Allowing subset of a blocked IP Ranges


Author: lucanos

I realise that IP Addresses can now be blocked using CIDR masks of
between 16 & 32, which is an improvement on single IP Addresses.

For my application, I am wanting to have a restricted number of
terminals that can access the Wiki.

My suggestions are two-fold:

  • Add Full CIDR Support, allowing blocking of any and all ranges of


  • Add An "Allow" Option, permitting overidding of the Blocks, and

thereby providing a good tool for very restrictive access.

The idea here being that a large range of addresses can be blocked
(eg but by processing the "Allow" list after
the "Block" list (and only if the accessing IP is within a Blocked
range), I could specify that be allowed to access the

NOTE: I am a newbie, and I have tried to find resources to allow this kind of functionality, but without success. If I need to "RTFM", feel free to tell me so.

Version: 1.5.x
Severity: enhancement

bzimport added a project: MediaWiki-Special-pages.Via ConduitNov 21 2014, 8:47 PM
bzimport added a subscriber: wikibugs-l.
bzimport set Reference to bz3340.
bzimport created this task.Via LegacySep 3 2005, 4:28 AM
hashar added a comment.Via ConduitSep 18 2005, 11:16 AM

Changing summary. Switching to feature request.

There is no such thing as allowing a block of IP addresses. Special:Blockip
just block stuff and that should usually be enough :)

MediaWiki is hardcoded to disallow blocking of block that are more than
a /16 . You can still hack the code around to allow something bigger ;o)

bzimport added a comment.Via ConduitSep 18 2005, 11:25 AM

lucanos wrote:

Thanks Ashar,

That's what I was looking for - why is MediaWiki hard-coded to limit the block
size to /16 ? Why not allow larger blocks that that?

bzimport added a comment.Via ConduitApr 4 2006, 9:37 AM

robchur wrote:

(In reply to comment #2)

Thanks Ashar,

That's what I was looking for - why is MediaWiki hard-coded to limit the block
size to /16 ? Why not allow larger blocks that that?

To stop sysops who don't understand how it works from blocking massive subnets
and causing serious problems.

bzimport added a comment.Via ConduitJun 22 2007, 5:19 PM

michaeldaly wrote:

Could this be changed to allow any range for sysops who _do_ know what they're doing? Perhaps with a parameter in LocalSettings.php so the wiki admin can limit the damage or not (e.g. wgCIDRlimit = 16;)?

I have a lot of problems with spam via several companies within the Asia Pacific Network and see no reason why I shouldn't be able to block nnn.0.0.0/8 without having to enter 256 separate blocks of nnn.nnn.0.0/16. If I had one single valid user in these ranges, I'd deal with them separately.

demon added a comment.Via ConduitOct 30 2009, 9:42 PM

Added $wgBlockCIDRLimit in r58377. Other request (exempting specific IPs from a range block) is not done, though.

Add Comment

Column Prototype
This is a very early prototype of a persistent column. It is not expected to work yet, and leaving it open will activate other new features which will break things. Press "\" (backslash) on your keyboard to close it now.