Change Details

Currently, AbuseFilter only supports one form of range blocks: a '/16' CIDR range. There are several issues with this: * For IPv6, a `/16` range does not make sense, and AbuseFilter does not have a separate configuration for range blocks of IPv6 * Even for IPv4, a `/16` range is not always the best choice; for instance, if a user edits from 173.213.113.111, the better choice would be a `/18` block as [[ https://ipinfo.io/173.213.113.111 | that is the current subnet for that IP ]]. The latter can be accounted for once {T174553} is resolved. The former requires a separate configuration for IPv6 range blocks. The current IPv4 range of `/16` should also be moved into a config variable, and these variables should be used whenever the subnet information is not available, and also as an upper-bound for block range sizes (for instance, if a range belongs to a `/15` subnet, we may not want to block the entire `/15`. Lastly, AbuseFilter should always check to ensure the range it is blocking is not larger than that specified in `$wgBlockCIDRLimit['IPv4']` or `$wgBlockCIDRLimit['IPv6']`, respectively. Based on my quick review of the code, this check is not currently done.

Currently, AbuseFilter only supports one form of range blocks: a '/16' CIDR range. There are several issues with this: * For IPv6, a `/16` range does not make sense, and AbuseFilter does not have a separate configuration for range blocks of IPv6 * Even for IPv4, a `/16` range is not always the best choice; for instance, if a user edits from 173.213.113.111, the better choice would be a `/18` block as [[ https://ipinfo.io/173.213.113.111 | that is the current subnet for that IP ]]. The latter can be accounted for once {T174553} is resolved. The former requires a separate configuration for IPv6 range blocks. The current IPv4 range of `/16` should also be moved into a config variable, and these variables should be used whenever the subnet information is not available, and also as an upper-bound for block range sizes (for instance, if a range belongs to a `/15` subnet, we may not want to block the entire `/15`. Lastly, AbuseFilter should always check to ensure the range it is blocking is not larger than that specified in `$wgBlockCIDRLimit['IPv4']` or `$wgBlockCIDRLimit['IPv6']`, respectively. Based on my quick review of the code, this check is not currently done. **Roadmap:** [x] Cap the range size to be numerically higher than $wgBlockCIDRLimit [x] Move the range size to a config variable [] Use subnet information to issue a fitting block

Currently, AbuseFilter only supports one form of range blocks: a '/16' CIDR range. There are several issues with this: * For IPv6, a `/16` range does not make sense, and AbuseFilter does not have a separate configuration for range blocks of IPv6 * Even for IPv4, a `/16` range is not always the best choice; for instance, if a user edits from 173.213.113.111, the better choice would be a `/18` block as [[ https://ipinfo.io/173.213.113.111 | that is the current subnet for that IP ]]. The latter can be accounted for once {T174553} is resolved. The former requires a separate configuration for IPv6 range blocks. The current IPv4 range of `/16` should also be moved into a config variable, and these variables should be used whenever the subnet information is not available, and also as an upper-bound for block range sizes (for instance, if a range belongs to a `/15` subnet, we may not want to block the entire `/15`. Lastly, AbuseFilter should always check to ensure the range it is blocking is not larger than that specified in `$wgBlockCIDRLimit['IPv4']` or `$wgBlockCIDRLimit['IPv6']`, respectively. Based on my quick review of the code, this check is not currently done. **Roadmap:** [x] Cap the range size to be numerically higher than $wgBlockCIDRLimit [x] Move the range size to a config variable [] Use subnet information to issue a fitting block