Add IP-based rules #14963
Requesting a few changes through inline comments.
Besides that, I'm a bit worried about how much this would scale: I have to admit I have no idea how many IP/subnets an instance would typically block, but I'm a bit concerned with the code loading the full list into RAM at once, as well as enumerating all subnet blocks to find a matching one. But maybe that's fine.
end | ||
|
||
def sign_up_from_ip_requires_approval? | ||
!sign_up_ip.nil? && IpBlock.where(severity: :sign_up_requires_approval).where('ip >>= ?', sign_up_ip.to_s).exists? |
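Review bot: In `sign_up_from_ip_requires_approval?`, the `!sign_up_ip.nil? &&` guard makes the method return false whenever no sign-up IP was recorded, so such a registration skips the approval rule. If that is intended, state it in a comment or cover it with a spec; otherwise treat a missing IP as requiring approval. The `where('ip >>= ?', sign_up_ip.to_s)` lookup also shows no condition restricting it to rules still in effect, so confirm that expired rules are excluded by a scope or removed elsewhere.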
That check is possibly quite slow.
I have two pieces of data to offer. One, by comparing to e-mail domain blocks I've accumulated over 4 years: 64, and a list of IPs I've blocked on iptables level: 291. So the assumption I am working with is that we're dealing with three digit numbers here, which is also why I'm not quick to add indices to this table.
alright, looks good to me
still a bit worried about scaling, but based on your earlier comment, it should be fine
How about an allowlist for IP rules? It could be useful for school
This is a great feature. A couple of nice-to-haves are to have the list sorted numerically, and to be able to edit existing IP rules (like the federation edit screen).
Admins get the ability to add rules for IP addresses and CIDR ranges, such as blocking all access, or requiring sign-ups to go through the approval process even if they're otherwise open.
The CLI utility is extended with the following commands:
tootctl ip_blocks add 1.1.1.1 2.2.2.2 --severity=no_access --comment="These are bad" --duration=31557600
tootctl ip_blocks remove 2.2.2.2
tootctl ip_blocks export --format=nginx
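
The containment test behind `ip >>= ?` and the two severities named on this page, as an added Ruby example (not Mastodon's code). The `Rule` struct, the helper names, the sample rules and the handling of expiry are assumptions made for illustration.

```ruby
require 'ipaddr'

# Hypothetical in-memory stand-in for a stored rule; not the project's model.
Rule = Struct.new(:cidr, :severity, :expires_at) do
  def network
    @network ||= IPAddr.new(cidr)
  end

  # Assumption: a rule with no expiry never lapses.
  def active?(now)
    expires_at.nil? || expires_at > now
  end

  # Same meaning as PostgreSQL's `rule_ip >>= address`: the stored
  # network contains the address or is equal to it.
  def covers?(addr)
    network.family == addr.family && network.include?(addr)
  end
end

# Constructed sample data (documentation address ranges only).
NOW = Time.utc(2020, 10, 15)
RULES = [
  Rule.new('203.0.113.0/24', :sign_up_requires_approval, nil),
  Rule.new('203.0.113.7/32', :no_access, nil),
  Rule.new('198.51.100.0/24', :no_access, Time.utc(2020, 1, 1)), # already expired
  Rule.new('2001:db8::/32', :no_access, nil)
].freeze

# Linear scan over every rule, the cost the review thread is weighing.
def matching_rules(ip_string, rules = RULES, now = NOW)
  return [] if ip_string.nil?

  addr = IPAddr.new(ip_string)
  rules.select { |rule| rule.active?(now) && rule.covers?(addr) }
rescue IPAddr::InvalidAddressError
  []
end

def sign_up_requires_approval?(ip_string)
  matching_rules(ip_string).any? { |r| r.severity == :sign_up_requires_approval }
end

def blocked?(ip_string)
  matching_rules(ip_string).any? { |r| r.severity == :no_access }
end
```

An address can fall under several overlapping rules at once (here `203.0.113.7` matches both the /24 and the /32), so each severity is checked independently rather than stopping at the first match.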