[PR #2843] Exclude local/private/CGNAT IPs from geo-block rules (fixes issue #2239) #5126

Open
opened 2026-04-20 09:16:31 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/fosrl/pangolin/pull/2843
Author: @Blacks-Army
Created: 4/12/2026
Status: 🔄 Open

Base: dev ← Head: dev


📝 Commits (1)

  • 8e1905a Exclude local/private/CGNAT IPs from COUNTRY=ALL and ASN=ALL/AS0 geo-blocking rules

📊 Changes

1 file changed (+50 additions, -7 deletions)

📝 server/routers/badger/verifySession.ts (+50 -7)

📄 Description

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

Fixes issue #2239

Disclaimer:
This is my first contribution to Pangolin, so please bear with me 😅

This PR updates geo wildcard rule behavior for non-public source IPs.

  • COUNTRY=ALL with action BLOCK: local/private/CGNAT IPs are skipped
  • ASN=ALL / ASN=AS0 with action BLOCK: local/private/CGNAT IPs are skipped
  • Explicit CIDR / IP rules are unchanged

Why this makes sense:

  • local/private/CGNAT IPs are not meaningfully geolocatable
  • wildcard geo block rules should target public Internet IPs
  • intentional blocking is still possible via CIDR, including:
    • 0.0.0.0/0 (IPv4)
    • ::/0 (IPv6)

How to test?

  1. Add rule COUNTRY=ALL or ASN=ALL, action BLOCK, send request from 192.168.1.10 --> not blocked by this rule.
  2. Add rule CIDR=192.168.0.0/16, action BLOCK --> IP is blocked.
  3. Add rule CIDR=0.0.0.0/0 (or ::/0 for IPv6), action BLOCK --> IP is also blocked.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
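
The rule behavior described in the PR, sketched as an added example; this is not the code from `server/routers/badger/verifySession.ts`. The `Rule` shape, the function names and the exact list of non-public ranges are assumptions, and CIDR matching is narrowed to IPv4 to keep the example short.

```typescript
// Added illustration; not the PR's code. Rule shape and names are hypothetical,
// and the range list is an assumption about what "local/private/CGNAT" covers.
type Rule = { match: "COUNTRY" | "ASN" | "CIDR"; value: string; action: "BLOCK" | "ALLOW" };
const NON_PUBLIC_V4: [string, number][] = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], // RFC 1918 private
  ["127.0.0.0", 8], ["169.254.0.0", 16],                    // loopback, link-local
  ["100.64.0.0", 10],                                       // RFC 6598 CGNAT
];

// Dotted quad -> unsigned 32-bit integer, or null when malformed.
function v4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Arithmetic instead of bit shifts: JS shifts are signed 32-bit and break on /0.
function inV4Cidr(ip: number, base: string, bits: number): boolean {
  const b = v4ToInt(base), size = 2 ** (32 - bits);
  if (b === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  return Math.floor(ip / size) === Math.floor(b / size);
}

// Sockets often report IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d).
const unmap = (ip: string): string => ip.toLowerCase().replace(/^::ffff:/, "");
function isNonPublic(ip: string): boolean {
  const s = unmap(ip), v4 = v4ToInt(s);
  if (v4 !== null) return NON_PUBLIC_V4.some(([b, n]) => inV4Cidr(v4, b, n));
  const first = parseInt(s.split(":")[0] || "0", 16); // first hextet only
  // IPv6 loopback, fc00::/7 unique local, fe80::/10 link-local
  return s === "::1" || (first & 0xfe00) === 0xfc00 || (first & 0xffc0) === 0xfe80;
}

// Wildcard geo BLOCK rules skip non-public sources; explicit IPv4 CIDR rules always apply.
function ruleBlocks(rule: Rule, ip: string): boolean {
  if (rule.action !== "BLOCK") return false;
  if (rule.match === "CIDR") {
    const [base = "", bits = ""] = rule.value.split("/");
    const v4 = v4ToInt(unmap(ip));
    return v4 !== null && bits !== "" && inV4Cidr(v4, base, Number(bits));
  }
  const wildcard = rule.value === "ALL" || (rule.match === "ASN" && rule.value === "AS0");
  return wildcard && !isNonPublic(ip);
}
```

An address string that does not parse is treated as public here, so a wildcard BLOCK rule still applies to it.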
GiteaMirror added the pull-request label 2026-04-20 09:16:31 -05:00
Reference: github-starred/pangolin#5126