Add blocked_ips config and CIDR matching

spacebear21 · spacebear21 · commit 4c450cc138d3 · 2026-02-19T16:07:19.000-05:00
Allow operators to block specific IP addresses or CIDR ranges
independently of geographic region.

Bare IPs ("192.0.2.1") and CIDR notation ("192.0.2.0/24") are
both accepted in the config.
diff --git a/Cargo-minimal.lock b/Cargo-minimal.lock
@@ -2798,6 +2798,7 @@ dependencies = [
  "clap",
  "config",
  "flate2",
+ "ipnet",
  "maxminddb",
  "ohttp-relay",
  "opentelemetry",
diff --git a/Cargo-recent.lock b/Cargo-recent.lock
@@ -2798,6 +2798,7 @@ dependencies = [
  "clap",
  "config",
  "flate2",
+ "ipnet",
  "maxminddb",
  "ohttp-relay",
  "opentelemetry",
diff --git a/payjoin-mailroom/Cargo.toml b/payjoin-mailroom/Cargo.toml
@@ -22,7 +22,7 @@ acme = [
   "dep:rustls",
   "dep:tokio-stream",
 ]
-access-control = ["dep:flate2", "dep:maxminddb", "dep:reqwest"]
+access-control = ["dep:flate2", "dep:ipnet", "dep:maxminddb", "dep:reqwest"]
 telemetry = ["dep:opentelemetry-otlp"]
 
 [dependencies]
@@ -34,6 +34,7 @@ axum-server = { version = "0.8", features = [
 clap = { version = "4.5", features = ["derive", "env"] }
 config = "0.15"
 flate2 = { version = "1.1", optional = true }
+ipnet = { version = "2", optional = true }
 maxminddb = { version = "0.27", optional = true }
 ohttp-relay = { path = "../ohttp-relay", features = ["bootstrap"] }
 opentelemetry = "0.31"
diff --git a/payjoin-mailroom/config.example.toml b/payjoin-mailroom/config.example.toml
@@ -37,3 +37,6 @@
 
 # ISO 3166-1 alpha-2 country codes whose requests should be blocked.
 # blocked_regions = ["CU", "IR", "KP", "SY"]
+
+# IP addresses or CIDR ranges whose requests should be blocked.
+# blocked_ips = ["192.0.2.0/24", "2001:db8::1"]
diff --git a/payjoin-mailroom/src/access_control.rs b/payjoin-mailroom/src/access_control.rs
@@ -6,12 +6,13 @@ use maxminddb::PathElement;
 
 use crate::config::AccessControlConfig;
 
-pub struct GeoIp {
+pub struct IpFilter {
     geo_reader: Option<maxminddb::Reader<Vec<u8>>>,
     blocked_regions: HashSet<String>,
+    blocked_ips: Vec<ipnet::IpNet>,
 }
 
-impl GeoIp {
+impl IpFilter {
     pub async fn from_config(
         config: &AccessControlConfig,
         storage_dir: &Path,
@@ -42,11 +43,30 @@ impl GeoIp {
 
         let blocked_regions = config.blocked_regions.iter().cloned().collect();
 
-        Ok(Self { geo_reader, blocked_regions })
+        let blocked_ips = config
+            .blocked_ips
+            .iter()
+            .map(|s| {
+                s.parse::<ipnet::IpNet>().or_else(|_| {
+                    // Accept bare IP addresses without CIDR prefix length
+                    Ok(ipnet::IpNet::from(s.parse::<IpAddr>()?))
+                })
+            })
+            .collect::<Result<Vec<_>, anyhow::Error>>()?;
+
+        Ok(Self { geo_reader, blocked_regions, blocked_ips })
     }
 
-    /// Returns `true` if the IP is allowed. Fail-open on lookup errors.
+    /// Returns `true` if the IP is allowed. Fail-open on GeoIP lookup errors.
     pub fn check_ip(&self, ip: IpAddr) -> bool {
+        if self.blocked_ips.iter().any(|net| net.contains(&ip)) {
+            return false;
+        }
+
+        self.check_geoip(ip)
+    }
+
+    fn check_geoip(&self, ip: IpAddr) -> bool {
         let reader = match &self.geo_reader {
             Some(r) => r,
             None => return true,
@@ -165,14 +185,19 @@ mod tests {
 
     #[test]
     fn check_ip_allows_when_no_geo_reader() {
-        let ac = GeoIp { geo_reader: None, blocked_regions: HashSet::new() };
+        let ac =
+            IpFilter { geo_reader: None, blocked_regions: HashSet::new(), blocked_ips: vec![] };
         assert!(ac.check_ip("1.2.3.4".parse().unwrap()));
     }
 
     #[test]
     fn check_ip_allows_when_no_blocked_regions() {
         let reader = test_geo_reader();
-        let ac = GeoIp { geo_reader: Some(reader), blocked_regions: HashSet::new() };
+        let ac = IpFilter {
+            geo_reader: Some(reader),
+            blocked_regions: HashSet::new(),
+            blocked_ips: vec![],
+        };
         assert!(ac.check_ip("2.125.160.216".parse().unwrap()));
     }
 
@@ -181,7 +206,7 @@ mod tests {
         let reader = test_geo_reader();
         // 2.125.160.216 is GB in the test database
         let blocked_regions: HashSet<String> = ["GB"].iter().map(|s| s.to_string()).collect();
-        let ac = GeoIp { geo_reader: Some(reader), blocked_regions };
+        let ac = IpFilter { geo_reader: Some(reader), blocked_regions, blocked_ips: vec![] };
         assert!(!ac.check_ip("2.125.160.216".parse().unwrap()));
     }
 
@@ -190,19 +215,52 @@ mod tests {
         let reader = test_geo_reader();
         // 2.125.160.216 is GB in the test database
         let blocked_regions: HashSet<String> = ["US"].iter().map(|s| s.to_string()).collect();
-        let ac = GeoIp { geo_reader: Some(reader), blocked_regions };
+        let ac = IpFilter { geo_reader: Some(reader), blocked_regions, blocked_ips: vec![] };
         assert!(ac.check_ip("2.125.160.216".parse().unwrap()));
     }
 
     #[test]
     fn check_ip_fail_open_on_unknown_ip() {
         let reader = test_geo_reader();
         let blocked_regions: HashSet<String> = ["US"].iter().map(|s| s.to_string()).collect();
-        let ac = GeoIp { geo_reader: Some(reader), blocked_regions };
+        let ac = IpFilter { geo_reader: Some(reader), blocked_regions, blocked_ips: vec![] };
         // 127.0.0.1 won't be in test DB
         assert!(ac.check_ip("127.0.0.1".parse().unwrap()));
     }
 
+    #[test]
+    fn blocked_ips_blocks_exact_ipv4() {
+        let blocked_ips = vec!["192.0.2.1/32".parse().unwrap()];
+        let ac = IpFilter { geo_reader: None, blocked_regions: HashSet::new(), blocked_ips };
+        assert!(!ac.check_ip("192.0.2.1".parse().unwrap()));
+        assert!(ac.check_ip("192.0.2.2".parse().unwrap()));
+    }
+
+    #[test]
+    fn blocked_ips_blocks_exact_ipv6() {
+        let blocked_ips = vec!["2001:db8::1/128".parse().unwrap()];
+        let ac = IpFilter { geo_reader: None, blocked_regions: HashSet::new(), blocked_ips };
+        assert!(!ac.check_ip("2001:db8::1".parse().unwrap()));
+        assert!(ac.check_ip("2001:db8::2".parse().unwrap()));
+    }
+
+    #[test]
+    fn blocked_ips_blocks_cidr_range() {
+        let blocked_ips = vec!["198.51.100.0/24".parse().unwrap()];
+        let ac = IpFilter { geo_reader: None, blocked_regions: HashSet::new(), blocked_ips };
+        assert!(!ac.check_ip("198.51.100.0".parse().unwrap()));
+        assert!(!ac.check_ip("198.51.100.255".parse().unwrap()));
+        assert!(ac.check_ip("198.51.101.0".parse().unwrap()));
+    }
+
+    #[test]
+    fn empty_blocked_ips_allows_all() {
+        let ac =
+            IpFilter { geo_reader: None, blocked_regions: HashSet::new(), blocked_ips: vec![] };
+        assert!(ac.check_ip("192.0.2.1".parse().unwrap()));
+        assert!(ac.check_ip("2001:db8::1".parse().unwrap()));
+    }
+
     #[test]
     fn year_month_conversion_handles_leap_day() {
         // 2024-02-29 00:00:00 UTC
diff --git a/payjoin-mailroom/src/config.rs b/payjoin-mailroom/src/config.rs
@@ -59,6 +59,7 @@ pub struct AcmeConfig {
 pub struct AccessControlConfig {
     pub geo_db_path: Option<PathBuf>,
     pub blocked_regions: Vec<String>,
+    pub blocked_ips: Vec<String>,
 }
 
 #[cfg(feature = "acme")]
@@ -139,6 +140,7 @@ impl Config {
                     .with_list_parse_key("acme.domains")
                     .with_list_parse_key("acme.contact")
                     .with_list_parse_key("access_control.blocked_regions")
+                    .with_list_parse_key("access_control.blocked_ips")
                     .try_parsing(true),
             )
             .build()?
diff --git a/payjoin-mailroom/src/lib.rs b/payjoin-mailroom/src/lib.rs
@@ -30,7 +30,7 @@ struct Services {
     relay: ohttp_relay::Service,
     metrics: MetricsService,
     #[cfg(feature = "access-control")]
-    geoip: Option<std::sync::Arc<access_control::GeoIp>>,
+    geoip: Option<std::sync::Arc<access_control::IpFilter>>,
 }
 
 pub async fn serve(config: Config, meter_provider: Option<SdkMeterProvider>) -> anyhow::Result<()> {
@@ -231,10 +231,10 @@ async fn init_directory(
 #[cfg(feature = "access-control")]
 async fn init_geoip(
     config: &Config,
-) -> anyhow::Result<Option<std::sync::Arc<access_control::GeoIp>>> {
+) -> anyhow::Result<Option<std::sync::Arc<access_control::IpFilter>>> {
     match &config.access_control {
         Some(ac_config) => {
-            let gi = access_control::GeoIp::from_config(ac_config, &config.storage_dir).await?;
+            let gi = access_control::IpFilter::from_config(ac_config, &config.storage_dir).await?;
             info!("GeoIP access control enabled");
             Ok(Some(std::sync::Arc::new(gi)))
         }
diff --git a/payjoin-mailroom/src/middleware.rs b/payjoin-mailroom/src/middleware.rs
@@ -12,7 +12,7 @@ pub struct MaybePeerIp(pub Option<std::net::IpAddr>);
 pub async fn check_geoip(req: Request, next: Next) -> Response {
     use axum::http::StatusCode;
 
-    let geoip = req.extensions().get::<Option<std::sync::Arc<crate::access_control::GeoIp>>>();
+    let geoip = req.extensions().get::<Option<std::sync::Arc<crate::access_control::IpFilter>>>();
 
     if let Some(Some(geoip)) = geoip {
         if let Some(connect_info) =

Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,7 @@ pub struct AcmeConfig {`
`59`	`59`	`pub struct AccessControlConfig {`
`60`	`60`	`pub geo_db_path: Option<PathBuf>,`
`61`	`61`	`pub blocked_regions: Vec<String>,`
	`62`	`+ pub blocked_ips: Vec<String>,`
`62`	`63`	`}`
`63`	`64`
`64`	`65`	`#[cfg(feature = "acme")]`
`@@ -139,6 +140,7 @@ impl Config {`
`139`	`140`	`.with_list_parse_key("acme.domains")`
`140`	`141`	`.with_list_parse_key("acme.contact")`
`141`	`142`	`.with_list_parse_key("access_control.blocked_regions")`
	`143`	`+ .with_list_parse_key("access_control.blocked_ips")`
`142`	`144`	`.try_parsing(true),`
`143`	`145`	`)`
`144`	`146`	`.build()?`