docs: Clarify IP address operator behavior (is public/private address) #84
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ehavior Improved documentation for the IP address detection operators to clearly specify which address ranges are matched/excluded: **is private address:** - Explicitly lists RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) - Notes that loopback and link-local are NOT matched by this operator **is public address:** - Documents excluded ranges in a clear table format: - Private (RFC 1918) - Loopback (127.0.0.0/8) - Link-local (169.254.0.0/16) - Clarifies that multicast addresses ARE considered public This documentation update accompanies the fix in dr-engine PR #213 which corrected the behavior of 'is public address' to exclude loopback and link-local addresses. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Documents new D&R operators for version-specific IP address classification: - is public ipv4 address - is public ipv6 address - is private ipv4 address - is private ipv6 address Updates existing operator documentation: - is private address: Added CGNAT (RFC 6598) and IPv6 ULA (RFC 4193) - is public address: Added comprehensive IPv6 support, corrected multicast handling, added CGNAT exclusion All address ranges now include RFC references for clarity. BREAKING CHANGE: Documentation now correctly states that multicast addresses (224.0.0.0/4, ff00::/8) are NOT considered public. Previous documentation incorrectly stated they were public.
…arification-updates docs: Add IPv4/IPv6 address operators and fix IP classification documentation
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Improves documentation for the
is public addressandis private addressD&R operators to clearly specify which IP address ranges are matched or excluded.Context
A user reported that detection rules using
op: is public addresswere incorrectly flagging127.x.x.x(loopback) addresses as "public". Investigation revealed that Go'snet.IP.IsPrivate()only covers RFC 1918 addresses and doesn't include loopback or link-local ranges.Changes
is private addressoperator10.0.0.0/8172.16.0.0/12192.168.0.0/16cidroperator for matching those ranges if neededis public addressoperator10.0.0.0/8,172.16.0.0/12,192.168.0.0/16127.0.0.0/8169.254.0.0/16224.0.0.0/4) ARE considered publicyamlfor better syntax highlightingTest plan
🤖 Generated with Claude Code