lua-resty-iputils

Collection of utility functions for working with IP addresses.

Overview

    init_by_lua_block {
      local iputils = require("resty.iputils")
      iputils.enable_lrucache()
      local whitelist_ips = {
          "127.0.0.1",
          "10.10.10.0/24",
          "192.168.0.0/16",
      }
    
      -- WARNING: Global variable, recommend this is cached at the module level
      -- https://github.com/openresty/lua-nginx-module#data-sharing-within-an-nginx-worker
      whitelist = iputils.parse_cidrs(whitelist_ips)
    }
    
    access_by_lua_block {
        local iputils = require("resty.iputils")
        if not iputils.ip_in_cidrs(ngx.var.remote_addr, whitelist) then
          return ngx.exit(ngx.HTTP_FORBIDDEN)
        end
    }

Methods

enable_lrucache

syntax: ok, err = iputils.enable_lrucache(size?)

Creates a global lrucache object for caching ip2bin lookups.

Size is optional and defaults to 4000 entries (~1MB per worker)

Calling this repeatedly will reset the cache

ip2bin

syntax: bin_ip, bin_octets = iputils.ip2bin(ip)

Returns the binary representation of an IPv4 address and a table containing the binary representation of each octet

Returns nil and and error message for bad IPs

parse_cidr

syntax: lower, upper = iputils.parse_cidr(cidr)

Returns a binary representation of the lowest (network) and highest (broadcast) addresses of an IPv4 network.

parse_cidrs

syntax: parsed = iputils.parse_cidrs(cidrs)

Takes a table of CIDR format IPV4 networks and returns a table of tables containg the lower and upper addresses.

If an invalid network is in the table an error is logged and the other networks are returned

ip_in_cidrs

syntax: bool, err = iputils.ip_in_cidrs(ip, cidrs)

Takes a string IPv4 address and a table of parsed CIDRs (e.g. from iputils.parse_cidrs).

Returns a true or false if the IP exists within any of the specified networks.

Returns nil and an error message with an invalid IP

binip_in_cidrs

syntax: bool, err = iputils.binip_in_cidrs(bin_ip, cidrs)

Takes a nginx binary IPv4 address (e.g. ngx.var.binary_remote_addr) and a table of parsed CIDRs (e.g. from iputils.parse_cidrs).

This method is much faster than ip_in_cidrs() if the IP being checked is already available as a binary representation.

Returns a true or false if the IP exists within any of the specified networks.

Returns nil and an error message with an invalid IP

TODO

• IPv6 support - Alternative library supporting ipv6 - lua-libcidr-ffi