IPSet
Match IPs against CIDR specs
Loading...
Searching...
No Matches
Public Member Functions | Static Public Member Functions | List of all members
Wikimedia\IPSet Class Reference

Matches IP addresses against a set of CIDR specifications. More...

+ Inheritance diagram for Wikimedia\IPSet:
+ Collaboration diagram for Wikimedia\IPSet:

Public Member Functions

 __construct (array $cfg)
 Instantiate the object from an array of CIDR specs.
 
 match ( $ip)
 Match an IP address against the set.
 
 jsonSerialize ()
 

Static Public Member Functions

static newFromJson (string $json)
 

Detailed Description

Matches IP addresses against a set of CIDR specifications.

Usage: 

use Wikimedia\IPSet;
// At startup, calculate the optimized data structure for the set:
$ipset = new IPSet( [
    '208.80.154.0/26',
    '2620:0:861:1::/64',
    '10.64.0.0/22',
] );

// Runtime check against cached set (returns bool):
$allowme = $ipset->match( $ip );

In rough benchmarking, this takes about 80% more time than in_array() checks on a short (a couple hundred at most) array of addresses. It's fast either way at those levels, though, and IPSet would scale better than in_array if the array were much larger.

For mixed-family CIDR sets, however, this code gives well over 100x speedup vs iterating Wikimedia\IPUtils::isInRange() over an array of CIDR specs.

The basic implementation is two separate binary trees (IPv4 and IPv6) as nested php arrays with keys named 0 and 1. The values false and true are terminal match-fail and match-success, otherwise the value is a deeper node in the tree.

A simple depth-compression scheme is also implemented: whole-byte tree compression at whole-byte boundaries only, where no branching occurs during that whole byte of depth. A compressed node has keys 'comp' (the byte to compare) and 'next' (the next node to recurse into if 'comp' matched successfully).

For example, given these inputs: 

25.0.0.0/9
25.192.0.0/10

The v4 tree would look like: 

root4 => [
    'comp' => 25,
    'next' => [
        0 => true,
        1 => [
            0 => false,
            1 => true,
        ],
    ],
];

(multi-byte compression nodes were attempted as well, but were a net loss in my test scenarios due to additional match complexity)

Constructor & Destructor Documentation

◆ __construct()

Wikimedia\IPSet::__construct ( array $cfg)

Instantiate the object from an array of CIDR specs.

Invalid input network/mask values in $cfg will result in issuing E_WARNING and/or E_USER_WARNING and the bad values being ignored.

Parameters
array$cfgArray of IPv[46] CIDR specs as strings

Member Function Documentation

◆ match()

Wikimedia\IPSet::match ( $ip)

Match an IP address against the set.

If $ip is unparseable, inet_pton may issue an E_WARNING to that effect

Parameters
string$ipstring IPv[46] address
Returns
bool True is match success, false is match failure

◆ newFromJson()

static Wikimedia\IPSet::newFromJson ( string $json)
static
Parameters
string$json
Returns
IPSet
The documentation for this class was generated from the following file: