Last modified: 2013-05-10 13:45:27 UTC
This is an import of the feature request at http://meta.wikimedia.org/wiki/XFF_project/RFC_1918. Some proxies pass an X-Forwarded-For header with an internal IP as value. If we could block the combination of internal and external (e.g. 10.1.0.0/16 via 62.171.194.4), that would allow us to target particular computers without blocking the whole proxy. There are several known proxies this applies to (listed at URL above), and probably many more unknown. Several are schools. Those alone would provide a significant benefit,
Jasper Deng noted at bug 23343 that this feature could also be useful for [[carrier-grade NAT]]: "I'd like to add (from the above dup) that it would be useful, especially for networks using carrier-grade NAT, that we should be able to also base blocks off of both public-facing and (private) IPs behind, such as blocking "206.34.7.1/16/xff:10.6.0.0/16" or "206.6.1.8/xff:192.168.2.0/24"."