nodejs · Aug 31, 2021
diff --git a/‎doc/api/net.md
+80 b/‎doc/api/net.md
+80
diff --git a/‎lib/internal/blocklist.js
+115 b/‎lib/internal/blocklist.js
+115
diff --git a/‎lib/net.js
+6 b/‎lib/net.js
+6
diff --git a/‎node.gyp
+1 b/‎node.gyp
+1
diff --git a/‎src/node_binding.cc
+1 b/‎src/node_binding.cc
+1
diff --git a/‎src/node_sockaddr-inl.h
+26-2 b/‎src/node_sockaddr-inl.h
+26-2
diff --git a/‎src/node_sockaddr.cc
+592 b/‎src/node_sockaddr.cc
+592
diff --git a/‎src/node_sockaddr.h
+146 b/‎src/node_sockaddr.h
+146
diff --git a/‎test/cctest/test_sockaddr.cc
+86 b/‎test/cctest/test_sockaddr.cc
+86
diff --git a/‎test/parallel/test-blocklist.js
+136 b/‎test/parallel/test-blocklist.js
+136
@@ -55,6 +55,86 @@ net.createServer().listen(
   path.join('\\\\?\\pipe', process.cwd(), 'myctl'));
 ```
 
+## Class: `net.BlockList`
+<!-- YAML
+added: REPLACEME
+-->
+
+The `BlockList` object can be used with some network APIs to specify rules for
+disabling inbound or outbound access to specific IP addresses, IP ranges, or
+IP subnets.
+
+### `blockList.addAddress(address[, type])`
+<!-- YAML
+added: REPLACEME
+-->
+
+* `address` {string} An IPv4 or IPv6 address.
+* `type` {string} Either `'ipv4'` or `'ipv6'`. **Default**: `'ipv4'`.
+
+Adds a rule to block the given IP address.
+
+### `blockList.addRange(start, end[, type])`
+<!-- YAML
+added: REPLACEME
+-->
+
+* `start` {string} The starting IPv4 or IPv6 address in the range.
+* `end` {string} The ending IPv4 or IPv6 address in the range.
+* `type` {string} Either `'ipv4'` or `'ipv6'`. **Default**: `'ipv4'`.
+
+Adds a rule to block a range of IP addresses from `start` (inclusive) to
+`end` (inclusive).
+
+### `blockList.addSubnet(net, prefix[, type])`
+<!-- YAML
+added: REPLACEME
+-->
+
+* `net` {string} The network IPv4 or IPv6 address.
+* `prefix` {number} The number of CIDR prefix bits. For IPv4, this
+  must be a value between `0` and `32`. For IPv6, this must be between
+  `0` and `128`.
+* `type` {string} Either `'ipv4'` or `'ipv6'`. **Default**: `'ipv4'`.
+
+Adds a rule to block a range of IP addresses specified as a subnet mask.
+
+### `blockList.check(address[, type])`
+<!-- YAML
+added: REPLACEME
+-->
+
+* `address` {string} The IP address to check
+* `type` {string} Either `'ipv4'` or `'ipv6'`. **Default**: `'ipv4'`.
+* Returns: {boolean}
+
+Returns `true` if the given IP address matches any of the rules added to the
+`BlockList`.
+
+```js
+const blockList = new net.BlockList();
+blockList.addAddress('123.123.123.123');
+blockList.addRange('10.0.0.1', '10.0.0.10');
+blockList.addSubnet('8592:757c:efae:4e45::', 64, 'ipv6');
+
+console.log(blockList.check('123.123.123.123'));  // Prints: true
+console.log(blockList.check('10.0.0.3'));  // Prints: true
+console.log(blockList.check('222.111.111.222'));  // Prints: false
+
+// IPv6 notation for IPv4 addresses works:
+console.log(blockList.check('::ffff:7b7b:7b7b', 'ipv6')); // Prints: true
+console.log(blockList.check('::ffff:123.123.123.123', 'ipv6')); // Prints: true
+```
+
+### `blockList.rules`
+<!-- YAML
+added: REPLACEME
+-->
+
+* Type: {string[]}
+
+The list of rules added to the blocklist.
+
 ## Class: `net.Server`
 <!-- YAML
 added: v0.1.90
 
@@ -0,0 +1,115 @@
+'use strict';
+
+const {
+  Boolean,
+  Symbol
+} = primordials;
+
+const {
+  BlockList: BlockListHandle,
+  AF_INET,
+  AF_INET6,
+} = internalBinding('block_list');
+
+const {
+  customInspectSymbol: kInspect,
+} = require('internal/util');
+const { inspect } = require('internal/util/inspect');
+
+const kHandle = Symbol('kHandle');
+const { owner_symbol } = internalBinding('symbols');
+
+const {
+  ERR_INVALID_ARG_TYPE,
+  ERR_INVALID_ARG_VALUE,
+  ERR_OUT_OF_RANGE,
+} = require('internal/errors').codes;
+
+class BlockList {
+  constructor() {
+    this[kHandle] = new BlockListHandle();
+    this[kHandle][owner_symbol] = this;
+  }
+
+  [kInspect](depth, options) {
+    if (depth < 0)
+      return this;
+
+    const opts = {
+      ...options,
+      depth: options.depth == null ? null : options.depth - 1
+    };
+
+    return `BlockList ${inspect({
+      rules: this.rules
+    }, opts)}`;
+  }
+
+  addAddress(address, family = 'ipv4') {
+    if (typeof address !== 'string')
+      throw new ERR_INVALID_ARG_TYPE('address', 'string', address);
+    if (typeof family !== 'string')
+      throw new ERR_INVALID_ARG_TYPE('family', 'string', family);
+    if (family !== 'ipv4' && family !== 'ipv6')
+      throw new ERR_INVALID_ARG_VALUE('family', family);
+    const type = family === 'ipv4' ? AF_INET : AF_INET6;
+    this[kHandle].addAddress(address, type);
+  }
+
+  addRange(start, end, family = 'ipv4') {
+    if (typeof start !== 'string')
+      throw new ERR_INVALID_ARG_TYPE('start', 'string', start);
+    if (typeof end !== 'string')
+      throw new ERR_INVALID_ARG_TYPE('end', 'string', end);
+    if (typeof family !== 'string')
+      throw new ERR_INVALID_ARG_TYPE('family', 'string', family);
+    if (family !== 'ipv4' && family !== 'ipv6')
+      throw new ERR_INVALID_ARG_VALUE('family', family);
+    const type = family === 'ipv4' ? AF_INET : AF_INET6;
+    const ret = this[kHandle].addRange(start, end, type);
+    if (ret === false)
+      throw new ERR_INVALID_ARG_VALUE('start', start, 'must come before end');
+  }
+
+  addSubnet(network, prefix, family = 'ipv4') {
+    if (typeof network !== 'string')
+      throw new ERR_INVALID_ARG_TYPE('network', 'string', network);
+    if (typeof prefix !== 'number')
+      throw new ERR_INVALID_ARG_TYPE('prefix', 'number', prefix);
+    if (typeof family !== 'string')
+      throw new ERR_INVALID_ARG_TYPE('family', 'string', family);
+    let type;
+    switch (family) {
+      case 'ipv4':
+        type = AF_INET;
+        if (prefix < 0 || prefix > 32)
+          throw new ERR_OUT_OF_RANGE(prefix, '>= 0 and <= 32', prefix);
+        break;
+      case 'ipv6':
+        type = AF_INET6;
+        if (prefix < 0 || prefix > 128)
+          throw new ERR_OUT_OF_RANGE(prefix, '>= 0 and <= 128', prefix);
+        break;
+      default:
+        throw new ERR_INVALID_ARG_VALUE('family', family);
+    }
+    this[kHandle].addSubnet(network, type, prefix);
+  }
+
+  check(address, family = 'ipv4') {
+    if (typeof address !== 'string')
+      throw new ERR_INVALID_ARG_TYPE('address', 'string', address);
+    if (typeof family !== 'string')
+      throw new ERR_INVALID_ARG_TYPE('family', 'string', family);
+    if (family !== 'ipv4' && family !== 'ipv6')
+      throw new ERR_INVALID_ARG_VALUE('family', family);
+    const type = family === 'ipv4' ? AF_INET : AF_INET6;
+    return Boolean(this[kHandle].check(address, type));
+  }
+
+  get rules() {
+    return this[kHandle].getRules();
+  }
+}
+
+module.exports = BlockList;
@@ -115,6 +115,7 @@ const {
 // Lazy loaded to improve startup performance.
 let cluster;
 let dns;
+let BlockList;
 
 const { clearTimeout } = require('timers');
 const { kTimeout } = require('internal/timers');
@@ -1755,6 +1756,11 @@ module.exports = {
   _createServerHandle: createServerHandle,
   _normalizeArgs: normalizeArgs,
   _setSimultaneousAccepts,
+  get BlockList() {
+    if (BlockList === undefined)
+      BlockList = require('internal/blocklist');
+    return BlockList;
+  },
   connect,
   createConnection: connect,
   createServer,
 
@@ -101,6 +101,7 @@
       'lib/internal/assert/assertion_error.js',
       'lib/internal/assert/calltracker.js',
       'lib/internal/async_hooks.js',
+      'lib/internal/blocklist.js',
       'lib/internal/buffer.js',
       'lib/internal/cli_table.js',
       'lib/internal/child_process.js',
 
@@ -37,6 +37,7 @@
 // __attribute__((constructor)) like mechanism in GCC.
 #define NODE_BUILTIN_STANDARD_MODULES(V)                                       \
   V(async_wrap)                                                                \
+  V(block_list)                                                                \
   V(buffer)                                                                    \
   V(cares_wrap)                                                                \
   V(config)                                                                    \
 
@@ -4,6 +4,7 @@
 #if defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
 
 #include "node.h"
+#include "env-inl.h"
 #include "node_internals.h"
 #include "node_sockaddr.h"
 #include "util-inl.h"
@@ -88,11 +89,11 @@ SocketAddress& SocketAddress::operator=(const SocketAddress& addr) {
 }
 
 const sockaddr& SocketAddress::operator*() const {
-  return *this->data();
+  return *data();
 }
 
 const sockaddr* SocketAddress::operator->() const {
-  return this->data();
+  return data();
 }
 
 size_t SocketAddress::length() const {
@@ -166,6 +167,24 @@ bool SocketAddress::operator!=(const SocketAddress& other) const {
   return !(*this == other);
 }
 
+bool SocketAddress::operator<(const SocketAddress& other) const {
+  return compare(other) == CompareResult::LESS_THAN;
+}
+
+bool SocketAddress::operator>(const SocketAddress& other) const {
+  return compare(other) == CompareResult::GREATER_THAN;
+}
+
+bool SocketAddress::operator<=(const SocketAddress& other) const {
+  CompareResult c = compare(other);
+  return c == CompareResult::NOT_COMPARABLE ? false :
+              c <= CompareResult::SAME;
+}
+
+bool SocketAddress::operator>=(const SocketAddress& other) const {
+  return compare(other) >= CompareResult::SAME;
+}
+
 template <typename T>
 SocketAddressLRU<T>::SocketAddressLRU(
     size_t max_size)
@@ -231,6 +250,11 @@ typename T::Type* SocketAddressLRU<T>::Upsert(
   return &map_[address]->second;
 }
 
+v8::MaybeLocal<v8::Value> SocketAddressBlockList::Rule::ToV8String(
+    Environment* env) {
+  std::string str = ToString();
+  return ToV8Value(env->context(), str);
+}
 }  // namespace node
 
 #endif  // NODE_WANT_INTERNALS
 
@@ -3,11 +3,14 @@
 
 #if defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
 
+#include "env.h"
 #include "memory_tracker.h"
+#include "base_object.h"
 #include "node.h"
 #include "uv.h"
 #include "v8.h"
 
+#include <memory>
 #include <string>
 #include <list>
 #include <unordered_map>
@@ -18,13 +21,25 @@ class Environment;
 
 class SocketAddress : public MemoryRetainer {
  public:
+  enum class CompareResult {
+    NOT_COMPARABLE = -2,
+    LESS_THAN,
+    SAME,
+    GREATER_THAN
+  };
+
   struct Hash {
     size_t operator()(const SocketAddress& addr) const;
   };
 
   inline bool operator==(const SocketAddress& other) const;
   inline bool operator!=(const SocketAddress& other) const;
 
+  inline bool operator<(const SocketAddress& other) const;
+  inline bool operator>(const SocketAddress& other) const;
+  inline bool operator<=(const SocketAddress& other) const;
+  inline bool operator>=(const SocketAddress& other) const;
+
   inline static bool is_numeric_host(const char* hostname);
   inline static bool is_numeric_host(const char* hostname, int family);
 
@@ -78,6 +93,20 @@ class SocketAddress : public MemoryRetainer {
   inline std::string address() const;
   inline int port() const;
 
+  // Returns true if the given other SocketAddress is a match
+  // for this one. The addresses are a match if:
+  // 1. They are the same family and match identically
+  // 2. They are different family but match semantically (
+  //     for instance, an IPv4 addres in IPv6 notation)
+  bool is_match(const SocketAddress& other) const;
+
+  // Compares this SocketAddress to the given other SocketAddress.
+  CompareResult compare(const SocketAddress& other) const;
+
+  // Returns true if this SocketAddress is within the subnet
+  // identified by the given network address and CIDR prefix.
+  bool is_in_network(const SocketAddress& network, int prefix) const;
+
   // If the SocketAddress is an IPv6 address, returns the
   // current value of the IPv6 flow label, if set. Otherwise
   // returns 0.
@@ -152,6 +181,123 @@ class SocketAddressLRU : public MemoryRetainer {
   size_t max_size_;
 };
 
+// A BlockList is used to evaluate whether a given
+// SocketAddress should be accepted for inbound or
+// outbound network activity.
+class SocketAddressBlockList : public MemoryRetainer {
+ public:
+  explicit SocketAddressBlockList(
+      std::shared_ptr<SocketAddressBlockList> parent = {});
+  ~SocketAddressBlockList() = default;
+
+  void AddSocketAddress(
+      const SocketAddress& address);
+
+  void RemoveSocketAddress(
+      const SocketAddress& address);
+
+  void AddSocketAddressRange(
+      const SocketAddress& start,
+      const SocketAddress& end);
+
+  void AddSocketAddressMask(
+      const SocketAddress& address,
+      int prefix);
+
+  bool Apply(const SocketAddress& address);
+
+  size_t size() const { return rules_.size(); }
+
+  v8::MaybeLocal<v8::Array> ListRules(Environment* env);
+
+  struct Rule : public MemoryRetainer {
+    virtual bool Apply(const SocketAddress& address) = 0;
+    inline v8::MaybeLocal<v8::Value> ToV8String(Environment* env);
+    virtual std::string ToString() = 0;
+  };
+
+  struct SocketAddressRule final : Rule {
+    SocketAddress address;
+
+    explicit SocketAddressRule(const SocketAddress& address);
+
+    bool Apply(const SocketAddress& address) override;
+    std::string ToString() override;
+
+    void MemoryInfo(node::MemoryTracker* tracker) const override;
+    SET_MEMORY_INFO_NAME(SocketAddressRule)
+    SET_SELF_SIZE(SocketAddressRule)
+  };
+
+  struct SocketAddressRangeRule final : Rule {
+    SocketAddress start;
+    SocketAddress end;
+
+    SocketAddressRangeRule(
+        const SocketAddress& start,
+        const SocketAddress& end);
+
+    bool Apply(const SocketAddress& address) override;
+    std::string ToString() override;
+
+    void MemoryInfo(node::MemoryTracker* tracker) const override;
+    SET_MEMORY_INFO_NAME(SocketAddressRangeRule)
+    SET_SELF_SIZE(SocketAddressRangeRule)
+  };
+
+  struct SocketAddressMaskRule final : Rule {
+    SocketAddress network;
+    int prefix;
+
+    SocketAddressMaskRule(
+        const SocketAddress& address,
+        int prefix);
+
+    bool Apply(const SocketAddress& address) override;
+    std::string ToString() override;
+
+    void MemoryInfo(node::MemoryTracker* tracker) const override;
+    SET_MEMORY_INFO_NAME(SocketAddressMaskRule)
+    SET_SELF_SIZE(SocketAddressMaskRule)
+  };
+
+  void MemoryInfo(node::MemoryTracker* tracker) const override;
+  SET_MEMORY_INFO_NAME(SocketAddressBlockList)
+  SET_SELF_SIZE(SocketAddressBlockList)
+
+ private:
+  std::shared_ptr<SocketAddressBlockList> parent_;
+  std::list<std::unique_ptr<Rule>> rules_;
+  SocketAddress::Map<std::list<std::unique_ptr<Rule>>::iterator> address_rules_;
+};
+
+class SocketAddressBlockListWrap :
+    public BaseObject,
+    public SocketAddressBlockList {
+ public:
+  static void Initialize(v8::Local<v8::Object> target,
+                         v8::Local<v8::Value> unused,
+                         v8::Local<v8::Context> context,
+                         void* priv);
+
+  static void New(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void AddAddress(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void AddRange(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void AddSubnet(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void Check(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void GetRules(const v8::FunctionCallbackInfo<v8::Value>& args);
+
+  SocketAddressBlockListWrap(
+      Environment* env,
+      v8::Local<v8::Object> wrap);
+
+  void MemoryInfo(node::MemoryTracker* tracker) const override {
+    SocketAddressBlockList::MemoryInfo(tracker);
+  }
+  SET_MEMORY_INFO_NAME(SocketAddressBlockListWrap)
+  SET_SELF_SIZE(SocketAddressBlockListWrap)
+};
+
 }  // namespace node
 
 #endif  // NOE_WANT_INTERNALS
 
@@ -2,6 +2,7 @@
 #include "gtest/gtest.h"
 
 using node::SocketAddress;
+using node::SocketAddressBlockList;
 using node::SocketAddressLRU;
 
 TEST(SocketAddress, SocketAddress) {
@@ -84,6 +85,7 @@ TEST(SocketAddressLRU, SocketAddressLRU) {
   SocketAddress::ToSockAddr(AF_INET, "123.123.123.125", 443, &storage[2]);
   SocketAddress::ToSockAddr(AF_INET, "123.123.123.123", 443, &storage[3]);
 
+
   SocketAddress addr1(reinterpret_cast<const sockaddr*>(&storage[0]));
   SocketAddress addr2(reinterpret_cast<const sockaddr*>(&storage[1]));
   SocketAddress addr3(reinterpret_cast<const sockaddr*>(&storage[2]));
@@ -125,3 +127,87 @@ TEST(SocketAddressLRU, SocketAddressLRU) {
   CHECK_NULL(lru.Peek(addr1));
   CHECK_NULL(lru.Peek(addr2));
 }
+
+TEST(SocketAddress, Comparison) {
+  sockaddr_storage storage[6];
+
+  SocketAddress::ToSockAddr(AF_INET, "10.0.0.1", 0, &storage[0]);
+  SocketAddress::ToSockAddr(AF_INET, "10.0.0.2", 0, &storage[1]);
+  SocketAddress::ToSockAddr(AF_INET6, "::1", 0, &storage[2]);
+  SocketAddress::ToSockAddr(AF_INET6, "::2", 0, &storage[3]);
+  SocketAddress::ToSockAddr(AF_INET6, "::ffff:10.0.0.1", 0, &storage[4]);
+  SocketAddress::ToSockAddr(AF_INET6, "::ffff:10.0.0.2", 0, &storage[5]);
+
+  SocketAddress addr1(reinterpret_cast<const sockaddr*>(&storage[0]));
+  SocketAddress addr2(reinterpret_cast<const sockaddr*>(&storage[1]));
+  SocketAddress addr3(reinterpret_cast<const sockaddr*>(&storage[2]));
+  SocketAddress addr4(reinterpret_cast<const sockaddr*>(&storage[3]));
+  SocketAddress addr5(reinterpret_cast<const sockaddr*>(&storage[4]));
+  SocketAddress addr6(reinterpret_cast<const sockaddr*>(&storage[5]));
+
+  CHECK_EQ(addr1.compare(addr1), SocketAddress::CompareResult::SAME);
+  CHECK_EQ(addr1.compare(addr2), SocketAddress::CompareResult::LESS_THAN);
+  CHECK_EQ(addr2.compare(addr1), SocketAddress::CompareResult::GREATER_THAN);
+  CHECK(addr1 <= addr1);
+  CHECK(addr1 < addr2);
+  CHECK(addr1 <= addr2);
+  CHECK(addr2 >= addr2);
+  CHECK(addr2 > addr1);
+  CHECK(addr2 >= addr1);
+
+  CHECK_EQ(addr3.compare(addr3), SocketAddress::CompareResult::SAME);
+  CHECK_EQ(addr3.compare(addr4), SocketAddress::CompareResult::LESS_THAN);
+  CHECK_EQ(addr4.compare(addr3), SocketAddress::CompareResult::GREATER_THAN);
+  CHECK(addr3 <= addr3);
+  CHECK(addr3 < addr4);
+  CHECK(addr3 <= addr4);
+  CHECK(addr4 >= addr4);
+  CHECK(addr4 > addr3);
+  CHECK(addr4 >= addr3);
+
+  // Not comparable
+  CHECK_EQ(addr1.compare(addr3), SocketAddress::CompareResult::NOT_COMPARABLE);
+  CHECK_EQ(addr3.compare(addr1), SocketAddress::CompareResult::NOT_COMPARABLE);
+  CHECK(!(addr1 < addr3));
+  CHECK(!(addr1 > addr3));
+  CHECK(!(addr1 >= addr3));
+  CHECK(!(addr1 <= addr3));
+  CHECK(!(addr3 < addr1));
+  CHECK(!(addr3 > addr1));
+  CHECK(!(addr3 >= addr1));
+  CHECK(!(addr3 <= addr1));
+
+  // Comparable
+  CHECK_EQ(addr1.compare(addr5), SocketAddress::CompareResult::SAME);
+  CHECK_EQ(addr2.compare(addr6), SocketAddress::CompareResult::SAME);
+  CHECK_EQ(addr1.compare(addr6), SocketAddress::CompareResult::LESS_THAN);
+  CHECK_EQ(addr6.compare(addr1), SocketAddress::CompareResult::GREATER_THAN);
+  CHECK(addr1 <= addr5);
+  CHECK(addr1 <= addr6);
+  CHECK(addr1 < addr6);
+  CHECK(addr6 > addr1);
+  CHECK(addr6 >= addr1);
+  CHECK(addr2 >= addr6);
+  CHECK(addr2 >= addr5);
+}
+
+TEST(SocketAddressBlockList, Simple) {
+  SocketAddressBlockList bl;
+
+  sockaddr_storage storage[2];
+  SocketAddress::ToSockAddr(AF_INET, "10.0.0.1", 0, &storage[0]);
+  SocketAddress::ToSockAddr(AF_INET, "10.0.0.2", 0, &storage[1]);
+  SocketAddress addr1(reinterpret_cast<const sockaddr*>(&storage[0]));
+  SocketAddress addr2(reinterpret_cast<const sockaddr*>(&storage[1]));
+
+  bl.AddSocketAddress(addr1);
+  bl.AddSocketAddress(addr2);
+
+  CHECK(bl.Apply(addr1));
+  CHECK(bl.Apply(addr2));
+
+  bl.RemoveSocketAddress(addr1);
+
+  CHECK(!bl.Apply(addr1));
+  CHECK(bl.Apply(addr2));
+}
@@ -0,0 +1,136 @@
+'use strict';
+
+require('../common');
+
+const { BlockList } = require('net');
+const assert = require('assert');
+
+{
+  const blockList = new BlockList();
+
+  [1, [], {}, null, 1n, undefined, null].forEach((i) => {
+    assert.throws(() => blockList.addAddress(i), {
+      code: 'ERR_INVALID_ARG_TYPE'
+    });
+  });
+
+  [1, [], {}, null, 1n, null].forEach((i) => {
+    assert.throws(() => blockList.addAddress('1.1.1.1', i), {
+      code: 'ERR_INVALID_ARG_TYPE'
+    });
+  });
+
+  assert.throws(() => blockList.addAddress('1.1.1.1', 'foo'), {
+    code: 'ERR_INVALID_ARG_VALUE'
+  });
+
+  [1, [], {}, null, 1n, undefined, null].forEach((i) => {
+    assert.throws(() => blockList.addRange(i), {
+      code: 'ERR_INVALID_ARG_TYPE'
+    });
+    assert.throws(() => blockList.addRange('1.1.1.1', i), {
+      code: 'ERR_INVALID_ARG_TYPE'
+    });
+  });
+
+  [1, [], {}, null, 1n, null].forEach((i) => {
+    assert.throws(() => blockList.addRange('1.1.1.1', '1.1.1.2', i), {
+      code: 'ERR_INVALID_ARG_TYPE'
+    });
+  });
+
+  assert.throws(() => blockList.addRange('1.1.1.1', '1.1.1.2', 'foo'), {
+    code: 'ERR_INVALID_ARG_VALUE'
+  });
+}
+
+{
+  const blockList = new BlockList();
+  blockList.addAddress('1.1.1.1');
+  blockList.addAddress('8592:757c:efae:4e45:fb5d:d62a:0d00:8e17', 'ipv6');
+  blockList.addAddress('::ffff:1.1.1.2', 'ipv6');
+
+  assert(blockList.check('1.1.1.1'));
+  assert(!blockList.check('1.1.1.1', 'ipv6'));
+  assert(!blockList.check('8592:757c:efae:4e45:fb5d:d62a:0d00:8e17'));
+  assert(blockList.check('8592:757c:efae:4e45:fb5d:d62a:0d00:8e17', 'ipv6'));
+
+  assert(blockList.check('::ffff:1.1.1.1', 'ipv6'));
+
+  assert(blockList.check('1.1.1.2'));
+
+  assert(!blockList.check('1.2.3.4'));
+  assert(!blockList.check('::1', 'ipv6'));
+}
+
+{
+  const blockList = new BlockList();
+  blockList.addRange('1.1.1.1', '1.1.1.10');
+  blockList.addRange('::1', '::f', 'ipv6');
+
+  assert(!blockList.check('1.1.1.0'));
+  for (let n = 1; n <= 10; n++)
+    assert(blockList.check(`1.1.1.${n}`));
+  assert(!blockList.check('1.1.1.11'));
+
+  assert(!blockList.check('::0', 'ipv6'));
+  for (let n = 0x1; n <= 0xf; n++) {
+    assert(blockList.check(`::${n.toString(16)}`, 'ipv6'),
+           `::${n.toString(16)} check failed`);
+  }
+  assert(!blockList.check('::10', 'ipv6'));
+}
+
+{
+  const blockList = new BlockList();
+  blockList.addSubnet('1.1.1.0', 16);
+  blockList.addSubnet('8592:757c:efae:4e45::', 64, 'ipv6');
+
+  assert(blockList.check('1.1.0.1'));
+  assert(blockList.check('1.1.1.1'));
+  assert(!blockList.check('1.2.0.1'));
+  assert(blockList.check('::ffff:1.1.0.1', 'ipv6'));
+
+  assert(blockList.check('8592:757c:efae:4e45:f::', 'ipv6'));
+  assert(blockList.check('8592:757c:efae:4e45::f', 'ipv6'));
+  assert(!blockList.check('8592:757c:efae:4f45::f', 'ipv6'));
+}
+
+{
+  const blockList = new BlockList();
+  blockList.addAddress('1.1.1.1');
+  blockList.addRange('10.0.0.1', '10.0.0.10');
+  blockList.addSubnet('8592:757c:efae:4e45::', 64, 'ipv6');
+
+  const rulesCheck = [
+    'Subnet: IPv6 8592:757c:efae:4e45::/64',
+    'Range: IPv4 10.0.0.1-10.0.0.10',
+    'Address: IPv4 1.1.1.1'
+  ];
+  assert.deepStrictEqual(blockList.rules, rulesCheck);
+  console.log(blockList);
+
+  assert(blockList.check('1.1.1.1'));
+  assert(blockList.check('10.0.0.5'));
+  assert(blockList.check('::ffff:10.0.0.5', 'ipv6'));
+  assert(blockList.check('8592:757c:efae:4e45::f', 'ipv6'));
+
+  assert(!blockList.check('123.123.123.123'));
+  assert(!blockList.check('8592:757c:efaf:4e45:fb5d:d62a:0d00:8e17', 'ipv6'));
+  assert(!blockList.check('::ffff:123.123.123.123', 'ipv6'));
+}
+
+{
+  // This test validates boundaries of non-aligned CIDR bit prefixes
+  const blockList = new BlockList();
+  blockList.addSubnet('10.0.0.0', 27);
+  blockList.addSubnet('8592:757c:efaf::', 51, 'ipv6');
+
+  for (let n = 0; n <= 31; n++)
+    assert(blockList.check(`10.0.0.${n}`));
+  assert(!blockList.check('10.0.0.32'));
+
+  assert(blockList.check('8592:757c:efaf:0:0:0:0:0', 'ipv6'));
+  assert(blockList.check('8592:757c:efaf:1fff:ffff:ffff:ffff:ffff', 'ipv6'));
+  assert(!blockList.check('8592:757c:efaf:2fff:ffff:ffff:ffff:ffff', 'ipv6'));
+}