Merge branch 'master' into split

CHANGELOG.md

@@ -1,41 +1,45 @@
-## Parity [v1.6.10](https://github.com/paritytech/parity/releases/tag/v1.6.10) (2017-07-23)
-
-This is a hotfix release for the stable channel addressing the recent [multi-signature wallet vulnerability](https://blog.parity.io/security-alert-high-2/). Note, upgrading is not mandatory, and all future multi-sig wallets created by any version of Parity are secure.
-
-All Changes:
-
-- Backports for stable [#6116](https://github.com/paritytech/parity/pull/6116)
-  - Remove chunk to restore from pending set only upon successful import [#6112](https://github.com/paritytech/parity/pull/6112)
-  - Blacklist bad snapshot manifest hashes upon failure [#5874](https://github.com/paritytech/parity/pull/5874)
-  - Bump snap version and tweak importing detection logic [#6079](https://github.com/paritytech/parity/pull/6079) (modified to work)
-- Fix docker build for stable [#6118](https://github.com/paritytech/parity/pull/6118)
-- Backported wallet fix [#6104](https://github.com/paritytech/parity/pull/6104)
-  - Fix initialisation bug. ([#6102](https://github.com/paritytech/parity/pull/6102))
-  - Update wallet library modifiers ([#6103](https://github.com/paritytech/parity/pull/6103))
-- Bump to v1.6.10
-
-## Parity [v1.7.0](https://github.com/paritytech/parity/releases/tag/v1.7.0) (2017-07-23)
+## Parity [v1.7.0](https://github.com/paritytech/parity/releases/tag/v1.7.0) (2017-07-28)
 
 Parity 1.7.0 is a major release introducing several important features:
 
-- **Experimental [Light client](https://github.com/paritytech/parity/wiki/The-Parity-Light-Protocol-(PIP)) support**. Start Parity with `--light` to enable light mode.
+- **Experimental [Light client](https://github.com/paritytech/parity/wiki/The-Parity-Light-Protocol-(PIP)) support**. Start Parity with `--light` to enable light mode. Please, note: The wallet UI integration for the light client is not included, yet.
 - **Experimental web wallet**. A hosted version of Parity that keeps the keys and signs transactions using your browser storage. Try it at https://wallet.parity.io or run your own with `--public-node`.
 - **WASM contract support**. Private networks can run contracts compiled into WASM bytecode. _More information and documentation to follow_.
 - **DApps and RPC server merge**. DApp and RPC are now available through a single API endpoint. DApp server related settings are deprecated.
 - **Export accounts from the wallet**. Backing up your keys can now simply be managed through the wallet interface.
-- **PoA/Kovan validator set contract**. The PoA network validator-set management via smart contract is now supported by warp and light sync.
+- **PoA/Kovan validator set contract**. The PoA network validator-set management via smart contract is now supported by warp and, in the near future, light sync.
 - **PubSub API**. https://github.com/paritytech/parity/wiki/JSONRPC-Parity-Pub-Sub-module
 - **Signer apps for IOS and Android**.
 
 Full list of included changes:
 
+- Backports [#6163](https://github.com/paritytech/parity/pull/6163)
+  - Light client improvements ([#6156](https://github.com/paritytech/parity/pull/6156))
+    - No seal checking
+    - Import command and --no-seal-check for light client
+    - Fix eth_call
+    - Tweak registry dapps lookup
+    - Ignore failed requests to non-server peers
+  - Fix connecting to wildcard addresses. ([#6167](https://github.com/paritytech/parity/pull/6167))
+  - Don't display an overlay in case the time sync check fails. ([#6164](https://github.com/paritytech/parity/pull/6164))
+    - Small improvements to time estimation.
+    - Temporarily disable NTP time check by default.
+- Light client fixes ([#6148](https://github.com/paritytech/parity/pull/6148)) [#6151](https://github.com/paritytech/parity/pull/6151)
+  - Light client fixes
+  - Fix memory-lru-cache
+  - Clear pending reqs on disconnect
+- Filter tokens logs from current block, not genesis ([#6128](https://github.com/paritytech/parity/pull/6128)) [#6141](https://github.com/paritytech/parity/pull/6141)
+- Fix QR scanner returning null on confirm [#6122](https://github.com/paritytech/parity/pull/6122)
 - Check QR before lowercase ([#6119](https://github.com/paritytech/parity/pull/6119)) [#6120](https://github.com/paritytech/parity/pull/6120)
 - Remove chunk to restore from pending set only upon successful import [#6117](https://github.com/paritytech/parity/pull/6117)
 - Fixed node address detection on incoming connection [#6094](https://github.com/paritytech/parity/pull/6094)
 - Place RETURNDATA behind block number gate [#6095](https://github.com/paritytech/parity/pull/6095)
+- Update wallet library binaries [#6108](https://github.com/paritytech/parity/pull/6108)
 - Backported wallet fix [#6105](https://github.com/paritytech/parity/pull/6105)
   - Fix initialisation bug. ([#6102](https://github.com/paritytech/parity/pull/6102))
   - Update wallet library modifiers ([#6103](https://github.com/paritytech/parity/pull/6103))
+- Place RETURNDATA behind block number gate [#6095](https://github.com/paritytech/parity/pull/6095)
+- Fixed node address detection on incoming connection [#6094](https://github.com/paritytech/parity/pull/6094)
 - Bump snap version and tweak importing detection logic ([#6079](https://github.com/paritytech/parity/pull/6079)) [#6081](https://github.com/paritytech/parity/pull/6081)
   - bump last tick just before printing info and restore sync detection
   - bump kovan snapshot version
@@ -439,6 +443,23 @@ Full list of included changes:
 - Update the Wallet Library Registry key [#4817](https://github.com/paritytech/parity/pull/4817)
 - Update Wallet to new Wallet Code [#4805](https://github.com/paritytech/parity/pull/4805)
 
+## Parity [v1.6.10](https://github.com/paritytech/parity/releases/tag/v1.6.10) (2017-07-25)
+
+This is a hotfix release for the stable channel addressing the recent [multi-signature wallet vulnerability](https://blog.parity.io/security-alert-high-2/). Note, upgrading is not mandatory, and all future multi-sig wallets created by any version of Parity are secure.
+
+All Changes:
+
+- Backports for stable [#6116](https://github.com/paritytech/parity/pull/6116)
+  - Remove chunk to restore from pending set only upon successful import [#6112](https://github.com/paritytech/parity/pull/6112)
+  - Blacklist bad snapshot manifest hashes upon failure [#5874](https://github.com/paritytech/parity/pull/5874)
+  - Bump snap version and tweak importing detection logic [#6079](https://github.com/paritytech/parity/pull/6079) (modified to work)
+- Fix docker build for stable [#6118](https://github.com/paritytech/parity/pull/6118)
+- Update wallet library binaries [#6108](https://github.com/paritytech/parity/pull/6108)
+- Backported wallet fix [#6104](https://github.com/paritytech/parity/pull/6104)
+  - Fix initialisation bug. ([#6102](https://github.com/paritytech/parity/pull/6102))
+  - Update wallet library modifiers ([#6103](https://github.com/paritytech/parity/pull/6103))
+- Bump to v1.6.10
+
 ## Parity [v1.6.9](https://github.com/paritytech/parity/releases/tag/v1.6.9) (2017-07-16)
 
 This is a first stable release of 1.6 series. It contains a number of minor fixes and introduces the `--reseal-on-uncles` option for miners.

Cargo.lock

@@ -668,6 +668,7 @@ dependencies = [
  "ethcrypto 0.1.0",
  "ethkey 0.2.0",
  "igd 0.6.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "ipnetwork 0.12.6 (registry+https://github.com/rust-lang/crates.io-index)",
  "libc 0.2.21 (registry+https://github.com/rust-lang/crates.io-index)",
  "log 0.3.7 (registry+https://github.com/rust-lang/crates.io-index)",
  "mio 0.6.8 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -872,6 +873,7 @@ dependencies = [
  "ethcore-util 1.8.0",
  "ethkey 0.2.0",
  "heapsize 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "ipnetwork 0.12.6 (registry+https://github.com/rust-lang/crates.io-index)",
  "log 0.3.7 (registry+https://github.com/rust-lang/crates.io-index)",
  "parking_lot 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
  "rand 0.3.14 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -1159,6 +1161,11 @@ dependencies = [
  "semver 0.6.0 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
+[[package]]
+name = "ipnetwork"
+version = "0.12.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+
 [[package]]
 name = "isatty"
 version = "0.1.1"
@@ -1773,6 +1780,7 @@ dependencies = [
  "ethcore-ipc-tests 0.1.0",
  "ethcore-light 1.8.0",
  "ethcore-logger 1.8.0",
+ "ethcore-network 1.8.0",
  "ethcore-secretstore 1.0.0",
  "ethcore-stratum 1.8.0",
  "ethcore-util 1.8.0",
@@ -1781,6 +1789,7 @@ dependencies = [
  "fdlimit 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)",
  "futures 0.1.11 (registry+https://github.com/rust-lang/crates.io-index)",
  "futures-cpupool 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
+ "ipnetwork 0.12.6 (registry+https://github.com/rust-lang/crates.io-index)",
  "isatty 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)",
  "jsonrpc-core 7.0.0 (git+https://github.com/paritytech/jsonrpc.git?branch=parity-1.7)",
  "log 0.3.7 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -3236,6 +3245,7 @@ dependencies = [
 "checksum igd 0.6.0 (registry+https://github.com/rust-lang/crates.io-index)" = "356a0dc23a4fa0f8ce4777258085d00a01ea4923b2efd93538fc44bf5e1bda76"
 "checksum integer-encoding 1.0.3 (registry+https://github.com/rust-lang/crates.io-index)" = "a053c9c7dcb7db1f2aa012c37dc176c62e4cdf14898dee0eecc606de835b8acb"
 "checksum iovec 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "29d062ee61fccdf25be172e70f34c9f6efc597e1fb8f6526e8437b2046ab26be"
+"checksum ipnetwork 0.12.6 (registry+https://github.com/rust-lang/crates.io-index)" = "232e76922883005380e831068f731ef0305541c9f77b30df3a1635047b16f370"
 "checksum isatty 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "7408a548dc0e406b7912d9f84c261cc533c1866e047644a811c133c56041ac0c"
 "checksum itertools 0.5.9 (registry+https://github.com/rust-lang/crates.io-index)" = "d95557e7ba6b71377b0f2c3b3ae96c53f1b75a926a6901a500f557a370af730a"
 "checksum itoa 0.3.0 (registry+https://github.com/rust-lang/crates.io-index)" = "91fd9dc2c587067de817fec4ad355e3818c3d893a78cab32a0a474c7a15bb8d5"

Cargo.toml

@@ -41,6 +41,7 @@ ethcore-ipc-hypervisor = { path = "ipc/hypervisor" }
 ethcore-light = { path = "ethcore/light" }
 ethcore-logger = { path = "logger" }
 ethcore-stratum = { path = "stratum" }
+ethcore-network = { path = "util/network" }
 ethkey = { path = "ethkey" }
 rlp = { path = "util/rlp" }
 rpc-cli = { path = "rpc_cli" }
@@ -65,6 +66,7 @@ rustc_version = "0.2"
 [dev-dependencies]
 ethcore-ipc-tests = { path = "ipc/tests" }
 pretty_assertions = "0.1"
+ipnetwork = "0.12.6"
 
 [target.'cfg(windows)'.dependencies]
 winapi = "0.2"

nsis/installer.nsi

@@ -149,7 +149,7 @@ function un.onInit
 	SetShellVarContext all
 
 	#Verify the uninstaller - last chance to back out
-	MessageBox MB_OKCANCEL "Permanantly remove ${APPNAME}?" IDOK next
+	MessageBox MB_OKCANCEL "Permanently remove ${APPNAME}?" IDOK next
 		Abort
 
 	next:

parity/cli/usage.txt

@@ -148,11 +148,15 @@ Networking Options:
                                    These nodes will always have a reserved slot on top
                                    of the normal maximum peers. (default: {flag_reserved_peers:?})
   --reserved-only                  Connect only to reserved nodes. (default: {flag_reserved_only})
-  --allow-ips FILTER               Filter outbound connections. Must be one of:
+  --allow-ips FILTER               Filter outbound connections. FILTER can be one of:
                                    private - connect to private network IP addresses only;
                                    public - connect to public network IP addresses only;
-                                   all - connect to any IP address.
-                                   (default: {flag_allow_ips})
+                                   all - connect to any IP address;
+                                   none - block all (for use with a custom filter as below);
+                                   a custom filter list in the format: "private ip_range1 -ip_range2 ...".
+                                   Where ip_range1 would be allowed and ip_range2 blocked;
+                                   Custom blocks ("-ip_range") override custom allows ("ip_range");
+                                   (default: {flag_allow_ips}).
   --max-pending-peers NUM          Allow up to NUM pending connections. (default: {flag_max_pending_peers})
   --no-ancient-blocks              Disable downloading old blocks after snapshot restoration
                                    or warp sync. (default: {flag_no_ancient_blocks})

parity/configuration.rs

@@ -24,7 +24,7 @@ use cli::{Args, ArgsError};
 use util::{Hashable, H256, U256, Bytes, version_data, Address};
 use util::journaldb::Algorithm;
 use util::Colour;
-use ethsync::{NetworkConfiguration, is_valid_node_url, AllowIP};
+use ethsync::{NetworkConfiguration, is_valid_node_url};
 use ethcore::ethstore::ethkey::{Secret, Public};
 use ethcore::client::{VMType};
 use ethcore::miner::{MinerOptions, Banning, StratumOptions};
@@ -48,6 +48,7 @@ use blockchain::{BlockchainCmd, ImportBlockchain, ExportBlockchain, KillBlockcha
 use presale::ImportWallet;
 use account::{AccountCmd, NewAccount, ListAccounts, ImportAccounts, ImportFromGethAccounts};
 use snapshot::{self, SnapshotCommand};
+use network::{IpFilter};
 
 #[derive(Debug, PartialEq)]
 pub enum Cmd {
@@ -56,7 +57,7 @@ pub enum Cmd {
 	Account(AccountCmd),
 	ImportPresaleWallet(ImportWallet),
 	Blockchain(BlockchainCmd),
-	SignerToken(WsConfiguration, UiConfiguration),
+	SignerToken(WsConfiguration, UiConfiguration, LogConfig),
 	SignerSign {
 		id: Option<usize>,
 		pwfile: Option<PathBuf>,
@@ -148,7 +149,7 @@ impl Configuration {
 			let authfile = ::signer::codes_path(&ws_conf.signer_path);
 
 			if self.args.cmd_new_token {
-				Cmd::SignerToken(ws_conf, ui_conf)
+				Cmd::SignerToken(ws_conf, ui_conf, logger_config.clone())
 			} else if self.args.cmd_sign {
 				let pwfile = self.args.flag_password.get(0).map(|pwfile| {
 					PathBuf::from(pwfile)
@@ -461,12 +462,10 @@ impl Configuration {
 		max(self.min_peers(), peers)
 	}
 
-	fn allow_ips(&self) -> Result<AllowIP, String> {
-		match self.args.flag_allow_ips.as_str() {
-			"all" => Ok(AllowIP::All),
-			"public" => Ok(AllowIP::Public),
-			"private" => Ok(AllowIP::Private),
-			_ => Err("Invalid IP filter value".to_owned()),
+	fn ip_filter(&self) -> Result<IpFilter, String> {
+		match IpFilter::parse(self.args.flag_allow_ips.as_str()) {
+			Ok(allow_ip) => Ok(allow_ip),
+			Err(_) => Err("Invalid IP filter value".to_owned()),
 		}
 	}
 
@@ -712,7 +711,7 @@ impl Configuration {
 		ret.max_peers = self.max_peers();
 		ret.min_peers = self.min_peers();
 		ret.snapshot_peers = self.snapshot_peers();
-		ret.allow_ips = self.allow_ips()?;
+		ret.ip_filter = self.ip_filter()?;
 		ret.max_pending_peers = self.max_pending_peers();
 		let mut net_path = PathBuf::from(self.directories().base);
 		net_path.push("network");
@@ -968,7 +967,6 @@ impl Configuration {
 		}.into()
 	}
 
-
 	fn ui_interface(&self) -> String {
 		self.interface(&self.args.flag_ui_interface)
 	}
@@ -1080,6 +1078,7 @@ impl Configuration {
 mod tests {
 	use std::io::Write;
 	use std::fs::{File, create_dir};
+	use std::str::FromStr;
 
 	use devtools::{RandomTempPath};
 	use ethcore::client::{VMType, BlockId};
@@ -1097,6 +1096,11 @@ mod tests {
 	use rpc::{WsConfiguration, UiConfiguration};
 	use run::RunCmd;
 
+	use network::{AllowIP, IpFilter};
+
+	extern crate ipnetwork;
+	use self::ipnetwork::IpNetwork;
+
 	use super::*;
 
 	#[derive(Debug, PartialEq)]
@@ -1281,7 +1285,11 @@ mod tests {
 			interface: "127.0.0.1".into(),
 			port: 8180,
 			hosts: Some(vec![]),
-		}));
+		}, LogConfig {
+            color: true,
+            mode: None,
+            file: None,
+        } ));
 	}
 
 	#[test]
@@ -1752,4 +1760,50 @@ mod tests {
 		assert_eq!(&conf0.ipfs_config().interface, "0.0.0.0");
 		assert_eq!(conf0.ipfs_config().hosts, None);
 	}
+
+	#[test]
+	fn allow_ips() {
+		let all = parse(&["parity", "--allow-ips", "all"]);
+		let private = parse(&["parity", "--allow-ips", "private"]);
+		let block_custom = parse(&["parity", "--allow-ips", "-10.0.0.0/8"]);
+		let combo = parse(&["parity", "--allow-ips", "public 10.0.0.0/8 -1.0.0.0/8"]);
+		let ipv6_custom_public = parse(&["parity", "--allow-ips", "public fc00::/7"]);
+		let ipv6_custom_private = parse(&["parity", "--allow-ips", "private -fc00::/7"]);
+
+		assert_eq!(all.ip_filter().unwrap(), IpFilter {
+			predefined: AllowIP::All,
+			custom_allow: vec![],
+			custom_block: vec![],
+		});
+
+		assert_eq!(private.ip_filter().unwrap(), IpFilter {
+			predefined: AllowIP::Private,
+			custom_allow: vec![],
+			custom_block: vec![],
+		});
+
+		assert_eq!(block_custom.ip_filter().unwrap(), IpFilter {
+			predefined: AllowIP::All,
+			custom_allow: vec![],
+			custom_block: vec![IpNetwork::from_str("10.0.0.0/8").unwrap()],
+		});
+
+		assert_eq!(combo.ip_filter().unwrap(), IpFilter {
+			predefined: AllowIP::Public,
+			custom_allow: vec![IpNetwork::from_str("10.0.0.0/8").unwrap()],
+			custom_block: vec![IpNetwork::from_str("1.0.0.0/8").unwrap()],
+		});
+
+		assert_eq!(ipv6_custom_public.ip_filter().unwrap(), IpFilter {
+			predefined: AllowIP::Public,
+			custom_allow: vec![IpNetwork::from_str("fc00::/7").unwrap()],
+			custom_block: vec![],
+		});
+
+		assert_eq!(ipv6_custom_private.ip_filter().unwrap(), IpFilter {
+			predefined: AllowIP::Private,
+			custom_allow: vec![],
+			custom_block: vec![IpNetwork::from_str("fc00::/7").unwrap()],
+		});
+	}
 }

parity/helpers.rs

@@ -191,7 +191,8 @@ pub fn to_bootnodes(bootnodes: &Option<String>) -> Result<Vec<String>, String> {
 
 #[cfg(test)]
 pub fn default_network_config() -> ::ethsync::NetworkConfiguration {
-	use ethsync::{NetworkConfiguration, AllowIP};
+	use ethsync::{NetworkConfiguration};
+	use super::network::IpFilter;
 	NetworkConfiguration {
 		config_path: Some(replace_home(&::dir::default_data_path(), "$BASE/network")),
 		net_config_path: None,
@@ -206,7 +207,7 @@ pub fn default_network_config() -> ::ethsync::NetworkConfiguration {
 		min_peers: 25,
 		snapshot_peers: 0,
 		max_pending_peers: 64,
-		allow_ips: AllowIP::All,
+		ip_filter: IpFilter::default(),
 		reserved_nodes: Vec::new(),
 		allow_non_reserved: true,
 	}

parity/main.rs

@@ -55,6 +55,7 @@ extern crate ethcore_ipc_nano as nanoipc;
 extern crate ethcore_light as light;
 extern crate ethcore_logger;
 extern crate ethcore_util as util;
+extern crate ethcore_network as network;
 extern crate ethkey;
 extern crate ethsync;
 extern crate panic_hook;
@@ -163,7 +164,7 @@ fn execute(command: Execute, can_restart: bool) -> Result<PostExecutionAction, S
 		Cmd::Account(account_cmd) => account::execute(account_cmd).map(|s| PostExecutionAction::Print(s)),
 		Cmd::ImportPresaleWallet(presale_cmd) => presale::execute(presale_cmd).map(|s| PostExecutionAction::Print(s)),
 		Cmd::Blockchain(blockchain_cmd) => blockchain::execute(blockchain_cmd).map(|_| PostExecutionAction::Quit),
-		Cmd::SignerToken(ws_conf, ui_conf) => signer::execute(ws_conf, ui_conf).map(|s| PostExecutionAction::Print(s)),
+		Cmd::SignerToken(ws_conf, ui_conf, logger_config) => signer::execute(ws_conf, ui_conf, logger_config).map(|s| PostExecutionAction::Print(s)),
 		Cmd::SignerSign { id, pwfile, port, authfile } => rpc_cli::signer_sign(id, pwfile, port, authfile).map(|s| PostExecutionAction::Print(s)),
 		Cmd::SignerList { port, authfile } => rpc_cli::signer_list(port, authfile).map(|s| PostExecutionAction::Print(s)),
 		Cmd::SignerReject { id, port, authfile } => rpc_cli::signer_reject(id, port, authfile).map(|s| PostExecutionAction::Print(s)),

parity/run.rs

@@ -118,12 +118,12 @@ pub struct RunCmd {
 	pub whisper: ::whisper::Config
 }
 
-pub fn open_ui(ws_conf: &rpc::WsConfiguration, ui_conf: &rpc::UiConfiguration) -> Result<(), String> {
+pub fn open_ui(ws_conf: &rpc::WsConfiguration, ui_conf: &rpc::UiConfiguration, logger_config: &LogConfig) -> Result<(), String> {
 	if !ui_conf.enabled {
 		return Err("Cannot use UI command with UI turned off.".into())
 	}
 
-	let token = signer::generate_token_and_url(ws_conf, ui_conf)?;
+	let token = signer::generate_token_and_url(ws_conf, ui_conf, logger_config)?;
 	// Open a browser
 	url::open(&token.url);
 	// Print a message
@@ -282,7 +282,7 @@ fn execute_light(cmd: RunCmd, can_restart: bool, logger: Arc<RotatingLogger>) ->
 	let rpc_stats = Arc::new(informant::RpcStats::default());
 
 	// the dapps server
-	let signer_service = Arc::new(signer::new_service(&cmd.ws_conf, &cmd.ui_conf));
+	let signer_service = Arc::new(signer::new_service(&cmd.ws_conf, &cmd.ui_conf, &cmd.logger_config));
 	let dapps_deps = {
 		let contract_client = Arc::new(::dapps::LightRegistrar {
 			client: service.client().clone(),
@@ -378,7 +378,7 @@ pub fn execute(cmd: RunCmd, can_restart: bool, logger: Arc<RotatingLogger>) -> R
 		// Check if Parity is already running
 		let addr = format!("{}:{}", cmd.ui_conf.interface, cmd.ui_conf.port);
 		if !TcpListener::bind(&addr as &str).is_ok() {
-			return open_ui(&cmd.ws_conf, &cmd.ui_conf).map(|_| (false, None));
+			return open_ui(&cmd.ws_conf, &cmd.ui_conf, &cmd.logger_config).map(|_| (false, None));
 		}
 	}
 
@@ -658,7 +658,7 @@ pub fn execute(cmd: RunCmd, can_restart: bool, logger: Arc<RotatingLogger>) -> R
 		false => Some(account_provider.clone())
 	};
 
-	let signer_service = Arc::new(signer::new_service(&cmd.ws_conf, &cmd.ui_conf));
+	let signer_service = Arc::new(signer::new_service(&cmd.ws_conf, &cmd.ui_conf, &cmd.logger_config));
 
 	// the dapps server
 	let dapps_deps = {
@@ -791,7 +791,7 @@ pub fn execute(cmd: RunCmd, can_restart: bool, logger: Arc<RotatingLogger>) -> R
 
 	// start ui
 	if cmd.ui {
-		open_ui(&cmd.ws_conf, &cmd.ui_conf)?;
+		open_ui(&cmd.ws_conf, &cmd.ui_conf, &cmd.logger_config)?;
 	}
 
 	if let Some(dapp) = cmd.dapp {

parity/signer.rs

@@ -17,13 +17,13 @@
 use std::io;
 use std::path::{Path, PathBuf};
 
-use ansi_term::Colour;
+use ansi_term::Colour::White;
+use ethcore_logger::Config as LogConfig;
 use rpc;
 use rpc_apis;
 use parity_rpc;
 use path::restrict_permissions_owner;
 
-
 pub const CODES_FILENAME: &'static str = "authcodes";
 
 pub struct NewToken {
@@ -32,12 +32,13 @@ pub struct NewToken {
 	pub message: String,
 }
 
-pub fn new_service(ws_conf: &rpc::WsConfiguration, ui_conf: &rpc::UiConfiguration) -> rpc_apis::SignerService {
+pub fn new_service(ws_conf: &rpc::WsConfiguration, ui_conf: &rpc::UiConfiguration, logger_config: &LogConfig) -> rpc_apis::SignerService {
 	let signer_path = ws_conf.signer_path.clone();
+	let logger_config_color = logger_config.color;
 	let signer_enabled = ui_conf.enabled;
 
 	rpc_apis::SignerService::new(move || {
-		generate_new_token(&signer_path).map_err(|e| format!("{:?}", e))
+		generate_new_token(&signer_path, logger_config_color).map_err(|e| format!("{:?}", e))
 	}, signer_enabled)
 }
 
@@ -48,13 +49,14 @@ pub fn codes_path(path: &Path) -> PathBuf {
 	p
 }
 
-pub fn execute(ws_conf: rpc::WsConfiguration, ui_conf: rpc::UiConfiguration) -> Result<String, String> {
-	Ok(generate_token_and_url(&ws_conf, &ui_conf)?.message)
+pub fn execute(ws_conf: rpc::WsConfiguration, ui_conf: rpc::UiConfiguration, logger_config: LogConfig) -> Result<String, String> {
+	Ok(generate_token_and_url(&ws_conf, &ui_conf, &logger_config)?.message)
 }
 
-pub fn generate_token_and_url(ws_conf: &rpc::WsConfiguration, ui_conf: &rpc::UiConfiguration) -> Result<NewToken, String> {
-	let code = generate_new_token(&ws_conf.signer_path).map_err(|err| format!("Error generating token: {:?}", err))?;
+pub fn generate_token_and_url(ws_conf: &rpc::WsConfiguration, ui_conf: &rpc::UiConfiguration, logger_config: &LogConfig) -> Result<NewToken, String> {
+	let code = generate_new_token(&ws_conf.signer_path, logger_config.color).map_err(|err| format!("Error generating token: {:?}", err))?;
 	let auth_url = format!("http://{}:{}/#/auth?token={}", ui_conf.interface, ui_conf.port, code);
+
 	// And print in to the console
 	Ok(NewToken {
 		token: code.clone(),
@@ -65,18 +67,24 @@ Open: {}
 to authorize your browser.
 Or use the generated token:
 {}"#,
-			Colour::White.bold().paint(auth_url),
+			match logger_config.color {
+				true => format!("{}", White.bold().paint(auth_url)),
+				false => auth_url
+			},
 			code
 		)
 	})
 }
 
-fn generate_new_token(path: &Path) -> io::Result<String> {
+fn generate_new_token(path: &Path, logger_config_color: bool) -> io::Result<String> {
 	let path = codes_path(path);
 	let mut codes = parity_rpc::AuthCodes::from_file(&path)?;
 	codes.clear_garbage();
 	let code = codes.generate_new()?;
 	codes.to_file(&path)?;
-	trace!("New key code created: {}", Colour::White.bold().paint(&code[..]));
+	trace!("New key code created: {}", match logger_config_color {
+		true => format!("{}", White.bold().paint(&code[..])),
+		false => format!("{}", &code[..])
+	});
 	Ok(code)
 }

sync/Cargo.toml

@@ -31,6 +31,7 @@ ethcore-ipc-nano = { path = "../ipc/nano" }
 ethcore-devtools = { path = "../devtools" }
 ethkey = { path = "../ethkey" }
 parking_lot = "0.4"
+ipnetwork = "0.12.6"
 
 [features]
 default = []

sync/src/api.rs

@@ -19,8 +19,7 @@ use std::collections::{HashMap, BTreeMap};
 use std::io;
 use util::Bytes;
 use network::{NetworkProtocolHandler, NetworkService, NetworkContext, HostInfo, PeerId, ProtocolId,
-	NetworkConfiguration as BasicNetworkConfiguration, NonReservedPeerMode, NetworkError,
-	AllowIP as NetworkAllowIP};
+	NetworkConfiguration as BasicNetworkConfiguration, NonReservedPeerMode, NetworkError};
 use util::{U256, H256, H512};
 use io::{TimerToken};
 use ethcore::ethstore::ethkey::Secret;
@@ -37,6 +36,7 @@ use chain::{ETH_PACKET_COUNT, SNAPSHOT_SYNC_PACKET_COUNT};
 use light::client::AsLightClient;
 use light::Provider;
 use light::net::{self as light_net, LightProtocol, Params as LightParams, Capabilities, Handler as LightHandler, EventContext};
+use network::IpFilter;
 
 /// Parity sync protocol
 pub const WARP_SYNC_PROTOCOL_ID: ProtocolId = *b"par";
@@ -539,30 +539,6 @@ impl ManageNetwork for EthSync {
 	}
 }
 
-/// IP fiter
-#[derive(Clone, Debug, PartialEq, Eq)]
-#[cfg_attr(feature = "ipc", binary)]
-pub enum AllowIP {
-	/// Connect to any address
-	All,
-	/// Connect to private network only
-	Private,
-	/// Connect to public network only
-	Public,
-}
-
-impl AllowIP {
-	/// Attempt to parse the peer mode from a string.
-	pub fn parse(s: &str) -> Option<Self> {
-		match s {
-			"all" => Some(AllowIP::All),
-			"private" => Some(AllowIP::Private),
-			"public" => Some(AllowIP::Public),
-			_ => None,
-		}
-	}
-}
-
 #[derive(Debug, Clone, PartialEq, Eq)]
 #[cfg_attr(feature = "ipc", binary)]
 /// Network service configuration
@@ -598,7 +574,7 @@ pub struct NetworkConfiguration {
 	/// The non-reserved peer mode.
 	pub allow_non_reserved: bool,
 	/// IP Filtering
-	pub allow_ips: AllowIP,
+	pub ip_filter: IpFilter,
 }
 
 impl NetworkConfiguration {
@@ -629,11 +605,7 @@ impl NetworkConfiguration {
 			max_handshakes: self.max_pending_peers,
 			reserved_protocols: hash_map![WARP_SYNC_PROTOCOL_ID => self.snapshot_peers],
 			reserved_nodes: self.reserved_nodes,
-			allow_ips: match self.allow_ips {
-				AllowIP::All => NetworkAllowIP::All,
-				AllowIP::Private => NetworkAllowIP::Private,
-				AllowIP::Public => NetworkAllowIP::Public,
-			},
+			ip_filter: self.ip_filter,
 			non_reserved_mode: if self.allow_non_reserved { NonReservedPeerMode::Accept } else { NonReservedPeerMode::Deny },
 		})
 	}
@@ -656,11 +628,7 @@ impl From<BasicNetworkConfiguration> for NetworkConfiguration {
 			max_pending_peers: other.max_handshakes,
 			snapshot_peers: *other.reserved_protocols.get(&WARP_SYNC_PROTOCOL_ID).unwrap_or(&0),
 			reserved_nodes: other.reserved_nodes,
-			allow_ips: match other.allow_ips {
-				NetworkAllowIP::All => AllowIP::All,
-				NetworkAllowIP::Private => AllowIP::Private,
-				NetworkAllowIP::Public => AllowIP::Public,
-			},
+			ip_filter: other.ip_filter,
 			allow_non_reserved: match other.non_reserved_mode { NonReservedPeerMode::Accept => true, _ => false } ,
 		}
 	}

sync/src/lib.rs

@@ -37,6 +37,7 @@ extern crate semver;
 extern crate parking_lot;
 extern crate smallvec;
 extern crate rlp;
+extern crate ipnetwork;
 
 extern crate ethcore_light as light;
 

util/network/Cargo.toml

@@ -30,6 +30,7 @@ ethcrypto = { path = "../../ethcrypto" }
 rlp = { path = "../rlp" }
 path = { path = "../path" }
 ethcore-logger = { path ="../../logger" }
+ipnetwork = "0.12.6"
 
 [features]
 default = []

util/network/src/discovery.rs

@@ -30,7 +30,7 @@ use node_table::*;
 use error::NetworkError;
 use io::{StreamToken, IoContext};
 use ethkey::{Secret, KeyPair, sign, recover};
-use AllowIP;
+use IpFilter;
 
 use PROTOCOL_VERSION;
 
@@ -99,7 +99,7 @@ pub struct Discovery {
 	send_queue: VecDeque<Datagramm>,
 	check_timestamps: bool,
 	adding_nodes: Vec<NodeEntry>,
-	allow_ips: AllowIP,
+	ip_filter: IpFilter,
 }
 
 pub struct TableUpdates {
@@ -108,7 +108,7 @@ pub struct TableUpdates {
 }
 
 impl Discovery {
-	pub fn new(key: &KeyPair, listen: SocketAddr, public: NodeEndpoint, token: StreamToken, allow_ips: AllowIP) -> Discovery {
+	pub fn new(key: &KeyPair, listen: SocketAddr, public: NodeEndpoint, token: StreamToken, ip_filter: IpFilter) -> Discovery {
 		let socket = UdpSocket::bind(&listen).expect("Error binding UDP socket");
 		Discovery {
 			id: key.public().clone(),
@@ -124,7 +124,7 @@ impl Discovery {
 			send_queue: VecDeque::new(),
 			check_timestamps: true,
 			adding_nodes: Vec::new(),
-			allow_ips: allow_ips,
+			ip_filter: ip_filter,
 		}
 	}
 
@@ -400,7 +400,7 @@ impl Discovery {
 	}
 
 	fn is_allowed(&self, entry: &NodeEntry) -> bool {
-		entry.endpoint.is_allowed(self.allow_ips) && entry.id != self.id
+		entry.endpoint.is_allowed(&self.ip_filter) && entry.id != self.id
 	}
 
 	fn on_ping(&mut self, rlp: &UntrustedRlp, node: &NodeId, from: &SocketAddr) -> Result<Option<TableUpdates>, NetworkError> {
@@ -561,7 +561,6 @@ mod tests {
 	use std::str::FromStr;
 	use rustc_hex::FromHex;
 	use ethkey::{Random, Generator};
-	use AllowIP;
 
 	#[test]
 	fn find_node() {
@@ -586,8 +585,8 @@ mod tests {
 		let key2 = Random.generate().unwrap();
 		let ep1 = NodeEndpoint { address: SocketAddr::from_str("127.0.0.1:40444").unwrap(), udp_port: 40444 };
 		let ep2 = NodeEndpoint { address: SocketAddr::from_str("127.0.0.1:40445").unwrap(), udp_port: 40445 };
-		let mut discovery1 = Discovery::new(&key1, ep1.address.clone(), ep1.clone(), 0, AllowIP::All);
-		let mut discovery2 = Discovery::new(&key2, ep2.address.clone(), ep2.clone(), 0, AllowIP::All);
+		let mut discovery1 = Discovery::new(&key1, ep1.address.clone(), ep1.clone(), 0, IpFilter::default());
+		let mut discovery2 = Discovery::new(&key2, ep2.address.clone(), ep2.clone(), 0, IpFilter::default());
 
 		let node1 = Node::from_str("enode://a979fb575495b8d6db44f750317d0f4622bf4c2aa3365d6af7c284339968eef29b69ad0dce72a4d8db5ebb4968de0e3bec910127f134779fbcb0cb6d3331163c@127.0.0.1:7770").unwrap();
 		let node2 = Node::from_str("enode://b979fb575495b8d6db44f750317d0f4622bf4c2aa3365d6af7c284339968eef29b69ad0dce72a4d8db5ebb4968de0e3bec910127f134779fbcb0cb6d3331163c@127.0.0.1:7771").unwrap();
@@ -619,7 +618,7 @@ mod tests {
 	fn removes_expired() {
 		let key = Random.generate().unwrap();
 		let ep = NodeEndpoint { address: SocketAddr::from_str("127.0.0.1:40446").unwrap(), udp_port: 40447 };
-		let mut discovery = Discovery::new(&key, ep.address.clone(), ep.clone(), 0, AllowIP::All);
+		let mut discovery = Discovery::new(&key, ep.address.clone(), ep.clone(), 0, IpFilter::default());
 		for _ in 0..1200 {
 			discovery.add_node(NodeEntry { id: NodeId::random(), endpoint: ep.clone() });
 		}
@@ -648,7 +647,7 @@ mod tests {
 	fn packets() {
 		let key = Random.generate().unwrap();
 		let ep = NodeEndpoint { address: SocketAddr::from_str("127.0.0.1:40447").unwrap(), udp_port: 40447 };
-		let mut discovery = Discovery::new(&key, ep.address.clone(), ep.clone(), 0, AllowIP::All);
+		let mut discovery = Discovery::new(&key, ep.address.clone(), ep.clone(), 0, IpFilter::default());
 		discovery.check_timestamps = false;
 		let from = SocketAddr::from_str("99.99.99.99:40445").unwrap();
 

util/network/src/host.rs

@@ -35,7 +35,7 @@ use rlp::*;
 use session::{Session, SessionInfo, SessionData};
 use error::*;
 use io::*;
-use {NetworkProtocolHandler, NonReservedPeerMode, AllowIP, PROTOCOL_VERSION};
+use {NetworkProtocolHandler, NonReservedPeerMode, PROTOCOL_VERSION, IpFilter};
 use node_table::*;
 use stats::NetworkStats;
 use discovery::{Discovery, TableUpdates, NodeEntry};
@@ -106,7 +106,7 @@ pub struct NetworkConfiguration {
 	/// The non-reserved peer mode.
 	pub non_reserved_mode: NonReservedPeerMode,
 	/// IP filter
-	pub allow_ips: AllowIP,
+	pub ip_filter: IpFilter,
 }
 
 impl Default for NetworkConfiguration {
@@ -132,7 +132,7 @@ impl NetworkConfiguration {
 			max_peers: 50,
 			max_handshakes: 64,
 			reserved_protocols: HashMap::new(),
-			allow_ips: AllowIP::All,
+			ip_filter: IpFilter::default(),
 			reserved_nodes: Vec::new(),
 			non_reserved_mode: NonReservedPeerMode::Accept,
 		}
@@ -566,7 +566,7 @@ impl Host {
 		}
 		let local_endpoint = self.info.read().local_endpoint.clone();
 		let public_address = self.info.read().config.public_address.clone();
-		let allow_ips = self.info.read().config.allow_ips;
+		let allow_ips = self.info.read().config.ip_filter.clone();
 		let public_endpoint = match public_address {
 			None => {
 				let public_address = select_public_address(local_endpoint.address.port());
@@ -660,7 +660,7 @@ impl Host {
 			}
 			let config = &info.config;
 
-			(config.min_peers, config.non_reserved_mode == NonReservedPeerMode::Deny, config.max_handshakes as usize, config.allow_ips, info.id().clone())
+			(config.min_peers, config.non_reserved_mode == NonReservedPeerMode::Deny, config.max_handshakes as usize, config.ip_filter.clone(), info.id().clone())
 		};
 
 		let session_count = self.session_count();

util/network/src/ip_utils.rs

@@ -21,55 +21,193 @@ use std::io;
 use igd::{PortMappingProtocol, search_gateway_from_timeout};
 use std::time::Duration;
 use node_table::{NodeEndpoint};
+use ipnetwork::{IpNetwork};
 
 /// Socket address extension for rustc beta. To be replaces with now unstable API
 pub trait SocketAddrExt {
-	/// Returns true for the special 'unspecified' address 0.0.0.0.
-	fn is_unspecified_s(&self) -> bool;
 	/// Returns true if the address appears to be globally routable.
 	fn is_global_s(&self) -> bool;
+
+	// Ipv4 specific
+	fn is_shared_space(&self) -> bool { false }
+	fn is_special_purpose(&self) -> bool { false }
+	fn is_benchmarking(&self) -> bool { false }
+	fn is_future_use(&self) -> bool { false }
+
+	// Ipv6 specific
+	fn is_unique_local_s(&self) -> bool { false }
+	fn is_unicast_link_local_s(&self) -> bool { false }
+	fn is_documentation_s(&self) -> bool { false }
+	fn is_global_multicast(&self) -> bool { false }
+	fn is_other_multicast(&self) -> bool { false }
+	
+	fn is_reserved(&self) -> bool;
+	fn is_usable_public(&self) -> bool;
+	fn is_usable_private(&self) -> bool;
+
+	fn is_within(&self, ipnet: &IpNetwork) -> bool;
 }
 
 impl SocketAddrExt for Ipv4Addr {
-	fn is_unspecified_s(&self) -> bool {
-		self.octets() == [0, 0, 0, 0]
+	fn is_global_s(&self) -> bool {
+		!self.is_private() && 
+		!self.is_loopback() && 
+		!self.is_link_local() &&
+		!self.is_broadcast() && 
+		!self.is_documentation()
 	}
 
-	fn is_global_s(&self) -> bool {
-		!self.is_private() && !self.is_loopback() && !self.is_link_local() &&
-			!self.is_broadcast() && !self.is_documentation()
+	// Used for communications between a service provider and its subscribers when using a carrier-grade NAT 
+	// see: https://en.wikipedia.org/wiki/Reserved_IP_addresses
+	fn is_shared_space(&self) -> bool {
+		*self >= Ipv4Addr::new(100, 64, 0, 0) && 
+		*self <= Ipv4Addr::new(100, 127, 255, 255)
+	}
+
+	// Used for the IANA IPv4 Special Purpose Address Registry
+	// see: https://en.wikipedia.org/wiki/Reserved_IP_addresses
+	fn is_special_purpose(&self) -> bool {
+		*self >= Ipv4Addr::new(192, 0, 0, 0) && 
+		*self <= Ipv4Addr::new(192, 0, 0, 255)
+	}
+
+	// Used for testing of inter-network communications between two separate subnets
+	// see: https://en.wikipedia.org/wiki/Reserved_IP_addresses
+	fn is_benchmarking(&self) -> bool {
+		*self >= Ipv4Addr::new(198, 18, 0, 0) && 
+		*self <= Ipv4Addr::new(198, 19, 255, 255)
+	}
+
+	// Reserved for future use
+	// see: https://en.wikipedia.org/wiki/Reserved_IP_addresses
+	fn is_future_use(&self) -> bool {
+		*self >= Ipv4Addr::new(240, 0, 0, 0) && 
+		*self <= Ipv4Addr::new(255, 255, 255, 254)
+	}
+
+	fn is_reserved(&self) -> bool {
+		self.is_unspecified() ||
+		self.is_loopback() ||
+		self.is_link_local() ||
+		self.is_broadcast() ||
+		self.is_documentation() ||
+		self.is_multicast() ||
+		self.is_shared_space() ||
+		self.is_special_purpose() ||
+		self.is_benchmarking() ||
+		self.is_future_use()
+	}
+
+	fn is_usable_public(&self) -> bool {
+		!self.is_reserved() &&
+		!self.is_private()
+	}
+	
+	fn is_usable_private(&self) -> bool {
+		self.is_private()
+	}
+
+	fn is_within(&self, ipnet: &IpNetwork) -> bool {
+		match ipnet {
+			&IpNetwork::V4(ipnet) => ipnet.contains(*self),
+			_ => false
+		}
 	}
 }
 
 impl SocketAddrExt for Ipv6Addr {
-	fn is_unspecified_s(&self) -> bool {
-		self.segments() == [0, 0, 0, 0, 0, 0, 0, 0]
+	fn is_global_s(&self) -> bool {
+		self.is_global_multicast() ||
+		(!self.is_loopback() && 
+		!self.is_unique_local_s() &&
+		!self.is_unicast_link_local_s() &&
+		!self.is_documentation_s() &&
+		!self.is_other_multicast())
 	}
 
-	fn is_global_s(&self) -> bool {
-		if self.is_multicast() {
-			self.segments()[0] & 0x000f == 14
-		} else {
-			!self.is_loopback() && !((self.segments()[0] & 0xffc0) == 0xfe80) &&
-            	!((self.segments()[0] & 0xffc0) == 0xfec0) && !((self.segments()[0] & 0xfe00) == 0xfc00)
+	// unique local address (fc00::/7).
+	fn is_unique_local_s(&self) -> bool {
+		(self.segments()[0] & 0xfe00) == 0xfc00
+	}
+
+	// unicast and link-local (fe80::/10).
+	fn is_unicast_link_local_s(&self) -> bool {
+		(self.segments()[0] & 0xffc0) == 0xfe80
+	}
+	
+	// reserved for documentation (2001:db8::/32).
+	fn is_documentation_s(&self) -> bool {
+		(self.segments()[0] == 0x2001) && (self.segments()[1] == 0xdb8)
+	}
+
+	fn is_global_multicast(&self) -> bool {
+		self.segments()[0] & 0x000f == 14
+	}
+
+	fn is_other_multicast(&self) -> bool {
+		self.is_multicast() && !self.is_global_multicast()
+	}
+
+	fn is_reserved(&self) -> bool {
+		self.is_unspecified() ||
+		self.is_loopback() ||
+		self.is_unicast_link_local_s() ||
+		self.is_documentation_s() ||
+		self.is_other_multicast()
+	}
+
+	fn is_usable_public(&self) -> bool {
+		!self.is_reserved() &&
+		!self.is_unique_local_s()
+	}
+	
+	fn is_usable_private(&self) -> bool {
+		self.is_unique_local_s()
+	}
+
+	fn is_within(&self, ipnet: &IpNetwork) -> bool {
+		match ipnet {
+			&IpNetwork::V6(ipnet) => ipnet.contains(*self),
+			_ => false
 		}
 	}
 }
 
 impl SocketAddrExt for IpAddr {
-	fn is_unspecified_s(&self) -> bool {
-		match *self {
-			IpAddr::V4(ref ip) => ip.is_unspecified_s(),
-			IpAddr::V6(ref ip) => ip.is_unspecified_s(),
-		}
-	}
-
 	fn is_global_s(&self) -> bool {
 		match *self {
 			IpAddr::V4(ref ip) => ip.is_global_s(),
 			IpAddr::V6(ref ip) => ip.is_global_s(),
 		}
 	}
+
+	fn is_reserved(&self) -> bool {
+		match *self {
+			IpAddr::V4(ref ip) => ip.is_reserved(),
+			IpAddr::V6(ref ip) => ip.is_reserved(),
+		}
+	}
+
+	fn is_usable_public(&self) -> bool {
+		match *self {
+			IpAddr::V4(ref ip) => ip.is_usable_public(),
+			IpAddr::V6(ref ip) => ip.is_usable_public(),
+		}
+	}
+	
+	fn is_usable_private(&self) -> bool {
+		match *self {
+			IpAddr::V4(ref ip) => ip.is_usable_private(),
+			IpAddr::V6(ref ip) => ip.is_usable_private(),
+		}
+	}
+
+	fn is_within(&self, ipnet: &IpNetwork) -> bool {
+		match *self {
+			IpAddr::V4(ref ip) => ip.is_within(ipnet),
+			IpAddr::V6(ref ip) => ip.is_within(ipnet)
+		}
+	}
 }
 
 #[cfg(not(windows))]
@@ -79,7 +217,7 @@ mod getinterfaces {
 	use libc::{getifaddrs, freeifaddrs, ifaddrs, sockaddr, sockaddr_in, sockaddr_in6};
 	use std::net::{Ipv4Addr, Ipv6Addr, IpAddr};
 
-	fn convert_sockaddr (sa: *mut sockaddr) -> Option<IpAddr> {
+	fn convert_sockaddr(sa: *mut sockaddr) -> Option<IpAddr> {
 		if sa == ptr::null_mut() { return None; }
 
 		let (addr, _) = match unsafe { *sa }.sa_family as i32 {
@@ -115,7 +253,7 @@ mod getinterfaces {
 		Some(addr)
 	}
 
-	fn convert_ifaddrs (ifa: *mut ifaddrs) -> Option<IpAddr> {
+	fn convert_ifaddrs(ifa: *mut ifaddrs) -> Option<IpAddr> {
 		let ifa = unsafe { &mut *ifa };
 		convert_sockaddr(ifa.ifa_addr)
 	}
@@ -158,16 +296,16 @@ pub fn select_public_address(port: u16) -> SocketAddr {
 		Ok(list) => {
 			//prefer IPV4 bindings
 			for addr in &list { //TODO: use better criteria than just the first in the list
-				match *addr {
-					IpAddr::V4(a) if !a.is_unspecified_s() && !a.is_loopback() && !a.is_link_local() => {
+				match addr {
+					&IpAddr::V4(a) if !a.is_reserved() => {
 						return SocketAddr::V4(SocketAddrV4::new(a, port));
 					},
 					_ => {},
 				}
 			}
-			for addr in list {
+			for addr in &list {
 				match addr {
-					IpAddr::V6(a) if !a.is_unspecified_s() && !a.is_loopback() => {
+					&IpAddr::V6(a) if !a.is_reserved() => {
 						return SocketAddr::V6(SocketAddrV6::new(a, port, 0, 0));
 					},
 					_ => {},
@@ -227,7 +365,6 @@ fn can_map_external_address_or_fail() {
 
 #[test]
 fn ipv4_properties() {
-
 	#![cfg_attr(feature="dev", allow(too_many_arguments))]
 	fn check(octets: &[u8; 4], unspec: bool, loopback: bool,
 			 private: bool, link_local: bool, global: bool,
@@ -235,7 +372,7 @@ fn ipv4_properties() {
 		let ip = Ipv4Addr::new(octets[0], octets[1], octets[2], octets[3]);
 		assert_eq!(octets, &ip.octets());
 
-		assert_eq!(ip.is_unspecified_s(), unspec);
+		assert_eq!(ip.is_unspecified(), unspec);
 		assert_eq!(ip.is_loopback(), loopback);
 		assert_eq!(ip.is_private(), private);
 		assert_eq!(ip.is_link_local(), link_local);
@@ -264,13 +401,131 @@ fn ipv4_properties() {
 	check(&[255, 255, 255, 255], false, false, false, false, false, false,    true,   false);
 }
 
+#[test]
+fn ipv4_shared_space() {
+	assert!(!Ipv4Addr::new(100, 63, 255, 255).is_shared_space());
+	assert!(Ipv4Addr::new(100, 64, 0, 0).is_shared_space());
+	assert!(Ipv4Addr::new(100, 127, 255, 255).is_shared_space());
+	assert!(!Ipv4Addr::new(100, 128, 0, 0).is_shared_space());
+}
+
+#[test]
+fn ipv4_special_purpose() {
+	assert!(!Ipv4Addr::new(191, 255, 255, 255).is_special_purpose());
+	assert!(Ipv4Addr::new(192, 0, 0, 0).is_special_purpose());
+	assert!(Ipv4Addr::new(192, 0, 0, 255).is_special_purpose());
+	assert!(!Ipv4Addr::new(192, 0, 1, 255).is_special_purpose());
+}
+
+#[test]
+fn ipv4_benchmarking() {
+	assert!(!Ipv4Addr::new(198, 17, 255, 255).is_benchmarking());
+	assert!(Ipv4Addr::new(198, 18, 0, 0).is_benchmarking());
+	assert!(Ipv4Addr::new(198, 19, 255, 255).is_benchmarking());
+	assert!(!Ipv4Addr::new(198, 20, 0, 0).is_benchmarking());
+}
+
+#[test]
+fn ipv4_future_use() {
+	assert!(!Ipv4Addr::new(239, 255, 255, 255).is_future_use());
+	assert!(Ipv4Addr::new(240, 0, 0, 0).is_future_use());
+	assert!(Ipv4Addr::new(255, 255, 255, 254).is_future_use());
+	assert!(!Ipv4Addr::new(255, 255, 255, 255).is_future_use());
+}
+
+#[test]
+fn ipv4_usable_public() {
+	assert!(!Ipv4Addr::new(0,0,0,0).is_usable_public()); // unspecified
+	assert!(Ipv4Addr::new(0,0,0,1).is_usable_public());
+	
+	assert!(Ipv4Addr::new(9,255,255,255).is_usable_public());
+	assert!(!Ipv4Addr::new(10,0,0,0).is_usable_public()); // private intra-network
+	assert!(!Ipv4Addr::new(10,255,255,255).is_usable_public()); // private intra-network
+	assert!(Ipv4Addr::new(11,0,0,0).is_usable_public());
+	
+	assert!(Ipv4Addr::new(100, 63, 255, 255).is_usable_public());
+	assert!(!Ipv4Addr::new(100, 64, 0, 0).is_usable_public()); // shared space 
+	assert!(!Ipv4Addr::new(100, 127, 255, 255).is_usable_public()); // shared space
+	assert!(Ipv4Addr::new(100, 128, 0, 0).is_usable_public());
+	
+	assert!(Ipv4Addr::new(126,255,255,255).is_usable_public());
+	assert!(!Ipv4Addr::new(127,0,0,0).is_usable_public()); // loopback
+	assert!(!Ipv4Addr::new(127,255,255,255).is_usable_public()); // loopback
+	assert!(Ipv4Addr::new(128,0,0,0).is_usable_public());
+	
+	assert!(Ipv4Addr::new(169,253,255,255).is_usable_public());
+	assert!(!Ipv4Addr::new(169,254,0,0).is_usable_public()); // link-local
+	assert!(!Ipv4Addr::new(169,254,255,255).is_usable_public()); // link-local
+	assert!(Ipv4Addr::new(169,255,0,0).is_usable_public());
+	
+	assert!(Ipv4Addr::new(172,15,255,255).is_usable_public());
+	assert!(!Ipv4Addr::new(172,16,0,0).is_usable_public()); // private intra-network
+	assert!(!Ipv4Addr::new(172,31,255,255).is_usable_public()); // private intra-network
+	assert!(Ipv4Addr::new(172,32,255,255).is_usable_public());
+	
+	assert!(Ipv4Addr::new(191,255,255,255).is_usable_public());
+	assert!(!Ipv4Addr::new(192,0,0,0).is_usable_public()); // special purpose
+	assert!(!Ipv4Addr::new(192,0,0,255).is_usable_public()); // special purpose
+	assert!(Ipv4Addr::new(192,0,1,0).is_usable_public());
+
+	assert!(Ipv4Addr::new(192,0,1,255).is_usable_public());
+	assert!(!Ipv4Addr::new(192,0,2,0).is_usable_public()); // documentation
+	assert!(!Ipv4Addr::new(192,0,2,255).is_usable_public()); // documentation 
+	assert!(Ipv4Addr::new(192,0,3,0).is_usable_public());
+	
+	assert!(Ipv4Addr::new(192,167,255,255).is_usable_public());
+	assert!(!Ipv4Addr::new(192,168,0,0).is_usable_public()); // private intra-network
+	assert!(!Ipv4Addr::new(192,168,255,255).is_usable_public()); // private intra-network
+	assert!(Ipv4Addr::new(192,169,0,0).is_usable_public());
+	
+	assert!(Ipv4Addr::new(198,17,255,255).is_usable_public());
+	assert!(!Ipv4Addr::new(198,18,0,0).is_usable_public()); // benchmarking
+	assert!(!Ipv4Addr::new(198,19,255,255).is_usable_public()); // benchmarking
+	assert!(Ipv4Addr::new(198,20,0,0).is_usable_public());
+	
+	assert!(Ipv4Addr::new(198,51,99,255).is_usable_public());
+	assert!(!Ipv4Addr::new(198,51,100,0).is_usable_public()); // documentation
+	assert!(!Ipv4Addr::new(198,51,100,255).is_usable_public()); // documentation
+	assert!(Ipv4Addr::new(198,51,101,0).is_usable_public());
+
+	assert!(Ipv4Addr::new(203,0,112,255).is_usable_public());
+	assert!(!Ipv4Addr::new(203,0,113,0).is_usable_public()); // documentation
+	assert!(!Ipv4Addr::new(203,0,113,255).is_usable_public()); // documentation
+	assert!(Ipv4Addr::new(203,0,114,0).is_usable_public());
+
+	assert!(Ipv4Addr::new(223,255,255,255).is_usable_public());
+	assert!(!Ipv4Addr::new(224,0,0,0).is_usable_public()); // multicast
+	assert!(!Ipv4Addr::new(239, 255, 255, 255).is_usable_public()); // multicast
+	assert!(!Ipv4Addr::new(240, 0, 0, 0).is_usable_public()); // future use
+	assert!(!Ipv4Addr::new(255, 255, 255, 254).is_usable_public()); // future use 
+	assert!(!Ipv4Addr::new(255, 255, 255, 255).is_usable_public()); // limited broadcast
+}
+
+#[test]
+fn ipv4_usable_private() {
+	assert!(!Ipv4Addr::new(9,255,255,255).is_usable_private());
+	assert!(Ipv4Addr::new(10,0,0,0).is_usable_private()); // private intra-network
+	assert!(Ipv4Addr::new(10,255,255,255).is_usable_private()); // private intra-network
+	assert!(!Ipv4Addr::new(11,0,0,0).is_usable_private());
+	
+	assert!(!Ipv4Addr::new(172,15,255,255).is_usable_private());
+	assert!(Ipv4Addr::new(172,16,0,0).is_usable_private()); // private intra-network
+	assert!(Ipv4Addr::new(172,31,255,255).is_usable_private()); // private intra-network
+	assert!(!Ipv4Addr::new(172,32,255,255).is_usable_private());
+	
+	assert!(!Ipv4Addr::new(192,167,255,255).is_usable_private());
+	assert!(Ipv4Addr::new(192,168,0,0).is_usable_private()); // private intra-network
+	assert!(Ipv4Addr::new(192,168,255,255).is_usable_private()); // private intra-network
+	assert!(!Ipv4Addr::new(192,169,0,0).is_usable_private());
+}
+
 #[test]
 fn ipv6_properties() {
 	fn check(str_addr: &str, unspec: bool, loopback: bool, global: bool) {
 		let ip: Ipv6Addr = str_addr.parse().unwrap();
 		assert_eq!(str_addr, ip.to_string());
 
-		assert_eq!(ip.is_unspecified_s(), unspec);
+		assert_eq!(ip.is_unspecified(), unspec);
 		assert_eq!(ip.is_loopback(), loopback);
 		assert_eq!(ip.is_global_s(), global);
 	}
@@ -279,3 +534,5 @@ fn ipv6_properties() {
 	check("::", true,  false, true);
 	check("::1", false, true, false);
 }
+
+

util/network/src/lib.rs

@@ -77,6 +77,7 @@ extern crate rlp;
 extern crate bytes;
 extern crate path;
 extern crate ethcore_logger;
+extern crate ipnetwork;
 
 #[macro_use]
 extern crate log;
@@ -106,6 +107,8 @@ pub use session::SessionInfo;
 
 pub use io::TimerToken;
 pub use node_table::{is_valid_node_url, NodeId};
+use ipnetwork::{IpNetwork, IpNetworkError};
+use std::str::FromStr;
 
 const PROTOCOL_VERSION: u32 = 4;
 
@@ -145,8 +148,49 @@ impl NonReservedPeerMode {
 	}
 }
 
+#[derive(Clone, Debug, PartialEq, Eq)]
+#[cfg_attr(feature = "ipc", binary)]
+pub struct IpFilter {
+    pub predefined: AllowIP,
+    pub custom_allow: Vec<IpNetwork>,
+    pub custom_block: Vec<IpNetwork>,
+} 
+
+impl Default for IpFilter {
+    fn default() -> Self {
+        IpFilter {
+            predefined: AllowIP::All,
+            custom_allow: vec![],
+            custom_block: vec![],
+        }
+    }
+}
+
+impl IpFilter {
+    /// Attempt to parse the peer mode from a string.
+    pub fn parse(s: &str) -> Result<IpFilter, IpNetworkError> {
+        let mut filter = IpFilter::default();
+        for f in s.split_whitespace() {
+            match f {
+                "all" => filter.predefined = AllowIP::All,
+                "private" => filter.predefined = AllowIP::Private,
+                "public" => filter.predefined = AllowIP::Public,
+                "none" => filter.predefined = AllowIP::None,
+                custom => {
+                    if custom.starts_with("-") {
+                        filter.custom_block.push(IpNetwork::from_str(&custom.to_owned().split_off(1))?)
+                    } else {
+                        filter.custom_allow.push(IpNetwork::from_str(custom)?)
+                    }
+                }
+            }
+        }
+        Ok(filter)
+    }
+}
+
 /// IP fiter
-#[derive(Clone, Debug, PartialEq, Eq, Copy)]
+#[derive(Clone, Debug, PartialEq, Eq)]
 pub enum AllowIP {
 	/// Connect to any address
 	All,
@@ -154,5 +198,7 @@ pub enum AllowIP {
 	Private,
 	/// Connect to public network only
 	Public,
+    /// Block all addresses
+    None,
 }
 

util/network/src/node_table.rs

@@ -30,7 +30,7 @@ use util::UtilError;
 use rlp::*;
 use time::Tm;
 use error::NetworkError;
-use AllowIP;
+use {AllowIP, IpFilter};
 use discovery::{TableUpdates, NodeEntry};
 use ip_utils::*;
 pub use rustc_serialize::json::Json;
@@ -55,11 +55,21 @@ impl NodeEndpoint {
 		}
 	}
 
-	pub fn is_allowed(&self, filter: AllowIP) -> bool {
+	pub fn is_allowed(&self, filter: &IpFilter) -> bool {
+		(self.is_allowed_by_predefined(&filter.predefined) || filter.custom_allow.iter().any(|ipnet| {
+			self.address.ip().is_within(ipnet)
+		})) 
+		&& !filter.custom_block.iter().any(|ipnet| {
+			self.address.ip().is_within(ipnet)
+		})
+	}
+
+	pub fn is_allowed_by_predefined(&self, filter: &AllowIP) -> bool {
 		match filter {
-			AllowIP::All => true,
-			AllowIP::Private => !self.address.ip().is_global_s(),
-			AllowIP::Public => self.address.ip().is_global_s(),
+			&AllowIP::All => true,
+			&AllowIP::Private => self.address.ip().is_usable_private(),
+			&AllowIP::Public => self.address.ip().is_usable_public(),
+			&AllowIP::None => false,
 		}
 	}
 
@@ -101,8 +111,8 @@ impl NodeEndpoint {
 	pub fn is_valid(&self) -> bool {
 		self.udp_port != 0 && self.address.port() != 0 &&
 		match self.address {
-			SocketAddr::V4(a) => !a.ip().is_unspecified_s(),
-			SocketAddr::V6(a) => !a.ip().is_unspecified_s()
+			SocketAddr::V4(a) => !a.ip().is_unspecified(),
+			SocketAddr::V6(a) => !a.ip().is_unspecified()
 		}
 	}
 }
@@ -219,8 +229,8 @@ impl NodeTable {
 	}
 
 	/// Returns node ids sorted by number of failures
-	pub fn nodes(&self, filter: AllowIP) -> Vec<NodeId> {
-		let mut refs: Vec<&Node> = self.nodes.values().filter(|n| !self.useless_nodes.contains(&n.id) && n.endpoint.is_allowed(filter)).collect();
+	pub fn nodes(&self, filter: IpFilter) -> Vec<NodeId> {
+		let mut refs: Vec<&Node> = self.nodes.values().filter(|n| !self.useless_nodes.contains(&n.id) && n.endpoint.is_allowed(&filter)).collect();
 		refs.sort_by(|a, b| a.failures.cmp(&b.failures));
 		refs.iter().map(|n| n.id.clone()).collect()
 	}
@@ -283,7 +293,7 @@ impl NodeTable {
 			let mut json = String::new();
 			json.push_str("{\n");
 			json.push_str("\"nodes\": [\n");
-			let node_ids = self.nodes(AllowIP::All);
+			let node_ids = self.nodes(IpFilter::default());
 			for i in 0 .. node_ids.len() {
 				let node = self.nodes.get(&node_ids[i]).expect("self.nodes() only returns node IDs from self.nodes");
 				json.push_str(&format!("\t{{ \"url\": \"{}\", \"failures\": {} }}{}\n", node, node.failures, if i == node_ids.len() - 1 {""} else {","}))
@@ -366,7 +376,7 @@ mod tests {
 	use util::H512;
 	use std::str::FromStr;
 	use devtools::*;
-	use AllowIP;
+	use ipnetwork::IpNetwork;
 
 	#[test]
 	fn endpoint_parse() {
@@ -412,7 +422,7 @@ mod tests {
 		table.note_failure(&id1);
 		table.note_failure(&id2);
 
-		let r = table.nodes(AllowIP::All);
+		let r = table.nodes(IpFilter::default());
 		assert_eq!(r[0][..], id3[..]);
 		assert_eq!(r[1][..], id2[..]);
 		assert_eq!(r[2][..], id1[..]);
@@ -434,9 +444,55 @@ mod tests {
 
 		{
 			let table = NodeTable::new(Some(temp_path.as_path().to_str().unwrap().to_owned()));
-			let r = table.nodes(AllowIP::All);
+			let r = table.nodes(IpFilter::default());
 			assert_eq!(r[0][..], id1[..]);
 			assert_eq!(r[1][..], id2[..]);
 		}
 	}
+
+	#[test]
+	fn custom_allow() {
+		let filter = IpFilter {
+			predefined: AllowIP::None,
+			custom_allow: vec![IpNetwork::from_str(&"10.0.0.0/8").unwrap(), IpNetwork::from_str(&"1.0.0.0/8").unwrap()],
+			custom_block: vec![],
+		};
+		assert!(!NodeEndpoint::from_str("123.99.55.44:7770").unwrap().is_allowed(&filter));
+		assert!(NodeEndpoint::from_str("10.0.0.1:7770").unwrap().is_allowed(&filter));
+		assert!(NodeEndpoint::from_str("1.0.0.55:5550").unwrap().is_allowed(&filter));
+	}
+
+	#[test]
+	fn custom_block() {
+		let filter = IpFilter {
+			predefined: AllowIP::All,
+			custom_allow: vec![],
+			custom_block: vec![IpNetwork::from_str(&"10.0.0.0/8").unwrap(), IpNetwork::from_str(&"1.0.0.0/8").unwrap()],
+		};
+		assert!(NodeEndpoint::from_str("123.99.55.44:7770").unwrap().is_allowed(&filter));
+		assert!(!NodeEndpoint::from_str("10.0.0.1:7770").unwrap().is_allowed(&filter));
+		assert!(!NodeEndpoint::from_str("1.0.0.55:5550").unwrap().is_allowed(&filter));
+	}
+
+	#[test]
+	fn custom_allow_ipv6() {
+		let filter = IpFilter {
+			predefined: AllowIP::None,
+			custom_allow: vec![IpNetwork::from_str(&"fc00::/8").unwrap()],
+			custom_block: vec![],
+		};
+		assert!(NodeEndpoint::from_str("[fc00::]:5550").unwrap().is_allowed(&filter));
+		assert!(!NodeEndpoint::from_str("[fd00::]:5550").unwrap().is_allowed(&filter));
+	}
+
+	#[test]
+	fn custom_block_ipv6() {
+		let filter = IpFilter {
+			predefined: AllowIP::All,
+			custom_allow: vec![],
+			custom_block: vec![IpNetwork::from_str(&"fc00::/8").unwrap()],
+		};
+		assert!(!NodeEndpoint::from_str("[fc00::]:5550").unwrap().is_allowed(&filter));
+		assert!(NodeEndpoint::from_str("[fd00::]:5550").unwrap().is_allowed(&filter));
+	}
 }