IPFS Swarm Filters: Alternative to CIDR?

Okay, I really hope I’m not missing something silly here, but before I start writing out swarm filters for 192.168.{0…255}.0/24, I figured I’d better ask if there’s a better way.

I know that Swarm filters are deny-only, so there isn’t a way to say “deny this range except another range”. I’m just having trouble figuring out how to efficiently make a group of deny ranges that still allows a /24 within the larger /16 range.

So, for example, I’m trying to exclude, while including I could imagine carving out a good chunk of that with a bitmask such as, but that doesn’t translate to CIDR. Does multiaddr have a way to use a bitmask instead of a CIDR, and is it supported in IPFS?

So far, the closest workaround I can come by is to go bit-by-bit in the third octet like this:

After that my binary gets a bit fuzzy:

(Edit: Update: The above didn’t work as I was still able to (attempt) to connect to

Alternatively I could just put in entries for anything smaller than /21:

(Edit: Update: After testing, the above did work.

I realize looking through the issues in ipfs/go-ipfs on github that there is a technical hurdle to adding allow-list functionality to swarm filters. Instead, is there a way to use a bitmask instead of CIDR?

Thanks in advance for any clues

Unfortunately, there isn’t an existing solution for this within go-ipfs. With libp2p, you can pass arbitrary functions to filter addresses, but you obviously can’t do that with go-ipfs.

That is unfortunate. This is not entirely unexpected as I couldn’t see any mention of multiaddr having support for bitmasks. Thankfully, my rather brute-force workaround mentioned above worked, although I don’t know what strain might be caused by having a large number of filters.

At the moment, it checks each one sequentially. A bit unfortunate but it shouldn’t slow you down too much.