introduce "flat ip" representations

Makefile

 	cd irc/cloaks && go test . && go vet .
 	cd irc/connection_limits && go test . && go vet .
 	cd irc/email && go test . && go vet .
+	cd irc/flatip && go test . && go vet .
 	cd irc/history && go test . && go vet .
 	cd irc/isupport && go test . && go vet .
 	cd irc/migrations && go test . && go vet .

irc/connection_limits/limiter.go

 package connection_limits
 
 import (
+	"crypto/md5"
 	"errors"
 	"fmt"
 	"net"
 	"sync"
 	"time"
 
+	"github.com/oragono/oragono/irc/flatip"
 	"github.com/oragono/oragono/irc/utils"
 )
 
 
 // tuples the key-value pair of a CIDR and its custom limit/throttle values
 type customLimit struct {
-	name          string
+	name          [16]byte
 	maxConcurrent int
 	maxPerWindow  int
-	nets          []net.IPNet
+	nets          []flatip.IPNet
+}
+
+type limiterKey struct {
+	maskedIP  flatip.IP
+	prefixLen uint8 // 0 for the fake nets we generate for custom limits
 }
 
 // LimiterConfig controls the automated connection limits.
 type LimiterConfig struct {
 	rawLimiterConfig
 
-	ipv4Mask     net.IPMask
-	ipv6Mask     net.IPMask
-	exemptedNets []net.IPNet
+	exemptedNets []flatip.IPNet
 	customLimits []customLimit
 }
 
 }
 
 func (config *LimiterConfig) postprocess() (err error) {
-	config.exemptedNets, err = utils.ParseNetList(config.Exempted)
+	exemptedNets, err := utils.ParseNetList(config.Exempted)
 	if err != nil {
 		return fmt.Errorf("Could not parse limiter exemption list: %v", err.Error())
 	}
+	config.exemptedNets = make([]flatip.IPNet, len(exemptedNets))
+	for i, exempted := range exemptedNets {
+		config.exemptedNets[i] = flatip.FromNetIPNet(exempted)
+	}
 
 	for identifier, customLimitConf := range config.CustomLimits {
-		nets := make([]net.IPNet, len(customLimitConf.Nets))
+		nets := make([]flatip.IPNet, len(customLimitConf.Nets))
 		for i, netStr := range customLimitConf.Nets {
-			normalizedNet, err := utils.NormalizedNetFromString(netStr)
+			normalizedNet, err := flatip.ParseToNormalizedNet(netStr)
 			if err != nil {
 				return fmt.Errorf("Bad net %s in custom-limits block %s: %w", netStr, identifier, err)
 			}
 		if len(customLimitConf.Nets) == 0 {
 			// see #1421: this is the legacy config format where the
 			// dictionary key of the block is a CIDR string
-			normalizedNet, err := utils.NormalizedNetFromString(identifier)
+			normalizedNet, err := flatip.ParseToNormalizedNet(identifier)
 			if err != nil {
 				return fmt.Errorf("Custom limit block %s has no defined nets", identifier)
 			}
-			nets = []net.IPNet{normalizedNet}
+			nets = []flatip.IPNet{normalizedNet}
 		}
 		config.customLimits = append(config.customLimits, customLimit{
 			maxConcurrent: customLimitConf.MaxConcurrent,
 			maxPerWindow:  customLimitConf.MaxPerWindow,
-			name:          "*" + identifier,
+			name:          md5.Sum([]byte(identifier)),
 			nets:          nets,
 		})
 	}
 
-	config.ipv4Mask = net.CIDRMask(config.CidrLenIPv4, 32)
-	config.ipv6Mask = net.CIDRMask(config.CidrLenIPv6, 128)
-
 	return nil
 }
 
 	config *LimiterConfig
 
 	// IP/CIDR -> count of clients connected from there:
-	limiter map[string]int
+	limiter map[limiterKey]int
 	// IP/CIDR -> throttle state:
-	throttler map[string]ThrottleDetails
+	throttler map[limiterKey]ThrottleDetails
 }
 
 // addrToKey canonicalizes `addr` to a string key, and returns
 // the relevant connection limit and throttle max-per-window values
-func (cl *Limiter) addrToKey(addr net.IP) (key string, limit int, throttle int) {
-	// `key` will be a CIDR string like "8.8.8.8/32" or "2001:0db8::/32"
+func (cl *Limiter) addrToKey(flat flatip.IP) (key limiterKey, limit int, throttle int) {
 	for _, custom := range cl.config.customLimits {
 		for _, net := range custom.nets {
-			if net.Contains(addr) {
-				return custom.name, custom.maxConcurrent, custom.maxPerWindow
+			if net.Contains(flat) {
+				return limiterKey{maskedIP: custom.name, prefixLen: 0}, custom.maxConcurrent, custom.maxPerWindow
 			}
 		}
 	}
 
-	var ipNet net.IPNet
-	addrv4 := addr.To4()
-	if addrv4 != nil {
-		ipNet = net.IPNet{
-			IP:   addrv4.Mask(cl.config.ipv4Mask),
-			Mask: cl.config.ipv4Mask,
-		}
+	var prefixLen int
+	if flat.IsIPv4() {
+		prefixLen = cl.config.CidrLenIPv4
+		flat = flat.Mask(prefixLen, 32)
+		prefixLen += 96
 	} else {
-		ipNet = net.IPNet{
-			IP:   addr.Mask(cl.config.ipv6Mask),
-			Mask: cl.config.ipv6Mask,
-		}
+		prefixLen = cl.config.CidrLenIPv6
+		flat = flat.Mask(prefixLen, 128)
 	}
-	return ipNet.String(), cl.config.MaxConcurrent, cl.config.MaxPerWindow
+
+	return limiterKey{maskedIP: flat, prefixLen: uint8(prefixLen)}, cl.config.MaxConcurrent, cl.config.MaxPerWindow
 }
 
 // AddClient adds a client to our population if possible. If we can't, throws an error instead.
 func (cl *Limiter) AddClient(addr net.IP) error {
+	flat := flatip.FromNetIP(addr)
+
 	cl.Lock()
 	defer cl.Unlock()
 
 	// we don't track populations for exempted addresses or nets - this is by design
-	if utils.IPInNets(addr, cl.config.exemptedNets) {
+	if flatip.IPInNets(flat, cl.config.exemptedNets) {
 		return nil
 	}
 
-	addrString, maxConcurrent, maxPerWindow := cl.addrToKey(addr)
+	addrString, maxConcurrent, maxPerWindow := cl.addrToKey(flat)
 
 	// XXX check throttle first; if we checked limit first and then checked throttle,
 	// we'd have to decrement the limit on an unsuccessful throttle check
 
 // RemoveClient removes the given address from our population
 func (cl *Limiter) RemoveClient(addr net.IP) {
+	flat := flatip.FromNetIP(addr)
+
 	cl.Lock()
 	defer cl.Unlock()
 
-	if !cl.config.Count || utils.IPInNets(addr, cl.config.exemptedNets) {
+	if !cl.config.Count || flatip.IPInNets(flat, cl.config.exemptedNets) {
 		return
 	}
 
-	addrString, _, _ := cl.addrToKey(addr)
+	addrString, _, _ := cl.addrToKey(flat)
 	count := cl.limiter[addrString]
 	count -= 1
 	if count < 0 {
 
 // ResetThrottle resets the throttle count for an IP
 func (cl *Limiter) ResetThrottle(addr net.IP) {
+	flat := flatip.FromNetIP(addr)
+
 	cl.Lock()
 	defer cl.Unlock()
 
-	if !cl.config.Throttle || utils.IPInNets(addr, cl.config.exemptedNets) {
+	if !cl.config.Throttle || flatip.IPInNets(flat, cl.config.exemptedNets) {
 		return
 	}
 
-	addrString, _, _ := cl.addrToKey(addr)
+	addrString, _, _ := cl.addrToKey(flat)
 	delete(cl.throttler, addrString)
 }
 
 	defer cl.Unlock()
 
 	if cl.limiter == nil {
-		cl.limiter = make(map[string]int)
+		cl.limiter = make(map[limiterKey]int)
 	}
 	if cl.throttler == nil {
-		cl.throttler = make(map[string]ThrottleDetails)
+		cl.throttler = make(map[limiterKey]ThrottleDetails)
 	}
 
 	cl.config = config

irc/connection_limits/limiter_test.go

 package connection_limits
 
 import (
+	"crypto/md5"
 	"net"
 	"testing"
 	"time"
+
+	"github.com/oragono/oragono/irc/flatip"
 )
 
 func easyParseIP(ipstr string) (result net.IP) {
 	return
 }
 
+func easyParseFlat(ipstr string) (result flatip.IP) {
+	r1 := easyParseIP(ipstr)
+	return flatip.FromNetIP(r1)
+}
+
 var baseConfig = LimiterConfig{
 	rawLimiterConfig: rawLimiterConfig{
 		Count:         true,
 	var limiter Limiter
 	limiter.ApplyConfig(&config)
 
-	key, maxConc, maxWin := limiter.addrToKey(easyParseIP("1.1.1.1"))
-	assertEqual(key, "1.1.1.1/32", t)
+	// an ipv4 /32 looks like a /128 to us after applying the 4-in-6 mapping
+	key, maxConc, maxWin := limiter.addrToKey(easyParseFlat("1.1.1.1"))
+	assertEqual(key.prefixLen, uint8(128), t)
+	assertEqual(key.maskedIP[12:], []byte{1, 1, 1, 1}, t)
 	assertEqual(maxConc, 4, t)
 	assertEqual(maxWin, 8, t)
 
-	key, maxConc, maxWin = limiter.addrToKey(easyParseIP("2607:5301:201:3100::7426"))
-	assertEqual(key, "2607:5301:201:3100::/64", t)
+	testIPv6 := easyParseFlat("2607:5301:201:3100::7426")
+	key, maxConc, maxWin = limiter.addrToKey(testIPv6)
+	assertEqual(key.prefixLen, uint8(64), t)
+	assertEqual(key.maskedIP[:], []byte(easyParseIP("2607:5301:201:3100::")), t)
 	assertEqual(maxConc, 4, t)
 	assertEqual(maxWin, 8, t)
 
-	key, maxConc, maxWin = limiter.addrToKey(easyParseIP("8.8.4.4"))
-	assertEqual(key, "*google", t)
+	key, maxConc, maxWin = limiter.addrToKey(easyParseFlat("8.8.4.4"))
+	assertEqual(key.prefixLen, uint8(0), t)
+	assertEqual([16]byte(key.maskedIP), md5.Sum([]byte("google")), t)
 	assertEqual(maxConc, 128, t)
 	assertEqual(maxWin, 256, t)
 }

irc/dline.go

 	"sync"
 	"time"
 
+	"github.com/oragono/oragono/irc/flatip"
 	"github.com/oragono/oragono/irc/utils"
 	"github.com/tidwall/buntdb"
 )
 	return message
 }
 
-// dLineNet contains the net itself and expiration time for a given network.
-type dLineNet struct {
-	// Network is the network that is blocked.
-	// This is always an IPv6 CIDR; IPv4 CIDRs are translated with the 4-in-6 prefix,
-	// individual IPv4 and IPV6 addresses are translated to the relevant /128.
-	Network net.IPNet
-	// Info contains information on the ban.
-	Info IPBanInfo
-}
-
 // DLineManager manages and dlines.
 type DLineManager struct {
 	sync.RWMutex                // tier 1
 	persistenceMutex sync.Mutex // tier 2
 	// networks that are dlined:
-	// XXX: the keys of this map (which are also the database persistence keys)
-	// are the human-readable representations returned by NetToNormalizedString
-	networks map[string]dLineNet
+	networks map[flatip.IPNet]IPBanInfo
 	// this keeps track of expiration timers for temporary bans
-	expirationTimers map[string]*time.Timer
+	expirationTimers map[flatip.IPNet]*time.Timer
 	server           *Server
 }
 
 // NewDLineManager returns a new DLineManager.
 func NewDLineManager(server *Server) *DLineManager {
 	var dm DLineManager
-	dm.networks = make(map[string]dLineNet)
-	dm.expirationTimers = make(map[string]*time.Timer)
+	dm.networks = make(map[flatip.IPNet]IPBanInfo)
+	dm.expirationTimers = make(map[flatip.IPNet]*time.Timer)
 	dm.server = server
 
 	dm.loadFromDatastore()
 	dm.RLock()
 	defer dm.RUnlock()
 
-	// map keys are already the human-readable forms, just return a copy of the map
 	for key, info := range dm.networks {
-		allb[key] = info.Info
+		allb[key.String()] = info
 	}
 
 	return allb
 	return dm.persistDline(id, info)
 }
 
-func (dm *DLineManager) addNetworkInternal(network net.IPNet, info IPBanInfo) (id string) {
-	network = utils.NormalizeNet(network)
-	id = utils.NetToNormalizedString(network)
+func (dm *DLineManager) addNetworkInternal(network net.IPNet, info IPBanInfo) (id flatip.IPNet) {
+	flatnet := flatip.FromNetIPNet(network)
+	id = flatnet
 
 	var timeLeft time.Duration
 	if info.Duration != 0 {
 	dm.Lock()
 	defer dm.Unlock()
 
-	dm.networks[id] = dLineNet{
-		Network: network,
-		Info:    info,
-	}
+	dm.networks[flatnet] = info
 
-	dm.cancelTimer(id)
+	dm.cancelTimer(flatnet)
 
 	if info.Duration == 0 {
 		return
 		dm.Lock()
 		defer dm.Unlock()
 
-		netBan, ok := dm.networks[id]
-		if ok && netBan.Info.TimeCreated.Equal(timeCreated) {
-			delete(dm.networks, id)
+		banInfo, ok := dm.networks[flatnet]
+		if ok && banInfo.TimeCreated.Equal(timeCreated) {
+			delete(dm.networks, flatnet)
 			// TODO(slingamn) here's where we'd remove it from the radix tree
-			delete(dm.expirationTimers, id)
+			delete(dm.expirationTimers, flatnet)
 		}
 	}
-	dm.expirationTimers[id] = time.AfterFunc(timeLeft, processExpiration)
+	dm.expirationTimers[flatnet] = time.AfterFunc(timeLeft, processExpiration)
 
 	return
 }
 
-func (dm *DLineManager) cancelTimer(id string) {
-	oldTimer := dm.expirationTimers[id]
+func (dm *DLineManager) cancelTimer(flatnet flatip.IPNet) {
+	oldTimer := dm.expirationTimers[flatnet]
 	if oldTimer != nil {
 		oldTimer.Stop()
-		delete(dm.expirationTimers, id)
+		delete(dm.expirationTimers, flatnet)
 	}
 }
 
-func (dm *DLineManager) persistDline(id string, info IPBanInfo) error {
+func (dm *DLineManager) persistDline(id flatip.IPNet, info IPBanInfo) error {
 	// save in datastore
-	dlineKey := fmt.Sprintf(keyDlineEntry, id)
+	dlineKey := fmt.Sprintf(keyDlineEntry, id.String())
 	// assemble json from ban info
 	b, err := json.Marshal(info)
 	if err != nil {
 	return err
 }
 
-func (dm *DLineManager) unpersistDline(id string) error {
-	dlineKey := fmt.Sprintf(keyDlineEntry, id)
+func (dm *DLineManager) unpersistDline(id flatip.IPNet) error {
+	dlineKey := fmt.Sprintf(keyDlineEntry, id.String())
 	return dm.server.store.Update(func(tx *buntdb.Tx) error {
 		_, err := tx.Delete(dlineKey)
 		return err
 	dm.persistenceMutex.Lock()
 	defer dm.persistenceMutex.Unlock()
 
-	id := utils.NetToNormalizedString(utils.NormalizeNet(network))
+	id := flatip.FromNetIPNet(network)
 
 	present := func() bool {
 		dm.Lock()
 }
 
 // CheckIP returns whether or not an IP address was banned, and how long it is banned for.
-func (dm *DLineManager) CheckIP(addr net.IP) (isBanned bool, info IPBanInfo) {
-	addr = addr.To16() // almost certainly unnecessary
+func (dm *DLineManager) CheckIP(netAddr net.IP) (isBanned bool, info IPBanInfo) {
+	addr := flatip.FromNetIP(netAddr)
 	if addr.IsLoopback() {
 		return // #671
 	}
 
 	// check networks
 	// TODO(slingamn) use a radix tree as the data plane for this
-	for _, netBan := range dm.networks {
-		if netBan.Network.Contains(addr) {
-			return true, netBan.Info
+	for flatnet, info := range dm.networks {
+		if flatnet.Contains(addr) {
+			return true, info
 		}
 	}
 	// no matches!
-	isBanned = false
 	return
 }
 

irc/flatip/flatip.go

+// Copyright 2020 Shivaram Lingamneni <slingamn@cs.stanford.edu>
+// Copyright 2009 The Go Authors
+
+package flatip
+
+import (
+	"bytes"
+	"errors"
+	"net"
+)
+
+var (
+	v4InV6Prefix = []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff}
+
+	IPv6loopback = IP{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}
+
+	ErrInvalidIPString = errors.New("String could not be interpreted as an IP address")
+)
+
+// packed versions of net.IP and net.IPNet; these are pure value types,
+// so they can be compared with == and used as map keys.
+
+// IP is the 128-bit representation of the IPv6 address, using the 4-in-6 mapping
+// if necessary:
+type IP [16]byte
+
+// IPNet is a IP network. In a valid value, all bits after PrefixLen are zeroes.
+type IPNet struct {
+	IP
+	PrefixLen uint8
+}
+
+// NetIP converts an IP into a net.IP.
+func (ip IP) NetIP() (result net.IP) {
+	result = make(net.IP, 16)
+	copy(result[:], ip[:])
+	return
+}
+
+// FromNetIP converts a net.IP into an IP.
+func FromNetIP(ip net.IP) (result IP) {
+	if len(ip) == 16 {
+		copy(result[:], ip[:])
+	} else {
+		result[10] = 0xff
+		result[11] = 0xff
+		copy(result[12:], ip[:])
+	}
+	return
+}
+
+// IPv4 returns the IP address representation of a.b.c.d
+func IPv4(a, b, c, d byte) (result IP) {
+	copy(result[:12], v4InV6Prefix)
+	result[12] = a
+	result[13] = b
+	result[14] = c
+	result[15] = d
+	return
+}
+
+// ParseIP parses a string representation of an IP address into an IP.
+// Unlike net.ParseIP, it returns an error instead of a zero value on failure,
+// since the zero value of `IP` is a representation of a valid IP (::0, the
+// IPv6 "unspecified address").
+func ParseIP(ipstr string) (ip IP, err error) {
+	// TODO reimplement this without net.ParseIP
+	netip := net.ParseIP(ipstr)
+	if netip == nil {
+		err = ErrInvalidIPString
+		return
+	}
+	netip = netip.To16()
+	copy(ip[:], netip)
+	return
+}
+
+// String returns the string representation of an IP
+func (ip IP) String() string {
+	// TODO reimplement this without using (net.IP).String()
+	return (net.IP)(ip[:]).String()
+}
+
+// IsIPv4 returns whether the IP is an IPv4 address.
+func (ip IP) IsIPv4() bool {
+	return bytes.Equal(ip[:12], v4InV6Prefix)
+}
+
+// IsLoopback returns whether the IP is a loopback address.
+func (ip IP) IsLoopback() bool {
+	if ip.IsIPv4() {
+		return ip[12] == 127
+	} else {
+		return ip == IPv6loopback
+	}
+}
+
+func rawCidrMask(length int) (m IP) {
+	n := uint(length)
+	for i := 0; i < 16; i++ {
+		if n >= 8 {
+			m[i] = 0xff
+			n -= 8
+			continue
+		}
+		m[i] = ^byte(0xff >> n)
+		return
+	}
+	return
+}
+
+func (ip IP) applyMask(mask IP) (result IP) {
+	for i := 0; i < 16; i += 1 {
+		result[i] = ip[i] & mask[i]
+	}
+	return
+}
+
+func cidrMask(ones, bits int) (result IP) {
+	switch bits {
+	case 32:
+		return rawCidrMask(96 + ones)
+	case 128:
+		return rawCidrMask(ones)
+	default:
+		return
+	}
+}
+
+// Mask returns the result of masking ip with the CIDR mask of
+// length 'ones', out of a total of 'bits' (which must be either
+// 32 for an IPv4 subnet or 128 for an IPv6 subnet).
+func (ip IP) Mask(ones, bits int) (result IP) {
+	return ip.applyMask(cidrMask(ones, bits))
+}
+
+// ToNetIPNet converts an IPNet into a net.IPNet.
+func (cidr IPNet) ToNetIPNet() (result net.IPNet) {
+	return net.IPNet{
+		IP:   cidr.IP.NetIP(),
+		Mask: net.CIDRMask(int(cidr.PrefixLen), 128),
+	}
+}
+
+// Contains retuns whether the network contains `ip`.
+func (cidr IPNet) Contains(ip IP) bool {
+	maskedIP := ip.Mask(int(cidr.PrefixLen), 128)
+	return cidr.IP == maskedIP
+}
+
+// FromNetIPnet converts a net.IPNet into an IPNet.
+func FromNetIPNet(network net.IPNet) (result IPNet) {
+	ones, _ := network.Mask.Size()
+	if len(network.IP) == 16 {
+		copy(result.IP[:], network.IP[:])
+	} else {
+		result.IP[10] = 0xff
+		result.IP[11] = 0xff
+		copy(result.IP[12:], network.IP[:])
+		ones += 96
+	}
+	// perform masking so that equal CIDRs are ==
+	result.IP = result.IP.Mask(ones, 128)
+	result.PrefixLen = uint8(ones)
+	return
+}
+
+// String returns a string representation of an IPNet.
+func (cidr IPNet) String() string {
+	ip := make(net.IP, 16)
+	copy(ip[:], cidr.IP[:])
+	ipnet := net.IPNet{
+		IP:   ip,
+		Mask: net.CIDRMask(int(cidr.PrefixLen), 128),
+	}
+	return ipnet.String()
+}
+
+// ParseCIDR parses a string representation of an IP network in CIDR notation,
+// then returns it as an IPNet (along with the original, unmasked address).
+func ParseCIDR(netstr string) (ip IP, ipnet IPNet, err error) {
+	// TODO reimplement this without net.ParseCIDR
+	nip, nipnet, err := net.ParseCIDR(netstr)
+	if err != nil {
+		return
+	}
+	return FromNetIP(nip), FromNetIPNet(*nipnet), nil
+}
+
+// begin ad-hoc utilities
+
+// ParseToNormalizedNet attempts to interpret a string either as an IP
+// network in CIDR notation, returning an IPNet, or as an IP address,
+// returning an IPNet that contains only that address.
+func ParseToNormalizedNet(netstr string) (ipnet IPNet, err error) {
+	_, ipnet, err = ParseCIDR(netstr)
+	if err == nil {
+		return
+	}
+	ip, err := ParseIP(netstr)
+	if err == nil {
+		ipnet.IP = ip
+		ipnet.PrefixLen = 128
+	}
+	return
+}
+
+// IPInNets is a convenience function for testing whether an IP is contained
+// in any member of a slice of IPNet's.
+func IPInNets(addr IP, nets []IPNet) bool {
+	for _, net := range nets {
+		if net.Contains(addr) {
+			return true
+		}
+	}
+	return false
+}

irc/flatip/flatip_test.go

+package flatip
+
+import (
+	"bytes"
+	"math/rand"
+	"net"
+	"testing"
+	"time"
+)
+
+func easyParseIP(ipstr string) (result net.IP) {
+	result = net.ParseIP(ipstr)
+	if result == nil {
+		panic(ipstr)
+	}
+	return
+}
+
+func easyParseFlat(ipstr string) (result IP) {
+	x := easyParseIP(ipstr)
+	return FromNetIP(x)
+}
+
+func easyParseIPNet(nipstr string) (result net.IPNet) {
+	_, nip, err := net.ParseCIDR(nipstr)
+	if err != nil {
+		panic(err)
+	}
+	return *nip
+}
+
+func TestBasic(t *testing.T) {
+	nip := easyParseIP("8.8.8.8")
+	flatip := FromNetIP(nip)
+	if flatip.String() != "8.8.8.8" {
+		t.Errorf("conversions don't work")
+	}
+}
+
+func TestLoopback(t *testing.T) {
+	localhost_v4 := easyParseFlat("127.0.0.1")
+	localhost_v4_again := easyParseFlat("127.2.3.4")
+	google := easyParseFlat("8.8.8.8")
+	loopback_v6 := easyParseFlat("::1")
+	google_v6 := easyParseFlat("2607:f8b0:4006:801::2004")
+
+	if !(localhost_v4.IsLoopback() && localhost_v4_again.IsLoopback() && loopback_v6.IsLoopback()) {
+		t.Errorf("can't detect loopbacks")
+	}
+
+	if google_v6.IsLoopback() || google.IsLoopback() {
+		t.Errorf("incorrectly detected loopbacks")
+	}
+}
+
+func TestContains(t *testing.T) {
+	nipnet := easyParseIPNet("8.8.0.0/16")
+	flatipnet := FromNetIPNet(nipnet)
+	nip := easyParseIP("8.8.8.8")
+	flatip_ := FromNetIP(nip)
+	if !flatipnet.Contains(flatip_) {
+		t.Errorf("contains doesn't work")
+	}
+}
+
+var testIPStrs = []string{
+	"8.8.8.8",
+	"127.0.0.1",
+	"1.1.1.1",
+	"128.127.65.64",
+	"2001:0db8::1",
+	"::1",
+	"255.255.255.255",
+}
+
+func doMaskingTest(ip net.IP, t *testing.T) {
+	flat := FromNetIP(ip)
+	netLen := len(ip) * 8
+	for i := 0; i < netLen; i++ {
+		masked := flat.Mask(i, netLen)
+		netMask := net.CIDRMask(i, netLen)
+		netMasked := ip.Mask(netMask)
+		if !bytes.Equal(masked[:], netMasked.To16()) {
+			t.Errorf("Masking %s with %d/%d; expected %s, got %s", ip.String(), i, netLen, netMasked.String(), masked.String())
+		}
+	}
+}
+
+func TestMasking(t *testing.T) {
+	for _, ipstr := range testIPStrs {
+		doMaskingTest(easyParseIP(ipstr), t)
+	}
+}
+
+func TestMaskingFuzz(t *testing.T) {
+	r := rand.New(rand.NewSource(time.Now().UnixNano()))
+	buf := make([]byte, 4)
+	for i := 0; i < 10000; i++ {
+		r.Read(buf)
+		doMaskingTest(net.IP(buf), t)
+	}
+
+	buf = make([]byte, 16)
+	for i := 0; i < 10000; i++ {
+		r.Read(buf)
+		doMaskingTest(net.IP(buf), t)
+	}
+}
+
+func BenchmarkMasking(b *testing.B) {
+	ip := easyParseIP("2001:0db8::42")
+	flat := FromNetIP(ip)
+	b.ResetTimer()
+
+	for i := 0; i < b.N; i++ {
+		flat.Mask(64, 128)
+	}
+}
+
+func BenchmarkMaskingLegacy(b *testing.B) {
+	ip := easyParseIP("2001:0db8::42")
+	mask := net.CIDRMask(64, 128)
+	b.ResetTimer()
+
+	for i := 0; i < b.N; i++ {
+		ip.Mask(mask)
+	}
+}
+
+func BenchmarkMaskingCached(b *testing.B) {
+	i := easyParseIP("2001:0db8::42")
+	flat := FromNetIP(i)
+	mask := cidrMask(64, 128)
+	b.ResetTimer()
+
+	for i := 0; i < b.N; i++ {
+		flat.applyMask(mask)
+	}
+}
+
+func BenchmarkMaskingConstruct(b *testing.B) {
+	for i := 0; i < b.N; i++ {
+		cidrMask(69, 128)
+	}
+}
+
+func BenchmarkContains(b *testing.B) {
+	ip := easyParseIP("2001:0db8::42")
+	flat := FromNetIP(ip)
+	_, ipnet, err := net.ParseCIDR("2001:0db8::/64")
+	if err != nil {
+		panic(err)
+	}
+	flatnet := FromNetIPNet(*ipnet)
+	b.ResetTimer()
+
+	for i := 0; i < b.N; i++ {
+		flatnet.Contains(flat)
+	}
+}
+
+func BenchmarkContainsLegacy(b *testing.B) {
+	ip := easyParseIP("2001:0db8::42")
+	_, ipnetptr, err := net.ParseCIDR("2001:0db8::/64")
+	if err != nil {
+		panic(err)
+	}
+	ipnet := *ipnetptr
+	b.ResetTimer()
+
+	for i := 0; i < b.N; i++ {
+		ipnet.Contains(ip)
+	}
+}