feat: --stats-allow-net CIDR for custom stats access ranges

Overlay networks (Tailscale, Netbird, WireGuard) use non-RFC1918 ranges
like 100.64.0.0/10 that is_private_ip() rejects. Add a repeatable flag
to extend the stats endpoint allowlist with specific CIDR ranges, reusing
the existing parser from net-ip-acl.c.

Closes #4

Author: dvershinin

CHANGELOG.md

@@ -2,6 +2,11 @@
 
 All notable changes to this project will be documented in this file.
 
+## [3.5.5] - 2026-03-30
+
+### Added
+- `--stats-allow-net CIDR` flag to extend stats endpoint access beyond RFC1918 ranges (repeatable, e.g. `--stats-allow-net 100.64.0.0/10` for Tailscale/WireGuard). Docker: `STATS_ALLOW_NET=100.64.0.0/10,fd00::/8` ([#4](https://github.com/teleproxy/teleproxy/issues/4))
+
 ## [3.5.4] - 2026-03-28
 
 ### Fixed

mtproto/mtproto-proxy.c

@@ -1701,7 +1701,7 @@ int hts_stats_execute (connection_job_t c, struct raw_message *msg, int op) {
     D->query_flags &= ~QF_KEEPALIVE;
     return -501;
   }
-  if (!is_private_ip(CONN_INFO(c)->remote_ip)) {
+  if (!is_private_ip(CONN_INFO(c)->remote_ip) && !ip_acl_check_stats_v4(CONN_INFO(c)->remote_ip)) {
     return -404;
   }
 
@@ -2612,6 +2612,12 @@ int f_parse_option (int val) {
   case 2003:
     direct_mode = 1;
     break;
+  case 2004:
+    if (ip_acl_add_stats_net (optarg) < 0) {
+      kprintf ("invalid CIDR for --stats-allow-net: %s\n", optarg);
+      return 2;
+    }
+    break;
   default:
     return -1;
   }
@@ -2633,6 +2639,7 @@ void mtfront_prepare_parse_options (void) {
   parse_option ("ip-blocklist", required_argument, 0, 2001, "path to file with CIDR ranges to reject");
   parse_option ("ip-allowlist", required_argument, 0, 2002, "path to file with CIDR ranges to exclusively allow");
   parse_option ("direct", no_argument, 0, 2003, "connect directly to Telegram DCs instead of through ME relays (incompatible with -P)");
+  parse_option ("stats-allow-net", required_argument, 0, 2004, "CIDR range to allow stats access from, e.g. 100.64.0.0/10 (repeatable)");
 }
 
 void mtfront_parse_extra_args (int argc, char *argv[]) /* {{{ */ {

net/net-ip-acl.c

@@ -43,6 +43,7 @@ struct ip_acl {
 
 static struct ip_acl *current_blocklist;
 static struct ip_acl *current_allowlist;
+static struct ip_acl *stats_allowlist;
 static char *blocklist_file;
 static char *allowlist_file;
 
@@ -221,6 +222,54 @@ static char *trim (char *s) {
   return s;
 }
 
+/* Parse a CIDR string (e.g. "100.64.0.0/10", "2001:db8::/32", "10.0.0.1")
+   into a rule struct. The input buffer is modified (slash replaced with NUL).
+   Returns 0 on success, -1 on parse error. */
+static int ip_acl_parse_cidr (char *s, struct ip_acl_rule *rule) {
+  memset (rule, 0, sizeof (*rule));
+
+  char *slash = strchr (s, '/');
+  int explicit_prefix = 0;
+  if (slash) {
+    *slash = '\0';
+    char *endptr;
+    rule->prefix_len = (int)strtol (slash + 1, &endptr, 10);
+    if (*endptr && !isspace ((unsigned char)*endptr)) {
+      return -1;
+    }
+    explicit_prefix = 1;
+  }
+
+  struct in_addr addr4;
+  struct in6_addr addr6;
+
+  if (inet_pton (AF_INET, s, &addr4) == 1) {
+    rule->family = AF_INET;
+    rule->addr.v4 = ntohl (addr4.s_addr);
+    if (!explicit_prefix) {
+      rule->prefix_len = 32;
+    }
+    if (rule->prefix_len < 0 || rule->prefix_len > 32) {
+      return -1;
+    }
+    rule->addr.v4 = mask_v4 (rule->addr.v4, rule->prefix_len);
+  } else if (inet_pton (AF_INET6, s, &addr6) == 1) {
+    rule->family = AF_INET6;
+    memcpy (rule->addr.v6, addr6.s6_addr, 16);
+    if (!explicit_prefix) {
+      rule->prefix_len = 128;
+    }
+    if (rule->prefix_len < 0 || rule->prefix_len > 128) {
+      return -1;
+    }
+    mask_v6 (rule->addr.v6, rule->prefix_len);
+  } else {
+    return -1;
+  }
+
+  return 0;
+}
+
 static struct ip_acl *ip_acl_load (const char *filename) {
   FILE *f = fopen (filename, "r");
   if (!f) {
@@ -241,56 +290,13 @@ static struct ip_acl *ip_acl_load (const char *filename) {
     lineno++;
     char *s = trim (line);
 
-    /* skip empty lines and comments */
     if (!*s || *s == '#') {
       continue;
     }
 
     struct ip_acl_rule rule;
-    memset (&rule, 0, sizeof (rule));
-
-    /* split on '/' for prefix length */
-    char *slash = strchr (s, '/');
-    int explicit_prefix = 0;
-    if (slash) {
-      *slash = '\0';
-      char *endptr;
-      rule.prefix_len = (int)strtol (slash + 1, &endptr, 10);
-      if (*endptr && !isspace ((unsigned char)*endptr)) {
-        kprintf ("ip_acl: %s:%d: invalid prefix length '%s'\n", filename, lineno, slash + 1);
-        continue;
-      }
-      explicit_prefix = 1;
-    }
-
-    /* try IPv4 first */
-    struct in_addr addr4;
-    struct in6_addr addr6;
-
-    if (inet_pton (AF_INET, s, &addr4) == 1) {
-      rule.family = AF_INET;
-      rule.addr.v4 = ntohl (addr4.s_addr);
-      if (!explicit_prefix) {
-        rule.prefix_len = 32;
-      }
-      if (rule.prefix_len < 0 || rule.prefix_len > 32) {
-        kprintf ("ip_acl: %s:%d: invalid IPv4 prefix length %d\n", filename, lineno, rule.prefix_len);
-        continue;
-      }
-      rule.addr.v4 = mask_v4 (rule.addr.v4, rule.prefix_len);
-    } else if (inet_pton (AF_INET6, s, &addr6) == 1) {
-      rule.family = AF_INET6;
-      memcpy (rule.addr.v6, addr6.s6_addr, 16);
-      if (!explicit_prefix) {
-        rule.prefix_len = 128;
-      }
-      if (rule.prefix_len < 0 || rule.prefix_len > 128) {
-        kprintf ("ip_acl: %s:%d: invalid IPv6 prefix length %d\n", filename, lineno, rule.prefix_len);
-        continue;
-      }
-      mask_v6 (rule.addr.v6, rule.prefix_len);
-    } else {
-      kprintf ("ip_acl: %s:%d: cannot parse address '%s'\n", filename, lineno, s);
+    if (ip_acl_parse_cidr (s, &rule) < 0) {
+      kprintf ("ip_acl: %s:%d: cannot parse '%s'\n", filename, lineno, s);
       continue;
     }
 
@@ -347,3 +353,34 @@ int ip_acl_blocklist_count (void) {
 int ip_acl_allowlist_count (void) {
   return current_allowlist ? current_allowlist->count : 0;
 }
+
+int ip_acl_add_stats_net (const char *cidr) {
+  char buf[256];
+  int len = snprintf (buf, sizeof (buf), "%s", cidr);
+  if (len <= 0 || len >= (int)sizeof (buf)) {
+    return -1;
+  }
+
+  char *s = trim (buf);
+  if (!*s) {
+    return -1;
+  }
+
+  struct ip_acl_rule rule;
+  if (ip_acl_parse_cidr (s, &rule) < 0) {
+    return -1;
+  }
+
+  if (!stats_allowlist) {
+    stats_allowlist = ip_acl_alloc ();
+    if (!stats_allowlist) {
+      return -1;
+    }
+  }
+
+  return ip_acl_add_rule (stats_allowlist, &rule);
+}
+
+int ip_acl_check_stats_v4 (unsigned ip) {
+  return acl_contains_v4 (stats_allowlist, ip);
+}

net/net-ip-acl.h

@@ -35,6 +35,14 @@ int ip_acl_check_v4 (unsigned ip);
    Returns 1 if allowed, 0 if rejected. */
 int ip_acl_check_v6 (const unsigned char ipv6[16]);
 
+/* Add a CIDR range to the stats endpoint allowlist (called during CLI parsing).
+   Can be called multiple times. Returns 0 on success, -1 on parse error. */
+int ip_acl_add_stats_net (const char *cidr);
+
+/* Check whether an IPv4 address (host byte order) is in the stats allowlist.
+   Returns 1 if allowed, 0 if not (default deny when no ranges configured). */
+int ip_acl_check_stats_v4 (unsigned ip);
+
 /* Return count of loaded rules (for stats/debugging). */
 int ip_acl_blocklist_count (void);
 int ip_acl_allowlist_count (void);

start.sh

@@ -160,6 +160,17 @@ if [ -n "$IP_ALLOWLIST" ]; then
     CMD="$CMD --ip-allowlist $IP_ALLOWLIST"
 fi
 
+if [ -n "$STATS_ALLOW_NET" ]; then
+    _save_ifs="$IFS"
+    IFS=','
+    for _net in $STATS_ALLOW_NET; do
+        IFS="$_save_ifs"
+        _net=$(printf '%s' "$_net" | tr -d '[:space:]')
+        [ -n "$_net" ] && CMD="$CMD --stats-allow-net $_net"
+    done
+    IFS="$_save_ifs"
+fi
+
 if [ "$DIRECT_MODE" = "true" ]; then
     CMD="$CMD --direct -M $WORKERS -u mtproxy $ORIG_ARGS"
     echo "Direct mode: connecting directly to Telegram DCs (no ME relay)"