Add IP prefix blocklist

[jprenken]

Fixes #8237

[github-actions]

@jprenken, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values.

[jprenken]

@jprenken, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values.

Thanks, bot! But these config changes are merely optional.

[beautifulentropy]

I noticed an opportunity to improve lookup performance during run time with a little pre-processing at load time. Otherwise this change looks good to me!

[beautifulentropy]

By removing redundant prefixes at load time, we could reduce the size of the list and improve per-request lookup performance at run time.

// canonicalizePrefixes returns a sorted, deduplicated, and non-overlapping
// slice of netip.Prefix.
func canonicalizePrefixes(in []netip.Prefix) []netip.Prefix {
	if len(in) == 0 {
		return nil
	}
	cp := make([]netip.Prefix, len(in))
	copy(cp, in)

	slices.SortFunc(cp, func(a, b netip.Prefix) int {
		if a.Addr() == b.Addr() {
			return a.Bits() - b.Bits()
		}
		if a.Addr().Less(b.Addr()) {
			return -1
		}
		return 1
	})

	out := make([]netip.Prefix, 0, len(cp))
	for _, p := range cp {
		if len(out) > 0 && out[len(out)-1].Contains(p.Addr()) &&
			out[len(out)-1].Bits() <= p.Bits() {
			continue
		}
		out = append(out, p)
	}
	return out
}

[jprenken]

Hmmm, if we decide to add more complex code to improve lookup performance, I'd rather integrate bart.

[jsha]

Generally looks good! A naming and a comment comment.