Implement firewall matching with CIDR rules

Q: Implement firewall matching with CIDR rules

This question evaluates understanding of IPv4 addressing and CIDR prefix matching, including bitwise reasoning, robust parsing, handling of edge cases, and algorithmic efficiency for large rule sets.

Q: How do I approach Coding & Algorithms interview questions?

Coding & Algorithms questions require understanding of core concepts and practice. PracHub provides solutions with explanations to help you master coding & algorithms interviews.

Question

Implement a simple IPv4 firewall rule matcher.

Problem

You are given an ordered list of firewall rules. Each rule has:

an action : ALLOW or DENY
a CIDR prefix in IPv4 notation: A.B.C.D/L , where:
- A, B, C, D are integers in [0, 255]
- L (the prefix length) is an integer in [0, 32]

The firewall processes incoming IPv4 addresses in order of the rules:

Convert each IPv4 address and each rule's network address to a 32‑bit integer.
An IP address matches a CIDR rule if the first L bits of the IP are equal to the first L bits of the rule's network address.
Rules are evaluated in the given order. The first matching rule determines the result.
If no rule matches, the default is DENY .

Task

Design and implement a function:

bool isAllowed(List<Rule> rules, string ipAddress)

where:

rules is the ordered list of rules, each with action ∈ { "ALLOW" , "DENY" } and cidr ∈ IPv4 CIDR format "A.B.C.D/L" .
ipAddress is a string in IPv4 dotted format "A.B.C.D" .

The function should return true if the IP is allowed by the rule set, and false otherwise.

You should:

Parse and validate IPv4 addresses and CIDR strings.
Implement correct CIDR matching semantics for all prefix lengths, including edge cases like /0 (matches all IPs) and /32 (matches exactly one IP).
Assume there can be up to, for example, 10^5 rules and 10^5 queries, and aim for an efficient solution.

Follow‑up 1 — Test cases

List and explain a set of important test cases you would use to validate your implementation, including:

Simple matches and non‑matches.
Multiple matching rules where the first should win.
Boundary addresses of CIDR ranges (first and last IP in the block).
Edge prefix lengths (0 and 32).
Invalid inputs (malformed IPs or CIDRs) and how your function should behave in that case (you may define reasonable behavior and be consistent).

Follow‑up 2 — CIDR as query input

Extend the API so that the input to check is itself a CIDR block, e.g. "10.0.1.0/24", instead of a single IP.

Define and implement a function with a suitable signature, for example:

Result checkRange(List<Rule> rules, string cidrRange)

Decide and justify the semantics of Result, for example:

Does it indicate whether the entire range is allowed/denied by the same action?
Does it distinguish between fully allowed, fully denied, and mixed (partially allowed, partially denied) ranges?

Clearly specify the matching and precedence rules when a CIDR range query overlaps multiple firewall rules.

Follow‑up 3 — Matching condition

Formally specify, in terms of 32‑bit integers and bit operations, the exact condition under which an IPv4 address matches a CIDR network/prefixLength pair.