SecurityOptions IPAllowedList not blocking IPs outside list (Whitelist not enforced) ocelot version (23.4.2) & .Net version 8

[Nikhil-nama]

Hello Ocelot team / community,

I am using Ocelot version [insert version] (.NET [insert version]) and trying to implement a whitelist behavior using SecurityOptions. My ocelot.json (route-specific) config for a route looks like:

"SecurityOptions": {
  "IPBlockedList": [ "172.16.40.240", "::/0" ],
  "IPAllowedList": [ "192.168.0.15", "172.16.40.248", "127.0.0.1", "::1" ],
  "ExcludeAllowedFromBlocked": true
}


What I expect:

Only the IPs in IPAllowedList should be allowed.

All other IPs (including 172.16.40.240, and any other external IP) should be blocked.

What I observe:

Any IP is getting through (requests from IPs not in IPAllowedList succeed).

Even though IPBlockedList includes ::/0 which should block all IPv6 addresses not explicitly allowed, this is not working.

So behavior is not matching whitelist.