The IfPlugin.checkIP method has a comment "TODO: Add subnetwork matching, e.g. 10.0.0.0/8". This is a patch to address this. Sorry that this does not come as a PR, but the changes are limited in scope.

Additions to pom.xml

    <ipaddress.version>5.4.0</ipaddress.version>

      <dependency>
        <groupId>com.github.seancfoley</groupId>
        <artifactId>ipaddress</artifactId>
        <version>${ipaddress.version}</version>
      </dependency>

Additions to jspwiki-util/pom.xml

	<dependency>
		<groupId>com.github.seancfoley</groupId>
		<artifactId>ipaddress</artifactId>
	</dependency>

Changes in jspwiki-util/src/main/java/org/apache/wiki/util/HttpUtil.java

This method now checks whether the IP contains a comma, which can happen if the request goes through more than one proxy.
That's not directly related to this patch, but useful nonetheless.

    /**
     * returns the remote address by looking into {@code x-forwarded-for} header or, if unavailable,
     * into {@link HttpServletRequest#getRemoteAddr()}.
     *
     * @param req http request
     * @return remote address associated to the request.
     */
    public static String getRemoteAddress( final HttpServletRequest req ) {
		String realIP = StringUtils.isNotEmpty ( req.getHeader( "X-Forwarded-For" ) ) ? req.getHeader( "X-Forwarded-For" ) :
			                                                                          req.getRemoteAddr();
		// can be a comma-separated list of IPs
		if (realIP.contains(","))
			realIP = realIP.substring(realIP.indexOf(","));

		return realIP;
	}

This method is new

    /**
     * Returns whether or not the IP address of the request equals a given IP, or is in a given IP range
     *
     * @param req http request
     * @param ipOrRange IP address or IP range to test against
     * @return 
     */
    public static boolean ipIsInRange ( final HttpServletRequest req, final String ipOrRange ) {
		String requestIP = getRemoteAddress(req);
		if (ipOrRange.contains("/")) {
			IPAddressString testRange = new IPAddressString(ipOrRange);
			return testRange.contains(new IPAddressString(requestIP));
		} else {
			return requestIP.equals(ipOrRange);
		}
	}


Changes in jspwiki-main/src/main/java/org/apache/wiki/plugin/IfPlugin.java

Instead of
            include |= ipaddrToCheck.equals( HttpUtil.getRemoteAddress( context.getHttpRequest() ) ) ^ invert;

now it should read

            include |= HttpUtil.ipIsInRange( context.getHttpRequest(), ipaddrToCheck ) ^ invert;


That's all. Now the IfPlugin accepts something like

[{If ip='192.168.0.0/16|10.0.0.0/8|127.0.0.1'

Secret stuff for localhost}]