The ip-access-control() handler is convenient, but makes the assumption that I want to block the request.  There can be utility in matching IP ranges purely as a predicate so I can attach my own handler if the check matches or not. 

The ACL logic should be refactored to a predicate (recommended name: "ip-allowed()" ) that performs the same checks, but simply returns true or false so the user can pair a handler of their choice.  

ip-allowed( default-allow=false, acl={'127.0.0.* allow'} ) -> set( %{i,trusted_ip}, true )

Then refactor the ip-access-control() handler to use the new ip-allowed() predicate internally.