diff --git a/BUILD b/BUILD
index cb40c29c..4b11cc14 100644
--- a/BUILD
+++ b/BUILD
@@ -195,6 +195,7 @@ proto_library(
 "//envoy/extensions/internal_redirect/safe_cross_scheme/v3:pkg",
 "//envoy/extensions/matching/common_inputs/environment_variable/v3:pkg",
 "//envoy/extensions/matching/input_matchers/consistent_hashing/v3:pkg",
+ "//envoy/extensions/matching/input_matchers/ip/v3:pkg",
 "//envoy/extensions/network/socket_interface/v3:pkg",
 "//envoy/extensions/quic/crypto_stream/v3:pkg",
 "//envoy/extensions/quic/proof_source/v3:pkg",
diff --git a/envoy/extensions/matching/input_matchers/ip/v3/BUILD b/envoy/extensions/matching/input_matchers/ip/v3/BUILD
new file mode 100644
index 00000000..1c1a6f6b
--- /dev/null
+++ b/envoy/extensions/matching/input_matchers/ip/v3/BUILD
@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+ deps = [
+ "//envoy/config/core/v3:pkg",
+ "@com_github_cncf_udpa//udpa/annotations:pkg",
+ ],
+)
diff --git a/envoy/extensions/matching/input_matchers/ip/v3/ip.proto b/envoy/extensions/matching/input_matchers/ip/v3/ip.proto
new file mode 100644
index 00000000..3c7cb4eb
--- /dev/null
+++ b/envoy/extensions/matching/input_matchers/ip/v3/ip.proto
@@ -0,0 +1,38 @@
+syntax = "proto3";
+
+package envoy.extensions.matching.input_matchers.ip.v3;
+
+import "envoy/config/core/v3/address.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.matching.input_matchers.ip.v3";
+option java_outer_classname = "IpProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: IP matcher]
+// [#extension: envoy.matching.input_matchers.ip]
+
+// This input matcher matches IPv4 or IPv6 addresses against a list of CIDR
+// ranges. It returns true if and only if the input IP belongs to at least one
+// of these CIDR ranges. Internally, it uses a Level-Compressed trie, as
+// described in the paper `IP-address lookup using LC-tries
+// `_
+// by S. Nilsson and G. Karlsson. For "big" lists of IPs, this matcher is more
+// efficient than multiple single IP matcher, that would have a linear cost.
+message Ip {
+ // Match if the IP belongs to any of these CIDR ranges.
+ repeated config.core.v3.CidrRange cidr_ranges = 1 [(validate.rules).repeated = {min_items: 1}];
+
+ // The human readable prefix to use when emitting statistics for the IP input
+ // matcher. Names in the table below are concatenated to this prefix.
+ //
+ // .. csv-table::
+ // :header: Name, Type, Description
+ // :widths: 1, 1, 2
+ //
+ // ip_parsing_failed, Counter, Total number of IP addresses the matcher was unable to parse
+ string stat_prefix = 2 [(validate.rules).string = {min_len: 1}];
+}
diff --git a/versioning/BUILD b/versioning/BUILD
index eb426726..51bc6318 100644
--- a/versioning/BUILD
+++ b/versioning/BUILD
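Review bot: The comment on `message Ip` in ip.proto does not say what the matcher returns when the input cannot be parsed as an IP address, although the `ip_parsing_failed` counter documented under `stat_prefix` shows that case is expected. An operator using this matcher for an allow or deny decision needs the fail behaviour as part of the documented contract. The implementation is not part of this diff, so confirm the behaviour first and then add a line such as `// An input that cannot be parsed as an IP address never matches and increments ip_parsing_failed.` It would also help to state whether an IPv4-mapped IPv6 input is compared against IPv4 entries in `cidr_ranges`, since a list written only with IPv4 ranges depends on that.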
@@ -140,6 +140,7 @@ proto_library(
 "//envoy/extensions/internal_redirect/safe_cross_scheme/v3:pkg",
 "//envoy/extensions/matching/common_inputs/environment_variable/v3:pkg",
 "//envoy/extensions/matching/input_matchers/consistent_hashing/v3:pkg",
+ "//envoy/extensions/matching/input_matchers/ip/v3:pkg",
 "//envoy/extensions/network/socket_interface/v3:pkg",
 "//envoy/extensions/quic/crypto_stream/v3:pkg",
 "//envoy/extensions/quic/proof_source/v3:pkg",