From 45ce88426426145e6a589827cb671025885c8455 Mon Sep 17 00:00:00 2001
From: Daniel Brahneborg
Date: Sun, 7 Dec 2025 11:38:10 +0100
Subject: [PATCH] merge again if any new ranges were added

---
 src/autofw.c | 44 +++++++++++++++++++++++++++++++++-----------
 1 file changed, 33 insertions(+), 11 deletions(-)

diff --git a/src/autofw.c b/src/autofw.c
index e3e54bc..d3f1d5e 100644
--- a/src/autofw.c
+++ b/src/autofw.c
@@ -21,6 +21,7 @@ fclose_ptr(FILE** p)
 typedef struct {
 bool obsolete;
+ bool is_new;
 uint32_t ip;
 uint8_t width;
 } iprange_t;
@@ -111,7 +112,7 @@ iprange_cmp(const void* a, const void* b)
 return 0;
 }
-static void
+static bool
 iprange_join(iprange_t* prev, iprange_t* curr)
 {
 uint32_t const prev_mask = ~0U << (32 - prev->width);
@@ -122,7 +123,7 @@ iprange_join(iprange_t* prev, iprange_t* curr)
 #endif
 if ((prev->ip & prev_mask) == (curr->ip & prev_mask)) {
 curr->obsolete = true;
- return;
+ return false;
 }
 int min_width = prev->width < curr->width ? prev->width : curr->width;
 if (min_width < 8)
@@ -131,14 +132,14 @@ iprange_join(iprange_t* prev, iprange_t* curr)
 // printf("widths: min %d max %d\n", min_width, max_width);
 if (max_width - min_width > 8) {
 // printf("width difference %d, too much\n", max_width - min_width);
- return;
+ return false;
 }
 int new_width = max_width;
 uint32_t new_mask = 0;
 for (;;) {
 if ((new_width <= 8) || (max_width - new_width > 8)) {
 // printf("nothing in common with at least 8 bits\n");
- return;
+ return false;
 }
 new_width = new_width - 1;
 new_mask = ~0U << (32 - new_width);
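Review bot: The new is_new field is only ever assigned on the range synthesised in iprange_join (`range->is_new = true;`), so every range that iprange_load reads from the list files depends on iprange_create initialising it; iprange_create is not in this diff, and if it allocates with malloc and assigns only ip and width, is_new is indeterminate for loaded ranges and the `!range->obsolete || range->is_new` and `range->obsolete || !range->is_new` filters in main would act on garbage. Worth confirming that iprange_create uses calloc or sets the field explicitly. A comment on the field would also make the contract visible: `bool is_new; // set only for ranges synthesised by iprange_join, never for loaded ones`.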
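Review bot: The change of iprange_join's return type to bool is undocumented, and what true means is only discoverable from the last lines of the function in a later hunk. A comment above `static bool` would save the reader that trip: `// Returns true when prev and curr were replaced by a new, wider range appended to new_ranges; false when curr was merely marked obsolete or no join was possible.` The body of iprange_join continues past this hunk.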
@@ -152,14 +153,24 @@ iprange_join(iprange_t* prev, iprange_t* curr)
 break;
 if (!(new_width & 7)) {
 // printf("too far apart, giving up\n");
- return;
+ return false;
 }
 }
 uint32_t const new_ip = prev->ip & new_mask;
+#if 0
+ printf("adding new range %d.%d.%d.%d/%d\n",
+ new_ip >> 24,
+ (new_ip >> 16) & 0xff,
+ (new_ip >> 8) & 0xff,
+ (new_ip >> 0) & 0xff,
+ new_width);
+#endif
 iprange_t* const range = iprange_create(new_ip, new_width);
+ range->is_new = true;
 pbuf_append(&new_ranges, range);
 prev->obsolete = true;
 curr->obsolete = true;
+ return true;
 }
 static void
@@ -167,6 +178,8 @@ ipranges_merge(void)
 {
 iprange_t* prev = NULL;
 iprange_t* curr;
+ bool added_something = false;
+ pbuf_sort(&black_ranges, iprange_cmp);
 PBUF_FOREACH(curr, &black_ranges)
 if (!prev) {
 prev = curr;
@@ -185,10 +198,16 @@ ipranges_merge(void)
 (curr->ip >> 0) & 0xff,
 curr->width);
 #endif
- iprange_join(prev, curr);
+ if (iprange_join(prev, curr))
+ added_something = true;
 if (!curr->obsolete)
 prev = curr;
 PBUF_FOREACH_END
+ if (!added_something)
+ return;
+ pbuf_appendall(&black_ranges, &new_ranges);
+ pbuf_clear(&new_ranges);
+ ipranges_merge();
 }
 static void
@@ -271,7 +290,7 @@ main(int argc, const char* argv[])
 {
 pbuf_init(&black_ranges, 4, 0, NULL);
 pbuf_init(&white_ranges, 4, 0, NULL);
- pbuf_init(&new_ranges, 4, 0, NULL);
+ pbuf_init(&new_ranges, 4, 0, PBUF_NONE);
 pbuf_init(&new_b_ranges, 4, 0, NULL);
 iprange_load("autofw.whitelist", true);
@@ -280,7 +299,6 @@ main(int argc, const char* argv[])
 (void) argc;
 (void) argv;
- pbuf_sort(&black_ranges, iprange_cmp);
 ipranges_merge();
 ipranges_find_b_blocks();
@@ -288,7 +306,7 @@ main(int argc, const char* argv[])
 iprange_t* range;
 PBUF_FOREACH(range, &black_ranges)
- if (!range->obsolete)
+ if (!range->obsolete || range->is_new)
 continue;
 printf("yes | ufw delete deny from %d.%d.%d.%d/%d\n",
 range->ip >> 24,
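Review bot: The new line `range->is_new = true;` dereferences the result of iprange_create without a check; iprange_create is not in this diff, so if it can return NULL on allocation failure this is a new null dereference on top of the existing unchecked `pbuf_append(&new_ranges, range);`. If it aborts internally instead, a one-line comment saying so, `// iprange_create never returns NULL (aborts on OOM)`, would settle the question for the next reader. The compiled-out printf added above also hands uint32_t shift results to `%d`, as the file's existing debug blocks do; `%u` would match if the block is ever enabled.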
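Review bot: The trailing `ipranges_merge();` makes the merge pass recursive, so the call depth is bounded only by the number of passes needed, which in turn depends on the size and shape of the loaded blacklist; a do/while loop expresses the same "repeat until nothing was added" without growing the stack and without the early `return` splitting the post-loop steps from the loop. The `pbuf_appendall`/`pbuf_clear` pair also transfers ownership of the merged ranges to black_ranges and relies on new_ranges having been initialised with PBUF_NONE in main so that the clear does not free them — that dependency is worth a comment at the clear. The function's opening brace is in the previous hunk; the rewritten shape below covers both hunks.
```c
static void
ipranges_merge(void)
{
    bool added_something;
    do {
        iprange_t* prev = NULL;
        iprange_t* curr;
        added_something = false;
        pbuf_sort(&black_ranges, iprange_cmp);
        // … unchanged: PBUF_FOREACH join loop …
        if (added_something) {
            // Merged ranges move into black_ranges; new_ranges was set up with
            // PBUF_NONE in main, so clearing it must not free them (confirm against pbuf).
            pbuf_appendall(&black_ranges, &new_ranges);
            pbuf_clear(&new_ranges);
        }
    } while (added_something);
}
```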
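Review bot: new_ranges now gets PBUF_NONE where its three siblings get NULL, with nothing saying why the two differ; the reason appears to be the `pbuf_appendall(&black_ranges, &new_ranges); pbuf_clear(&new_ranges);` sequence in ipranges_merge, where the elements change owner and the clear must not release them. Presumably PBUF_NONE selects no per-element destructor — that is inferred, not visible here — so a comment on this line would pin it: `// no element destructor: ipranges_merge moves the elements into black_ranges and then clears this buffer`.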
@@ -298,7 +316,11 @@ main(int argc, const char* argv[])
 range->width);
 PBUF_FOREACH_END
- PBUF_FOREACH(range, &new_ranges)
+ bool something_new = false;
+ PBUF_FOREACH(range, &black_ranges)
+ if (range->obsolete || !range->is_new)
+ continue;
+ something_new = true;
 printf("ufw insert 1 deny from %d.%d.%d.%d/%d\n",
 range->ip >> 24,
 (range->ip >> 16) & 0xff,
@@ -316,7 +338,7 @@ main(int argc, const char* argv[])
 range->width);
 PBUF_FOREACH_END
- if (pbuf_size(&new_ranges) > 0) {
+ if (something_new) {
 PBUF_FOREACH(range, &white_ranges)
 printf("yes | ufw delete allow from %d.%d.%d.%d/%d\n",
 range->ip >> 24,
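Review bot: The switch from iterating new_ranges to filtering black_ranges on `range->obsolete || !range->is_new` is correct only because ipranges_merge now moves every synthesised range into black_ranges and a synthesised range that was itself merged away in a later pass was never applied to the firewall, so it needs neither a delete nor an insert; none of that is stated at the loop, and the matching `!range->obsolete || range->is_new` filter in the delete loop above carries the other half of the same invariant. A comment before `bool something_new = false;` would tie the two loops together: `// Synthesised ranges live in black_ranges after merging; only those still live (not re-merged) are inserted, and those re-merged are neither inserted nor deleted since ufw never saw them.` The enclosing main() starts and ends outside this hunk.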