pfBlockerNG: fix ipv6 regex to match prefix lengths > 99

[dairiki]

This fixes a regex used to match ipv6 addresses and networks.

The current regular expression used when cleaning ipv6 network prefixes during updates/reloads does not correctly recognize three-digit ipv6 prefix lengths.

I was using a blocklist ¹ that includes the network prefix 2602:80d:1003::/112.
As a result of this bug, that was being mangled to 2602:80d:1003::/11, which in turn resulted in the final pf table including the prefix 2600::/11 (thus erroneously blocking a large portion of the internet.)

The current regex uses (\/[0-9][0-9]?|1([01][0-9]|2[0-8]))? to match the prefix length.
This correctly matches a / followed by one or two digits, but the part of the regex meant to match three-digit prefix lengths doesn't work:

1. The leading slash is only attached to the first alternative. An extra set of parentheses is necessary to fix that.
2. The first matching alternative wins, so longer alternatives should be listed first.

This patch replaces (\/[0-9][0-9]?|1([01][0-9]|2[0-8]))? with (\/(1(2[0-8]|[01]\d)|[1-9]?\d))?.

Footnotes

1. The list in question is censys_scanning_ranges.txt, downloadable from Censys’ “Opt Out of Data Collection” page. ↩