pfBlockerNG: fix ipv6 regex to match prefix lengths > 99 #1372
This fixes a regex used to match ipv6 addresses and networks.

The current regular expression used when cleaning ipv6 network prefixes during updates/reloads does not correctly recognize three-digit ipv6 prefix lengths.

I was using a blocklist[^1] that includes the network prefix `2602:80d:1003::/112`. As a result of this bug, that was being mangled to `2602:80d:1003::/11`, which in turn resulted in the final pf table including the prefix `2600::/11` (thus erroneously blocking a large portion of the internet.)

The current regex uses `(\/[0-9][0-9]?|1([01][0-9]|2[0-8]))?` to match the prefix length. This correctly matches a `/` followed by one or two digits, but the part of the regex meant to match three-digit prefix lengths doesn't work:

This patch replaces `(\/[0-9][0-9]?|1([01][0-9]|2[0-8]))?` with `(\/(1(2[0-8]|[01]\d)|[1-9]?\d))?`.

Footnotes

[^1]: The list in question is `censys_scanning_ranges.txt`, downloadable from Censys’ “Opt Out of Data Collection” page.