Validate Reject IP size

2025-12-14 10:10:34 +08:00 · 2025-06-22 18:27:17 +08:00 · 2025-06-22 18:27:17 +08:00 · 72d7831532
commit 72d7831532
parent f190da5c0e
2 changed files with 32 additions and 8 deletions
--- a/Build/build-reject-domainset.ts
+++ b/Build/build-reject-domainset.ts
@ -189,7 +189,13 @@ export const buildRejectDomainSet = task(require.main === module, __filename)(as
      span.traceChildAsync(
        'get botnet ips',
        () => fetchAssets(...BOTNET_FILTER, true, true)
-      ).then(arr => rejectIPOutput.bulkAddAnyCIDR(arr, false)),
+      ).then(arr => {
        if (arr.length > 2000) {
          throw new Error('Too many botnet ips, please check the source of BOTNET_FILTER');
        }
        return rejectIPOutput.bulkAddAnyCIDR(arr, false);
      }),
      span.traceChildAsync(
        'get bogus nxdomain ips',
        () => fetchAssets(...BOGUS_NXDOMAIN_DNSMASQ, true, false)
@ -197,18 +203,21 @@ export const buildRejectDomainSet = task(require.main === module, __filename)(as
            for (let i = 0, len = arr.length; i < len; i++) {
              const line = arr[i];
              if (line.startsWith('bogus-nxdomain=')) {
-                arr[i] = line.slice(15).trim();
+                // bogus nxdomain needs to be blocked even after resolved
                rejectIPOutput.addAnyCIDR(
                  line.slice(15).trim(),
                  false
                );
              }
            }
            return arr;
          })
-        // bogus nxdomain needs to be blocked even after resolved
+      )
      ).then(arr => rejectIPOutput.bulkAddAnyCIDR(arr, false))
    ].flat()));
  if (foundDebugDomain.value) {
-    // eslint-disable-next-line sukka/unicorn/no-process-exit -- cli App
+  // eslint-disable-next-line sukka/unicorn/no-process-exit -- cli App
    process.exit(1);
  }
@ -227,8 +236,8 @@ export const buildRejectDomainSet = task(require.main === module, __filename)(as
      rejectExtraDomainsetOutput.whitelistDomain(domain);
      rejectPhisingDomainsetOutput.whitelistDomain(domain);
-      // DON'T Whitelist reject non_ip ruleset, we are force blocking thingshere
+    // DON'T Whitelist reject non_ip ruleset, we are force blocking thingshere
-      // rejectNonIpRulesetOutput.whitelistDomain(domain);
+    // rejectNonIpRulesetOutput.whitelistDomain(domain);
    }
    // we use "whitelistKeyword" method, this will be used to create kwfilter internally
@ -267,7 +276,7 @@ export const buildRejectDomainSet = task(require.main === module, __filename)(as
  rejectOutputAdGuardHome.domainTrie = rejectDomainsetOutput.domainTrie;
  await rejectOutputAdGuardHome
-    // .addFromRuleset(readLocalMyRejectRulesetPromise)
+  // .addFromRuleset(readLocalMyRejectRulesetPromise)
    .addFromRuleset(readLocalRejectRulesetPromise)
    .addFromRuleset(readFileIntoProcessedArray(path.join(SOURCE_DIR, 'non_ip/reject-drop.conf')))
    .addFromRuleset(readFileIntoProcessedArray(path.join(SOURCE_DIR, 'non_ip/reject-no-drop.conf')))
--- a/Build/lib/rules/base.ts
+++ b/Build/lib/rules/base.ts
@ -250,6 +250,21 @@ export class FileOutput {
    return ip + '/128';
  };
  addAnyCIDR(cidr: string, noResolve = false) {
    const version = fastIpVersion(cidr);
    if (version === 0) return this;
    let list: Set<string>;
    if (version === 4) {
      list = noResolve ? this.ipcidrNoResolve : this.ipcidr;
    } else /* if (version === 6) */ {
      list = noResolve ? this.ipcidr6NoResolve : this.ipcidr6;
    }
    list.add(FileOutput.ipToCidr(cidr, version));
    return this;
  }
  bulkAddAnyCIDR(cidrs: string[], noResolve = false) {
    const list4 = noResolve ? this.ipcidrNoResolve : this.ipcidr;
    const list6 = noResolve ? this.ipcidr6NoResolve : this.ipcidr6;