Add NetFromRange and NetFromIntervalRange helpers

tacerus · tacerus · commit bdd9db0c47f3 · 2025-12-06T16:45:17.000+01:00
When retrieving set elements it can be desired to format the result in
the same way `nft` would, which is merging intervals to CIDR
representations. To make this easier, introduce helper functions which
allow for conversion of IP address ranges to CIDR networks.

Signed-off-by: Georg Pfuetzenreuter &lt;mail@georg-pfuetzenreuter.net&gt;
diff --git a/util.go b/util.go
@@ -16,7 +16,10 @@ package nftables
 
 import (
 	"encoding/binary"
+	"errors"
+	"fmt"
 	"net"
+	"net/netip"
 
 	"github.com/google/nftables/binaryutil"
 	"golang.org/x/sys/unix"
@@ -126,3 +129,64 @@ func NetInterval(cidr string) (net.IP, net.IP, error) {
 
 	return first, nextIP(last), nil
 }
+
+// cidrString returns an IPnet given a network address and CIDR mask
+func cidrString(address net.IP, cidr int) (*net.IPNet, error) {
+
+	// TODO: why is CIDR for IPv6 off by 1 in some cases?
+	if address.To4() == nil {
+		cidr = cidr + 1
+	}
+
+	_, out, err := net.ParseCIDR(fmt.Sprintf("%s/%d", address, cidr))
+	if err != nil {
+		return nil, err
+	}
+
+	return out, err
+}
+
+// NetFromRange returns a CIDR IP network given a start and end address
+func NetFromRange(first []byte, last []byte) (*net.IPNet, error) {
+	ip1 := net.IP(first)
+	ip2 := net.IP(last)
+
+	maxLen := 32
+	ip1parts := ip1.To4()
+
+	if ip1parts == nil && ip2.To4() != nil {
+		return nil, errors.New("Cannot mix IPv4 and IPv6.")
+	}
+
+	if ip1parts == nil {
+		maxLen = 128
+	}
+
+	for l := maxLen; l >= 0; l-- {
+		cidrmask := net.CIDRMask(l, maxLen)
+		ipmask := ip2.Mask(cidrmask)
+		ipnet := net.IPNet{
+			IP:   ipmask,
+			Mask: cidrmask,
+		}
+
+		if ipnet.Contains(ip1) {
+			return cidrString(ipmask, l)
+		}
+	}
+
+	return nil, errors.New("Failed to construct network from range.")
+}
+
+// NetFromNetInterval returns a CIDR IP network given a start and end address as found in intervals.
+// This is similar to NetFromRange, but subtracts one address from the end of the range.
+func NetFromIntervalRange(first []byte, last []byte) (out *net.IPNet, err error) {
+	ip2, ok := netip.AddrFromSlice(last)
+	if !ok {
+		return nil, errors.New("Failed to construct slice from network.")
+	}
+
+	previous := ip2.Prev()
+
+	return NetFromRange(first, previous.AsSlice())
+}
diff --git a/util_test.go b/util_test.go
@@ -201,3 +201,135 @@ func TestNetInterval(t *testing.T) {
 		})
 	}
 }
+
+func TestNetFromRange(t *testing.T) {
+	tests := []struct {
+		name    string
+		first   string
+		last    string
+		wantNet string
+		wantErr bool
+	}{
+		{
+			first:   "0.0.0.1",
+			last:    "255.255.255.254",
+			wantNet: "0.0.0.0/0",
+			wantErr: false,
+		},
+		{
+			first:   "192.168.4.0",
+			last:    "192.168.4.255",
+			wantNet: "192.168.4.0/24",
+			wantErr: false,
+		},
+		{
+			first:   "192.0.2.17",
+			last:    "192.0.2.30",
+			wantNet: "192.0.2.16/28",
+			wantErr: false,
+		},
+		{
+			first:   "2001:db8:100::",
+			last:    "2001:db8:100:ffff:ffff:ffff:ffff:ffff",
+			wantNet: "2001:db8:100::/48",
+			wantErr: false,
+		},
+		{
+			first:   "2001:db8:100::",
+			last:    "192.0.2.30",
+			wantNet: "",
+			wantErr: true,
+		},
+		{
+			first:   "192.0.2.30",
+			last:    "2001:db8:100::",
+			wantNet: "",
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.first+"-"+tt.last, func(t *testing.T) {
+			gotNet, err := NetFromRange(net.ParseIP(tt.first), net.ParseIP(tt.last))
+			if (err != nil) != tt.wantErr {
+				t.Errorf("NetFromRange() error = %v, wantErr = %v", err, tt.wantErr)
+			}
+
+			if tt.wantNet == "" {
+				return
+			}
+
+			_, wantNetParsed, err := net.ParseCIDR(tt.wantNet)
+			if err != nil {
+				t.Fatalf("NetFromRange() error parsing test network = %v", err)
+			}
+
+			if !reflect.DeepEqual(gotNet, wantNetParsed) {
+				t.Errorf("NetFromRange() gotNet = %+v, wantNet = %+v", gotNet, wantNetParsed)
+			}
+		})
+	}
+}
+
+func TestNetFromIntervalRange(t *testing.T) {
+	tests := []struct {
+		name    string
+		first   string
+		last    string
+		wantNet string
+		wantErr bool
+	}{
+		{
+			first:   "192.0.2.16",
+			last:    "192.0.2.32",
+			wantNet: "192.0.2.16/28",
+			wantErr: false,
+		},
+		{
+			first:   "2001:db8:101::",
+			last:    "2001:db8:100::1",
+			wantNet: "2001:db8:100::/48",
+			wantErr: false,
+		},
+		{
+			first:   "2a02:1748:f7df:9c81::",
+			last:    "2a02:1748:f7df:9c80::1",
+			wantNet: "2a02:1748:f7df:9c80::/64",
+			wantErr: false,
+		},
+		{
+			first:   "2001:db8:100::",
+			last:    "192.0.2.30",
+			wantNet: "",
+			wantErr: true,
+		},
+		{
+			first:   "192.0.2.30",
+			last:    "2001:db8:100::",
+			wantNet: "",
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.first+"-"+tt.last, func(t *testing.T) {
+			gotNet, err := NetFromIntervalRange(net.ParseIP(tt.first), net.ParseIP(tt.last))
+			if (err != nil) != tt.wantErr {
+				t.Errorf("NetFromIntervalRange() error = %v, wantErr = %v", err, tt.wantErr)
+			}
+
+			if tt.wantNet == "" {
+				return
+			}
+
+			_, wantNetParsed, err := net.ParseCIDR(tt.wantNet)
+			if err != nil {
+				t.Fatalf("NetFromIntervalRange() error parsing test network = %v", err)
+			}
+
+			if !reflect.DeepEqual(gotNet, wantNetParsed) {
+				t.Errorf("NetFromIntervalRange() gotNet = %+v, wantNet = %+v", gotNet, wantNetParsed)
+			}
+		})
+	}
+}
