> On Aug 30, 2021, at 8:19 AM, Kassem Omega <[email protected]> wrote: > > snip... > > The use case: allowing all traffic to go through WireGuard except > specific ranges. > > Right now to do this I must use this long list of ranges to achieve this: > > AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, > 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, > 172.0.0.0/12, 172.16.0.0/24, 172.32.0.0/11, 172.64.0.0/10, > 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, > 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, > 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, > 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 8.8.8.8/32 > > However, if the DisallowedIPs option is available, I'd simply use: > > DisallowedIPs = 192.168.0.0/16, 10.0.0.0/8
For the IPv4-only case, there is a handy C based tool: iprange [1] For your example: Allow: 0.0.0.0/0 Disallow: 192.168.0.0/16, 10.0.0.0/8 $ cat allow.ipset 0.0.0.0/0 $ cat disallow.ipset 192.168.0.0/16 10.0.0.0/8 $ iprange allow.ipset --exclude-next disallow.ipset 0.0.0.0/5 8.0.0.0/7 11.0.0.0/8 12.0.0.0/6 16.0.0.0/4 32.0.0.0/3 64.0.0.0/2 128.0.0.0/2 192.0.0.0/9 192.128.0.0/11 192.160.0.0/13 192.169.0.0/16 192.170.0.0/15 192.172.0.0/14 192.176.0.0/12 192.192.0.0/10 193.0.0.0/8 194.0.0.0/7 196.0.0.0/6 200.0.0.0/5 208.0.0.0/4 224.0.0.0/3 The output is optimized and sorted. Lonnie [1] https://github.com/firehol/iprange
