Fetch CF ranges concurrently and prevent writes

Use tokio::join to fetch IPv4 and IPv6 Cloudflare ranges in parallel.
When range fetch fails, avoid performing updates that could write
Cloudflare addresses by clearing detected/filtered IP lists and emitting
warnings. Add unit tests to validate parsing and boundary checks for the
current Cloudflare ranges. Bump crate version to 2.0.6.
Fetch Cloudflare ranges concurrently; avoid writes

Skip updates (clear detected IPs) if Cloudflare ranges can't be
retrieved to avoid writing Cloudflare anycast addresses.
Default REJECT_CLOUDFLARE_IPS=true, update README, add comprehensive
CF-range tests, and bump crate version
Fetch CF ranges concurrently and avoid updates

Enable rejecting Cloudflare IPs by default and skip any updates
if the published ranges cannot be fetched to avoid writing Cloudflare
anycast addresses. Fetch IPv4 and IPv6 ranges concurrently, add
parsing/matching tests, and update README and version.
Timothy Miller
2026-03-19 18:56:11 -04:00
parent f8d5b5cb7e
commit 83dd454c42
6 changed files with 158 additions and 19 deletions


@@ -101,11 +101,12 @@ pub async fn update_once(
)));
}
}
} else {
} else if !detected_ips.is_empty() {
ppfmt.warningf(
pp::EMOJI_WARNING,
"Could not fetch Cloudflare IP ranges; skipping filter",
"Could not fetch Cloudflare IP ranges; skipping update to avoid writing Cloudflare IPs",
);
detected_ips.clear();
}
}
@@ -298,6 +299,7 @@ async fn update_legacy(config: &AppConfig, ppfmt: &PP) -> bool {
// Filter out Cloudflare IPs if enabled
if config.reject_cloudflare_ips {
let before_count = ips.len();
if let Some(cf_filter) =
CloudflareIpFilter::fetch(&detection_client, config.detection_timeout, ppfmt).await
{
@@ -316,11 +318,18 @@ async fn update_legacy(config: &AppConfig, ppfmt: &PP) -> bool {
}
true
});
} else {
if ips.is_empty() && before_count > 0 {
ppfmt.warningf(
pp::EMOJI_WARNING,
"All detected addresses were Cloudflare IPs; skipping updates",
);
}
} else if !ips.is_empty() {
ppfmt.warningf(
pp::EMOJI_WARNING,
"Could not fetch Cloudflare IP ranges; skipping filter",
"Could not fetch Cloudflare IP ranges; skipping update to avoid writing Cloudflare IPs",
);
ips.clear();
}
}
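Review bot: The fail-closed path signals "skip this run" only by emptying the list (`detected_ips.clear();` in update_once, `ips.clear();` in update_legacy), which makes a failed range fetch indistinguishable from detection finding no address at all. The code that consumes these lists is outside the shown hunks, so it should be confirmed that an empty list is a strict no-op there and is never read as "no current address, remove the managed records"; otherwise an outage of the ranges endpoint would turn into record deletion rather than a skipped update. An explicit early exit or a separate skip flag would make the intent unambiguous. A comment such as `// Fail closed: without the published ranges a detected address cannot be told apart from a Cloudflare one` above each `clear()` would also record why the update is dropped. Both functions begin and end outside the hunks.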