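#!/bin/bash
#
# Downloads Russian IP ranges and adds them to the nftables 'direct' set
# These IPs will be routed directly instead of through the DE proxy
#
# Run this script:
# - Once during initial setup
# - Periodically via cron (weekly) to keep ranges updated
#
# Data source: RIPE NCC delegated statistics
#
# Behaviour that matters for a routing policy set:
# - The existing 'direct' set is replaced only after the download has been
#   parsed and produced at least one range. A failed, truncated or empty
#   download therefore never empties the set (which would silently move all
#   Russian destinations onto the proxy path, or off it, depending on policy).
# - flush + add are submitted to nft as ONE transaction (nft -f), so the set
#   is never observed half-populated and a rejected batch leaves the previous
#   contents in place.
# - The download goes to a private mktemp file instead of a fixed /tmp path,
#   so another local user cannot pre-create or symlink the file this (root)
#   script writes and then reads.
# - Prefix lengths are computed with integer arithmetic. The old
#   "32 - l(count)/l(2)" via bc could round 3 to 2.999… (wrong prefix) and
#   could not represent counts that are not a power of two (e.g. 768) or
#   start addresses that are not aligned to the block size.
#
set -euo pipefail

readonly RIPE_URL="https://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-extended-latest"
readonly NFT_TABLE="ip vpn-routing"   # family + table, exactly as nft syntax expects
readonly NFT_SET="direct"             # assumed: ipv4_addr set with 'flags interval' — confirm in the table definition
readonly CURL_MAX_TIME=300            # seconds; a stalled mirror must not hang the cron job
readonly NFT_BATCH_SIZE=1000          # elements per 'add element' line in the nft script

tmp_file=""   # set by main(); removed by cleanup() on every exit path

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Remove the temporary download file, if one was created.
# Globals: tmp_file (read)
#######################################
cleanup() {
  if [[ -n "$tmp_file" ]]; then
    rm -f -- "$tmp_file"
  fi
}
trap cleanup EXIT

#######################################
# Emit the minimal list of CIDR blocks covering [start, start+count).
#
# RIPE counts are not always powers of two (768 = /23 + /24) and the start
# address is not always aligned to the block size, so one input range may
# produce several output lines. Pure integer arithmetic; no bc, no log2.
#
# Arguments: $1 - dotted-quad IPv4 start address
#            $2 - number of addresses (positive integer)
# Outputs:   one "a.b.c.d/prefix" per line on stdout
# Returns:   0 on success, 1 if the start address is not a valid IPv4
#######################################
range_to_cidrs() {
  local start=$1 count=$2
  local a b c d ip size prefix s

  [[ "$start" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  # 10# forces decimal: a leading-zero octet would otherwise be read as octal
  a=$(( 10#${BASH_REMATCH[1]} )) b=$(( 10#${BASH_REMATCH[2]} ))
  c=$(( 10#${BASH_REMATCH[3]} )) d=$(( 10#${BASH_REMATCH[4]} ))
  (( a <= 255 && b <= 255 && c <= 255 && d <= 255 )) || return 1
  ip=$(( (a << 24) | (b << 16) | (c << 8) | d ))

  while (( count > 0 )); do
    # Largest power-of-two block that both starts at ip (alignment) and
    # fits in the remaining count.
    size=1
    while (( size * 2 <= count && ip % (size * 2) == 0 )); do
      size=$(( size * 2 ))
    done
    # prefix = 32 - log2(size), by repeated halving
    prefix=32
    s=$size
    while (( s > 1 )); do
      s=$(( s / 2 ))
      prefix=$(( prefix - 1 ))
    done
    printf '%d.%d.%d.%d/%d\n' \
      $(( (ip >> 24) & 255 )) $(( (ip >> 16) & 255 )) \
      $(( (ip >> 8) & 255 )) $(( ip & 255 )) "$prefix"
    ip=$(( ip + size ))
    count=$(( count - size ))
  done
}

#######################################
# Extract Russian IPv4 allocations from a RIPE delegated-extended file.
# Line format: ripencc|RU|ipv4|start_ip|count|date|status[|opaque-id]
#
# Arguments: $1 - path to the downloaded file
# Outputs:   CIDR blocks, one per line, on stdout
# Returns:   non-zero (via die) if a matching line carries an invalid start
#######################################
parse_ru_ranges() {
  local file=$1
  local _registry cc type start count _rest

  # grep exits 1 when nothing matches; an empty result is handled by the
  # caller (it refuses to touch the set), so do not let -e/pipefail abort.
  while IFS='|' read -r _registry cc type start count _rest; do
    [[ "$cc" == "RU" && "$type" == "ipv4" ]] || continue
    [[ "$count" =~ ^[0-9]+$ ]] || continue
    range_to_cidrs "$start" "$count" \
      || die "invalid start address '$start' in RIPE data"
  done < <(grep -F -- '|RU|ipv4|' "$file" || true)
}

#######################################
# Download, parse, and atomically replace the contents of the nft set.
# Globals: RIPE_URL, NFT_TABLE, NFT_SET, CURL_MAX_TIME, NFT_BATCH_SIZE (read),
#          tmp_file (written)
#######################################
main() {
  local ranges range_count joined i
  local -a range_list chunk

  command -v curl >/dev/null || die "curl not found"
  command -v nft >/dev/null || die "nft not found"

  tmp_file=$(mktemp) || die "mktemp failed"

  echo "Downloading RIPE delegation data..."
  # -f: an HTTP error page must never be parsed as delegation data.
  # --proto '=https': refuse any non-TLS scheme for this URL.
  # -S: keep curl's own error text even though progress output is silenced.
  curl -sS -f --proto '=https' --max-time "$CURL_MAX_TIME" \
    -o "$tmp_file" -- "$RIPE_URL" \
    || die "download of $RIPE_URL failed"

  echo "Parsing Russian IP allocations..."
  ranges=$(parse_ru_ranges "$tmp_file") || die "parsing RIPE data failed"
  if [[ -z "$ranges" ]]; then
    die "no RU ipv4 ranges parsed — leaving existing '$NFT_SET' set untouched"
  fi
  mapfile -t range_list <<<"$ranges"
  range_count=${#range_list[@]}
  echo "Found $range_count Russian IP ranges"

  echo "Replacing contents of '$NFT_SET' set in one nft transaction..."
  # flush + add are committed together: if nft rejects the batch (e.g. the
  # set does not exist, or overlapping intervals on a set without
  # auto-merge) the previous contents stay in place and the script fails
  # loudly instead of leaving a partially filled set behind.
  {
    printf 'flush set %s %s\n' "$NFT_TABLE" "$NFT_SET"
    for (( i = 0; i < range_count; i += NFT_BATCH_SIZE )); do
      chunk=("${range_list[@]:i:NFT_BATCH_SIZE}")
      printf -v joined '%s,' "${chunk[@]}"
      printf 'add element %s %s { %s }\n' "$NFT_TABLE" "$NFT_SET" "${joined%,}"
    done
  } | nft -f - || die "nft rejected the new contents of set '$NFT_SET'"

  echo "Done. Set '$NFT_SET' populated with $range_count Russian IP ranges."
  echo ""
  echo "To verify: nft list set $NFT_TABLE $NFT_SET"
}

main "$@"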