firehol
diff --git a/‎README.md‎
Lines changed: 12 additions & 0 deletions b/‎README.md‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎docs/dns-resolution.md‎
Lines changed: 55 additions & 0 deletions b/‎docs/dns-resolution.md‎
Lines changed: 55 additions & 0 deletions
diff --git a/‎docs/input-formats.md‎
Lines changed: 133 additions & 0 deletions b/‎docs/input-formats.md‎
Lines changed: 133 additions & 0 deletions
diff --git a/‎docs/ipset-reduce.md‎
Lines changed: 129 additions & 0 deletions b/‎docs/ipset-reduce.md‎
Lines changed: 129 additions & 0 deletions
@@ -366,13 +366,25 @@ To skip the man page: `./configure --disable-man`
 | Directory | Contents |
 |-----------|----------|
 | `src/` | C sources and headers |
+| `docs/` | Detailed documentation |
 | `packaging/` | Spec template, ebuild, release tooling |
 | `tests.d/` | CLI regression tests |
 | `tests.build.d/` | Build and layout regressions |
 | `tests.sanitizers.d/` | Sanitizer CLI regressions |
 | `tests.tsan.d/` | TSAN regressions |
 | `tests.unit/` | Unit-style internal harnesses |
 
+## Documentation
+
+Detailed guides in the [`docs/`](docs/) directory:
+
+- [Input formats](docs/input-formats.md) — every accepted format, file lists, directories, binary
+- [Output formats](docs/output-formats.md) — CIDR, ranges, single IPs, binary, CSV, prefix/suffix
+- [Operations](docs/operations.md) — merge, intersect, exclude, diff, reduce, compare, count
+- [IPv6 support](docs/ipv6.md) — address family, normalization, cross-family rules
+- [DNS resolution](docs/dns-resolution.md) — threading, retry, configuration
+- [Optimizing ipsets for iptables](docs/ipset-reduce.md) — prefix reduction with examples
+
 ## Getting help
 
 ```bash
 
@@ -0,0 +1,55 @@
+# DNS resolution
+
+When input files contain hostnames (one per line), `iprange` resolves them in parallel using a thread pool.
+
+## Configuration
+
+| Option | Default | Meaning |
+|--------|---------|---------|
+| `--dns-threads N` | 5 | Maximum number of parallel DNS queries |
+| `--dns-silent` | off | Suppress all DNS error messages |
+| `--dns-progress` | off | Show a progress bar during resolution |
+
+## How it works
+
+1. As each input line is parsed, hostnames are queued for resolution.
+2. Worker threads pick requests from the queue and call `getaddrinfo()`.
+3. Resolved IPs are added to a reply queue.
+4. The main thread drains the reply queue periodically and after all requests finish.
+
+Threads are created on demand up to `--dns-threads`. If the queue grows faster than threads can process, new threads are spawned up to the limit.
+
+## Address family behavior
+
+| Mode | Records resolved | Normalization |
+|------|-----------------|---------------|
+| IPv4 (default / `-4`) | A records only | None |
+| IPv6 (`-6`) | AAAA and A records | A results mapped to `::ffff:x.x.x.x` |
+
+In IPv6 mode, a hostname that has both AAAA and A records will contribute all addresses — IPv6 addresses directly, IPv4 addresses as IPv4-mapped IPv6.
+
+## Retry and error handling
+
+- **Temporary failures** (`EAI_AGAIN`): retried up to 20 times with 1-second delays between retry cycles.
+- **Permanent failures** (`EAI_NONAME`, `EAI_FAIL`, etc.): logged to stderr and counted.
+- **System errors** (`EAI_SYSTEM`, `EAI_MEMORY`): logged to stderr.
+
+After all resolutions complete, if any hostname permanently failed, the entire load fails (returns error). Use `--dns-silent` to suppress the per-hostname error messages, but the load will still fail.
+
+## Hostname detection
+
+A line is treated as a hostname when:
+- It contains only hostname-valid characters (alphanumeric, dot, hyphen, underscore)
+- It does not look like a valid IP address or CIDR
+- It appears alone on the line (optionally followed by a comment)
+
+Lines that look like IPs but fail to parse are treated as errors, not hostnames. This prevents typos like `1.2.3.999` from triggering DNS resolution.
+
+Hostnames cannot appear as range endpoints. A line like `host1.example.com - host2.example.com` is invalid.
+
+## Performance notes
+
+- With the default 5 threads, `iprange` can resolve hundreds of hostnames per second.
+- For files with thousands of hostnames, increase `--dns-threads` (e.g., 50-100).
+- DNS results are added to the ipset as they arrive, so resolution overlaps with continued file parsing.
+- Each hostname resolution is independent — one slow or failing hostname does not block others.
@@ -0,0 +1,133 @@
+# Input formats
+
+`iprange` accepts one entry per line. All formats can coexist in the same file.
+
+## IPv4 (default mode)
+
+### Addresses and CIDRs
+
+| Format | Example | Expansion |
+|--------|---------|-----------|
+| Dotted decimal | `1.2.3.4` | Single IP |
+| CIDR prefix | `1.2.3.0/24` | 1.2.3.0 - 1.2.3.255 |
+| Dotted netmask | `1.2.3.0/255.255.255.0` | Same as /24 |
+| Abbreviated | `10.1` | `inet_aton()` expansion |
+| Decimal integer | `16909060` | 1.2.3.4 |
+| Octal | `012.0.0.1` | 10.0.0.1 (leading zero = octal) |
+| Hex | `0x0A000001` | 10.0.0.1 |
+
+IPv4 parsing uses `inet_aton()`, which accepts all the above forms. Be careful with leading zeros — `010.0.0.1` is octal 8.0.0.1, not decimal 10.0.0.1.
+
+By default, CIDRs are normalized to the network address: `1.1.1.17/24` is read as `1.1.1.0/24`. Use `--dont-fix-network` to disable this.
+
+The default prefix for bare IPs (no `/` suffix) is /32. Change with `--default-prefix N`.
+
+### Ranges
+
+| Format | Example | Meaning |
+|--------|---------|---------|
+| IP range | `1.2.3.0 - 1.2.3.255` | Explicit start-end |
+| CIDR range | `1.2.3.0/24 - 1.2.4.0/24` | Network of first to broadcast of second |
+| Mixed | `1.2.3.0/24 - 1.2.4.0/255.255.255.0` | CIDR and netmask can be mixed |
+
+The dash can have optional spaces around it.
+
+### Hostnames
+
+Hostnames (one per line) are resolved via parallel DNS queries. In IPv4 mode, only A records are resolved. If a hostname resolves to multiple IPs, all are added.
+
+See [DNS resolution](dns-resolution.md) for threading and configuration.
+
+## IPv6 (`-6` mode)
+
+### Addresses and CIDRs
+
+| Format | Example | Notes |
+|--------|---------|-------|
+| Full notation | `2001:0db8:0000:0000:0000:0000:0000:0001` | |
+| Compressed | `2001:db8::1` | Standard `::` compression |
+| Loopback | `::1` | |
+| CIDR | `2001:db8::/32` | Prefix 0-128 |
+| IPv4-mapped | `::ffff:10.0.0.1` | |
+| Plain IPv4 | `10.0.0.1` | Auto-normalized to `::ffff:10.0.0.1` |
+
+IPv6 parsing uses `inet_pton(AF_INET6)`.
+
+### Ranges
+
+IPv6 ranges use the same `addr1 - addr2` syntax. Both endpoints must be the same address family — a range like `10.0.0.1 - 2001:db8::1` is rejected as a mixed-family error.
+
+### Hostnames
+
+In IPv6 mode, hostnames are resolved for both AAAA and A records. A-record results are normalized to IPv4-mapped IPv6 (`::ffff:x.x.x.x`).
+
+## Comments and whitespace
+
+- `#` or `;` at the start of a line marks it as a comment.
+- `#` or `;` after an IP/range/hostname starts an inline comment (rest of line ignored).
+- Empty lines and leading/trailing whitespace are silently skipped.
+
+## File inputs
+
+### Regular files
+
+```bash
+iprange file1.txt file2.txt file3.txt
+```
+
+Each file argument is loaded as a separate ipset. For modes like `--compare`, each file appears as a separate column in the output.
+
+### stdin
+
+```bash
+cat blocklist.txt | iprange -
+# or just:
+cat blocklist.txt | iprange
+```
+
+If no file arguments are given, stdin is assumed. Explicit `-` reads stdin.
+
+### File lists (`@filename`)
+
+```bash
+iprange @my-lists.txt
+```
+
+The file `my-lists.txt` contains one filename per line. Comments (`#`, `;`) and empty lines are ignored. Each listed file is loaded as a separate ipset.
+
+```
+# my-lists.txt
+/path/to/blocklist-a.txt
+/path/to/blocklist-b.txt
+# /path/to/disabled.txt
+```
+
+Feature detection: `iprange --has-filelist-loading` exits 0 if supported.
+
+### Directory loading (`@directory`)
+
+```bash
+iprange @/etc/firehol/ipsets/
+```
+
+All regular files in the directory are loaded (sorted alphabetically), each as a separate ipset. Subdirectories are not traversed.
+
+Feature detection: `iprange --has-directory-loading` exits 0 if supported.
+
+### Naming for CSV output
+
+Any file argument can be followed by `as NAME` to override its name in CSV output:
+
+```bash
+iprange --compare --header file1.txt as "Blocklist A" file2.txt as "Blocklist B"
+```
+
+## Binary input
+
+Binary files (produced by `--print-binary`) are auto-detected by their header line:
+- IPv4 binary: format v1.0
+- IPv6 binary: format v2.0
+
+Loading a binary file of the wrong family is an error. In IPv4 mode, an IPv6 binary file is rejected. In IPv6 mode, an IPv4 binary file is rejected.
+
+Binary files are architecture-specific (no endianness conversion). They are intended as a same-machine cache, not a portable interchange format.
@@ -0,0 +1,129 @@
+# Optimizing ipsets for iptables
+
+netfilter/iptables `hash:net` ipsets (netsets) are a fast way to manage IP lists for firewall rules. The number of entries in an ipset does not affect lookup performance. However, each **distinct prefix length** in the netset adds one extra lookup per packet. A netset using all 32 possible IPv4 prefixes forces 32 lookups per packet.
+
+`iprange --ipset-reduce` consolidates prefixes while keeping the matched IP set identical. For example, one /23 entry becomes two /24 entries — same IPs, one fewer prefix.
+
+## Parameters
+
+| Option | Default | Purpose |
+|--------|---------|---------|
+| `--ipset-reduce PERCENT` | 20 | Allow this % increase in entries |
+| `--ipset-reduce-entries ENTRIES` | 16384 | Minimum absolute entry cap |
+
+You enable reduce mode by giving either option. The maximum acceptable entries is computed as:
+
+```
+max(current_entries * (1 + PERCENT / 100), ENTRIES)
+```
+
+This design works well across all netset sizes:
+- Small netsets (hundreds of entries) are scaled up to ENTRIES
+- Large netsets (hundreds of thousands) are scaled by PERCENT
+
+## Algorithm
+
+The algorithm is optimal: at each step it finds the prefix whose elimination adds the fewest new entries, merges it into the next available prefix, and repeats until the entry limit is reached. Use `-v` to see the elimination steps.
+
+## Example: country netset
+
+The GeoLite2 netset for Greece:
+
+```bash
+$ iprange -C --header country_gr.netset
+entries,unique_ips
+406,6304132
+```
+
+406 entries, 6.3 million unique IPs. The prefix breakdown (`-v`):
+
+```
+prefix /13 counts 1 entries
+prefix /14 counts 3 entries
+prefix /15 counts 7 entries
+prefix /16 counts 42 entries
+prefix /17 counts 19 entries
+prefix /18 counts 17 entries
+prefix /19 counts 21 entries
+prefix /20 counts 21 entries
+prefix /21 counts 30 entries
+prefix /22 counts 50 entries
+prefix /23 counts 50 entries
+prefix /24 counts 98 entries
+prefix /25 counts 4 entries
+prefix /27 counts 2 entries
+prefix /28 counts 7 entries
+prefix /29 counts 25 entries
+prefix /31 counts 3 entries
+prefix /32 counts 6 entries
+```
+
+**18 distinct prefixes** = 18 lookups per packet.
+
+After reduction with 20% entry increase:
+
+```bash
+$ iprange -v --ipset-reduce 20 country_gr.netset >/dev/null
+Eliminated 15 out of 18 prefixes (3 remain in the final set).
+
+prefix /21 counts 3028 entries
+prefix /24 counts 398 entries
+prefix /32 counts 900 entries
+```
+
+**3 prefixes, 4,326 entries** — same 6.3 million unique IPs. The kernel now does 3 lookups instead of 18.
+
+With a higher entry cap:
+
+```bash
+$ iprange -v --ipset-reduce 20 --ipset-reduce-entries 50000 country_gr.netset >/dev/null
+Eliminated 16 out of 18 prefixes (2 remain in the final set).
+
+prefix /24 counts 24622 entries
+prefix /32 counts 900 entries
+```
+
+**2 prefixes, 25,522 entries** — one more prefix eliminated thanks to the higher entry budget.
+
+## Example: large blocklist
+
+A large blocklist (218,307 entries, 25 prefixes, 765 million IPs):
+
+```bash
+$ iprange -v --ipset-reduce 20 --ipset-reduce-entries 50000 \
+    ib_bluetack_level1.netset >/dev/null
+Eliminated 17 out of 25 prefixes (8 remain in the final set).
+
+prefix /16 counts 11118 entries
+prefix /20 counts 5216 entries
+prefix /24 counts 46718 entries
+prefix /26 counts 17902 entries
+prefix /27 counts 18123 entries
+prefix /28 counts 32637 entries
+prefix /29 counts 94802 entries
+prefix /32 counts 33570 entries
+```
+
+From 25 prefixes to 8, entries from 218,307 to 260,086. At 50%: 6 prefixes. At 100%: 5 prefixes.
+
+## Lossless round-trip
+
+The reduction is lossless. Piping reduced output back through `iprange` reproduces the original optimized set:
+
+```bash
+iprange --ipset-reduce 100 blocklist.txt | iprange -v >/dev/null
+# output is identical to: iprange -v blocklist.txt >/dev/null
+```
+
+## Typical usage
+
+```bash
+# Moderate reduction (good default)
+iprange --ipset-reduce 20 blocklist.txt > reduced.txt
+
+# Aggressive reduction for small lists
+iprange --ipset-reduce 20 --ipset-reduce-entries 50000 country.netset > reduced.txt
+
+# Generate ipset restore commands from reduced set
+iprange --ipset-reduce 20 --print-prefix "add myset " blocklist.txt
+```