From a0c6cea6fc7dce82579e967899cfcdc1c6401265 Mon Sep 17 00:00:00 2001
From: JackDoan <me@jackdoan.com>
Date: Fri, 17 Oct 2025 12:05:23 -0500
Subject: [PATCH] backport incompatible bart change (grr)

---
 firewall.go | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/firewall.go b/firewall.go
index 8a409d2..d976cfe 100644
--- a/firewall.go
+++ b/firewall.go
@@ -862,16 +862,13 @@ func (fr *FirewallRule) match(p firewall.Packet, c *cert.NebulaCertificate) bool
 		}
 	}
 
-	matched := false
-	prefix := netip.PrefixFrom(p.RemoteIP, p.RemoteIP.BitLen())
-	fr.CIDR.EachLookupPrefix(prefix, func(prefix netip.Prefix, val *firewallLocalCIDR) bool {
-		if prefix.Contains(p.RemoteIP) && val.match(p, c) {
-			matched = true
-			return false
+	for _, v := range fr.CIDR.Supernets(netip.PrefixFrom(p.RemoteIP, p.RemoteIP.BitLen())) {
+		if v.match(p, c) {
+			return true
 		}
-		return true
-	})
-	return matched
+	}
+
+	return false
 }
 
 func (flc *firewallLocalCIDR) addRule(f *Firewall, localIp netip.Prefix) error {