Updates

app/models/network_range.rb

@@ -392,13 +392,52 @@ class NetworkRange < ApplicationRecord
   end
 
   def blocking_rules
-    rules.where(action: 'deny', enabled: true)
+    rules.where(waf_action: :deny, enabled: true)
   end
 
   def active_rules
     rules.enabled.where("expires_at IS NULL OR expires_at > ?", Time.current)
   end
 
+  # Find all network ranges that are contained by this network and have enabled rules
+  # Used when creating a supernet rule to identify redundant child rules
+  def child_network_ranges_with_rules
+    NetworkRange
+      .where("network << ?::inet", network.to_s)  # network is strictly contained by this network
+      .joins(:rules)
+      .where(rules: { enabled: true })
+      .distinct
+  end
+
+  # Find all enabled rules on child network ranges (more specific networks)
+  # Used after creating a rule to expire redundant child rules
+  def child_rules
+    Rule
+      .joins(:network_range)
+      .where("network_ranges.network << ?::inet", cidr)
+      .where(enabled: true)
+  end
+
+  # Find all network ranges that contain this network and have enabled rules
+  # Used to check if creating a rule would be redundant
+  def parent_network_ranges_with_rules
+    NetworkRange
+      .where("?::inet << network", cidr)  # this network is strictly contained by parent
+      .joins(:rules)
+      .where(rules: { enabled: true })
+      .distinct
+  end
+
+  # Find all enabled rules on parent network ranges (less specific networks)
+  # Used before creating a rule to check if it would be redundant
+  def supernet_rules
+    Rule
+      .joins(:network_range)
+      .where("?::inet << network_ranges.network", cidr)
+      .where(enabled: true)
+      .order("masklen(network_ranges.network) DESC")  # Most specific supernet first
+  end
+
   # Check if this network range needs WAF policy evaluation
   # Returns true if:
   # - Never been evaluated, OR