From 011efe4bcbdf45b13e4c9697f5322daa8fd07d60 Mon Sep 17 00:00:00 2001
From: C24Be
Date: Thu, 26 Mar 2026 09:26:41 +0100
Subject: [PATCH] some fixes
---
 README.md | 14 ++++---
 blacklists/.keep_folder | 0
 blacklists_iptables/.keep_folder | 0
 blacklists_nftables/.keep_folder | 0
 blacklists_nginx/.keep_folder | 0
 blacklists_routes/.keep_folder | 0
 blacklists_updater_iptables.sh | 70 ++------------------------------
 blacklists_updater_nftables.sh | 21 ++++------
 blacklists_updater_nginx.sh | 4 +-
 blacklists_updater_txt.sh | 2 +
 10 files changed, 25 insertions(+), 86 deletions(-)
 delete mode 100644 blacklists/.keep_folder
 delete mode 100644 blacklists_iptables/.keep_folder
 delete mode 100644 blacklists_nftables/.keep_folder
 delete mode 100644 blacklists_nginx/.keep_folder
 delete mode 100644 blacklists_routes/.keep_folder
diff --git a/README.md b/README.md
index 37c3671..4787cc2 100644
--- a/README.md
+++ b/README.md
@@ -63,10 +63,8 @@ This repository contains Python scripts that allow you to retrieve network lists
 
 **nftables Format** (`blacklists_nftables/` folder):
 
-* `blacklist.nft`: nftables configuration for mixed IPv4/IPv6 (**daily generated**)
 * `blacklist-v4.nft`: nftables configuration for IPv4 only (**daily generated**)
 * `blacklist-v6.nft`: nftables configuration for IPv6 only (**daily generated**)
-* `blacklist-vk.nft`: nftables configuration for VK-only networks (**daily generated**)
 * `blacklist-vk-v4.nft`: nftables configuration for VK-only IPv4 networks (**daily generated**)
 * `blacklist-vk-v6.nft`: nftables configuration for VK-only IPv6 networks (**daily generated**)
 * `README.md`: Complete usage documentation for nftables integration
@@ -120,8 +118,10 @@ ip6tables -I INPUT -m set --match-set blacklist-v6 src -j DROP
 **For nftables:**
 ````bash
 # Download and load into nftables
-wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist.nft
-sudo nft -f blacklist.nft
+wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist-v4.nft
+wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist-v6.nft
+sudo nft -f blacklist-v4.nft
+sudo nft -f blacklist-v6.nft
 
 # Protect VM from incoming blacklist sources
 sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'
@@ -129,8 +129,10 @@ sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject
 sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject
 
 # VK-only outbound blocking for VPN clients via NAT/FORWARD
-wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist-vk.nft
-sudo nft -f blacklist-vk.nft
+wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist-vk-v4.nft
+wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist-vk-v6.nft
+sudo nft -f blacklist-vk-v4.nft
+sudo nft -f blacklist-vk-v6.nft
 sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }'
 sudo nft add rule inet filter forward iifname "" ip daddr @blacklist_v4 counter reject
 sudo nft add rule inet filter forward iifname "" ip6 daddr @blacklist_v6 counter reject
diff --git a/blacklists/.keep_folder b/blacklists/.keep_folder
deleted file mode 100644
index e69de29..0000000
diff --git a/blacklists_iptables/.keep_folder b/blacklists_iptables/.keep_folder
deleted file mode 100644
index e69de29..0000000
diff --git a/blacklists_nftables/.keep_folder b/blacklists_nftables/.keep_folder
deleted file mode 100644
index e69de29..0000000
diff --git a/blacklists_nginx/.keep_folder b/blacklists_nginx/.keep_folder
deleted file mode 100644
index e69de29..0000000
diff --git a/blacklists_routes/.keep_folder b/blacklists_routes/.keep_folder
deleted file mode 100644
index e69de29..0000000
diff --git a/blacklists_updater_iptables.sh b/blacklists_updater_iptables.sh
index 8260380..484ecd0 100755
--- a/blacklists_updater_iptables.sh
+++ b/blacklists_updater_iptables.sh
@@ -20,15 +20,13 @@ blacklist_vk_v6_file="${SCRIPT_DIR}/blacklists/blacklist-vk-v6.txt"
 
 # Output directory and files
 iptables_output_dir="${SCRIPT_DIR}/blacklists_iptables"
-iptables_output_file="${iptables_output_dir}/blacklist.ipset"
 iptables_v4_output_file="${iptables_output_dir}/blacklist-v4.ipset"
 iptables_v6_output_file="${iptables_output_dir}/blacklist-v6.ipset"
-iptables_vk_output_file="${iptables_output_dir}/blacklist-vk.ipset"
 iptables_vk_v4_output_file="${iptables_output_dir}/blacklist-vk-v4.ipset"
 iptables_vk_v6_output_file="${iptables_output_dir}/blacklist-vk-v6.ipset"
 
-# Create iptables directory if it doesn't exist
-mkdir -p "${iptables_output_dir}"
+# Create required directories if they don't exist
+mkdir -p "${iptables_output_dir}" "${SCRIPT_DIR}/blacklists"
 
 # Build additional VK-only blacklist from network names in auto/*.txt files
 tmp_vk_file="$(mktemp "${SCRIPT_DIR}/blacklists/.blacklist-vk.XXXXXX")"
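Review bot: The added `mkdir -p "${iptables_output_dir}" "${SCRIPT_DIR}/blacklists"` is unchecked, yet the very next line hands `${SCRIPT_DIR}/blacklists` to `mktemp`; if the directory cannot be created, `mktemp` fails and `tmp_vk_file` is assigned an empty string, so whatever later uses it (outside this hunk) works on an empty path — unless the script sets `set -e` above the hunk, which is not visible here. Failing fast keeps a broken run from publishing a partial blocklist: `mkdir -p "${iptables_output_dir}" "${SCRIPT_DIR}/blacklists" || { echo "cannot create output directories" >&2; exit 1; }`. The equivalent `mkdir -p` lines added in blacklists_updater_nftables.sh and blacklists_updater_nginx.sh are likewise unchecked and would benefit from the same guard.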
@@ -106,70 +104,10 @@ generate_ipset_config "${blacklist_v6_file}" "${iptables_v6_output_file}" "(IPv6 generate_ipset_config "${blacklist_vk_v4_file}" "${iptables_vk_v4_output_file}" "(VK names, IPv4 only)" "blacklist-vk-v4" "inet" generate_ipset_config "${blacklist_vk_v6_file}" "${iptables_vk_v6_output_file}" "(VK names, IPv6 only)" "blacklist-vk-v6" "inet6" -# For mixed file, we need to create two sets (IPv4 and IPv6) as ipset doesn't support mixed families -cat > "${iptables_output_file}" << EOF -# IPSet blacklist configuration (mixed IPv4/IPv6) -# Auto-generated from $(basename ${blacklist_file}) -# Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC") -# -# Usage: -# 1. Load the ipset: -# ipset restore < $(basename ${iptables_output_file}) -# -# 2. Use with iptables/ip6tables: -# iptables -I INPUT -m set --match-set blacklist-v4 src -m conntrack --ctstate NEW -j DROP -# iptables -I FORWARD -m set --match-set blacklist-v4 src -m conntrack --ctstate NEW -j DROP -# ip6tables -I INPUT -m set --match-set blacklist-v6 src -m conntrack --ctstate NEW -j DROP -# ip6tables -I FORWARD -m set --match-set blacklist-v6 src -m conntrack --ctstate NEW -j DROP -# -# 3. 
To flush/delete the sets: -# ipset flush blacklist-v4 && ipset destroy blacklist-v4 -# ipset flush blacklist-v6 && ipset destroy blacklist-v6 -# - -EOF - -# Append both IPv4 and IPv6 sets to the mixed file -tail -n +2 "${iptables_v4_output_file}" | grep -E "^(create|add)" >> "${iptables_output_file}" -echo "" >> "${iptables_output_file}" -tail -n +2 "${iptables_v6_output_file}" | grep -E "^(create|add)" >> "${iptables_output_file}" - -echo "✓ Generated (mixed IPv4/IPv6): ${iptables_output_file}" -echo " Total entries: $(wc -l < "${blacklist_file}" | tr -d ' ')" - -# Generate mixed VK-only ipset file (contains both v4 and v6 sets) -cat > "${iptables_vk_output_file}" << EOF -# IPSet blacklist configuration (VK names: VK Cloud / VKCOMPANY / VKONTAKTE) -# Auto-generated from name-filtered auto/*.txt sources -# Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC") -# -# Usage: -# 1. Load the ipset: -# ipset restore < $(basename "${iptables_vk_output_file}") -# -# 2. Use with iptables/ip6tables: -# iptables -I OUTPUT -m set --match-set blacklist-vk-v4 dst -j REJECT -# iptables -I FORWARD -m set --match-set blacklist-vk-v4 dst -j REJECT -# ip6tables -I OUTPUT -m set --match-set blacklist-vk-v6 dst -j REJECT -# ip6tables -I FORWARD -m set --match-set blacklist-vk-v6 dst -j REJECT -# -# 3. 
To flush/delete the sets:
-# ipset flush blacklist-vk-v4 && ipset destroy blacklist-vk-v4
-# ipset flush blacklist-vk-v6 && ipset destroy blacklist-vk-v6
-#
-
-EOF
-
-tail -n +2 "${iptables_vk_v4_output_file}" | grep -E "^(create|add)" >> "${iptables_vk_output_file}"
-echo "" >> "${iptables_vk_output_file}"
-tail -n +2 "${iptables_vk_v6_output_file}" | grep -E "^(create|add)" >> "${iptables_vk_output_file}"
-
-echo "✓ Generated (VK names, mixed IPv4/IPv6): ${iptables_vk_output_file}"
-echo " Total entries: $(wc -l < "${blacklist_vk_file}" | tr -d ' ')"
-
 echo ""
 echo "VK outgoing block examples (iptables/ipset):"
-echo " ipset restore < ${iptables_vk_output_file}"
+echo " ipset restore < ${iptables_vk_v4_output_file}"
+echo " ipset restore < ${iptables_vk_v6_output_file}"
 echo " iptables -I OUTPUT -m set --match-set blacklist-vk-v4 dst -j REJECT"
 echo " iptables -I FORWARD -m set --match-set blacklist-vk-v4 dst -j REJECT"
 echo " ip6tables -I OUTPUT -m set --match-set blacklist-vk-v6 dst -j REJECT"
diff --git a/blacklists_updater_nftables.sh b/blacklists_updater_nftables.sh
index 7e488ce..1b45929 100755
--- a/blacklists_updater_nftables.sh
+++ b/blacklists_updater_nftables.sh
@@ -18,8 +18,8 @@ VK_INPUT_FILE="$SCRIPT_DIR/blacklists/blacklist-vk.txt"
 VK_INPUT_V4_FILE="$SCRIPT_DIR/blacklists/blacklist-vk-v4.txt"
 VK_INPUT_V6_FILE="$SCRIPT_DIR/blacklists/blacklist-vk-v6.txt"
 
-# Create output directory if it doesn't exist
-mkdir -p "$OUTPUT_DIR"
+# Create required directories if they don't exist
+mkdir -p "$OUTPUT_DIR" "$SCRIPT_DIR/blacklists"
 
 echo "Generating nftables blacklists..."
 
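Review bot: Dropping the generation of `blacklist.ipset` and `blacklist-vk.ipset` leaves any copy of those files from an earlier run sitting in `${iptables_output_dir}` untouched, so a consumer that still runs `ipset restore` from the old name keeps loading an ageing list with no error to tell it so. The nftables script in this same commit covers that case with an explicit `rm -f "$OUTPUT_DIR/blacklist.nft" "$OUTPUT_DIR/blacklist-vk.nft"`; do the same here, e.g. `rm -f "${iptables_output_dir}/blacklist.ipset" "${iptables_output_dir}/blacklist-vk.ipset"` right after the remaining `generate_ipset_config` calls at the top of the hunk. Whether those files are ever committed or only produced by a scheduled run is not visible from the diff, so treat this as a cheap safety net either way.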
@@ -34,11 +34,6 @@ grep ':' "$VK_INPUT_FILE" | sort -u > "$VK_INPUT_V6_FILE" || true
 grep -v ':' "$VK_INPUT_FILE" | sort -u > "$VK_INPUT_V4_FILE" || true
 rm -f "$TMP_VK_FILE"
 
-# Generate mixed IPv4/IPv6 blacklist
-python3 "$SCRIPT_DIR/generate_nft_blacklist.py" \
- "$INPUT_FILE" \
- "$OUTPUT_DIR/blacklist.nft"
-
 # Generate IPv4-only blacklist
 TMP_V4_FILE="/tmp/blacklist-v4.txt"
 TMP_V6_FILE="/tmp/blacklist-v6.txt"
@@ -54,9 +49,6 @@ python3 "$SCRIPT_DIR/generate_nft_blacklist.py" \
 "$OUTPUT_DIR/blacklist-v6.nft"
 
 # Generate VK-only blacklists (network names: VK Cloud / VKCOMPANY / VKONTAKTE)
-python3 "$SCRIPT_DIR/generate_nft_blacklist.py" \
- "$VK_INPUT_FILE" \
- "$OUTPUT_DIR/blacklist-vk.nft"
 python3 "$SCRIPT_DIR/generate_nft_blacklist.py" \
 "$VK_INPUT_V4_FILE" \
 "$OUTPUT_DIR/blacklist-vk-v4.nft"
@@ -64,19 +56,24 @@ python3 "$SCRIPT_DIR/generate_nft_blacklist.py" \
 "$VK_INPUT_V6_FILE" \
 "$OUTPUT_DIR/blacklist-vk-v6.nft"
 
+# Remove deprecated mixed summary files if they exist
+rm -f "$OUTPUT_DIR/blacklist.nft" "$OUTPUT_DIR/blacklist-vk.nft"
+
 # Clean up temp files
 rm -f "$TMP_V4_FILE" "$TMP_V6_FILE"
 
 echo "nftables blacklists generated successfully!"
 echo ""
 echo "VM incoming block examples (all lists, nftables):"
-echo " sudo nft -f $OUTPUT_DIR/blacklist.nft"
+echo " sudo nft -f $OUTPUT_DIR/blacklist-v4.nft"
+echo " sudo nft -f $OUTPUT_DIR/blacklist-v6.nft"
 echo " sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'"
 echo " sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject"
 echo " sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject"
 echo ""
 echo "VK outbound block examples for VPN clients via NAT (nftables):"
-echo " sudo nft -f $OUTPUT_DIR/blacklist-vk.nft"
+echo " sudo nft -f $OUTPUT_DIR/blacklist-vk-v4.nft"
+echo " sudo nft -f $OUTPUT_DIR/blacklist-vk-v6.nft"
 echo " sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }'"
 echo " sudo nft add rule inet filter forward iifname \"\" ip daddr @blacklist_v4 counter reject"
 echo " sudo nft add rule inet filter forward iifname \"\" ip6 daddr @blacklist_v6 counter reject"
diff --git a/blacklists_updater_nginx.sh b/blacklists_updater_nginx.sh
index 3cab619..e0b0e7b 100755
--- a/blacklists_updater_nginx.sh
+++ b/blacklists_updater_nginx.sh
@@ -11,8 +11,8 @@ nginx_output_file="${nginx_output_dir}/blacklist.conf"
 nginx_v4_output_file="${nginx_output_dir}/blacklist-v4.conf"
 nginx_v6_output_file="${nginx_output_dir}/blacklist-v6.conf"
 
-# Create nginx directory if it doesn't exist
-mkdir -p "${nginx_output_dir}"
+# Create required directories if they don't exist
+mkdir -p "${nginx_output_dir}" "blacklists"
 
 # Function to generate nginx config from input file
 generate_nginx_config() {
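Review bot: The rewritten VK outbound example now loads `blacklist-vk-v4.nft` and `blacklist-vk-v6.nft`, but the three context lines printed right after it still match `@blacklist_v4` / `@blacklist_v6` — the same set names the incoming example uses for the main list. Unless generate_nft_blacklist.py writes the VK sets under those exact names (not visible here), anyone pasting this example will either reject traffic to the whole main list instead of the VK networks, or get a load error when the main list is absent; the README hunk in this commit carries the same example. Confirm the set names actually emitted into the VK files and, if they differ, point the two `forward` rule lines at those sets (e.g. `ip daddr @<vk-v4-set-name>` with the real name substituted).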
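Review bot: The added `mkdir -p "${nginx_output_dir}" "blacklists"` creates `blacklists` relative to the current working directory, whereas the iptables and nftables scripts changed in this commit create `${SCRIPT_DIR}/blacklists`; run from cron or any other directory, the directory lands in the wrong place and, presumably, the `.txt` inputs this script consumes are still expected next to the script — verify. Anchor it the same way as the siblings, `mkdir -p "${nginx_output_dir}" "${SCRIPT_DIR}/blacklists"`, provided `SCRIPT_DIR` is defined in this script as it is in the other two; if it is not, derive it first with `$(dirname "$0")`. `generate_nginx_config` begins on the last hunk line and continues outside the hunk.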
diff --git a/blacklists_updater_txt.sh b/blacklists_updater_txt.sh
index 5475a90..764c8c0 100755
--- a/blacklists_updater_txt.sh
+++ b/blacklists_updater_txt.sh
@@ -11,6 +11,8 @@ black_names="uvd|umvd|fgup|grchc|roskomnad|federalnaya sluzhba|ufsb|zonatelecom|
 # M100 - mail.ru
 white_names="ruvds"
 
+mkdir -p blacklists auto
+
 grep -iE "${black_names}" auto/all-ru-asn.txt | grep -viE "${white_names}" | awk '{ print "# AS-Name: " $0 "\n" $1}' > ${auto_black_ass}
 ./network_list_from_as.py ${auto_black_ass} > ${outfile_w_comments}
 ./network_list_from_netname.py lists/ru-gov-netnames.txt >> ${outfile_w_comments}
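Review bot: `mkdir -p blacklists auto` guarantees an `auto` directory but not the `auto/all-ru-asn.txt` the next line reads from it; when that file is missing the first `grep` fails inside the pipeline, `${auto_black_ass}` is written empty, and the two generators below produce an empty blocklist that the downstream updater scripts would go on to publish — a fail-open result for a blocklist. Add a guard right after the new `mkdir` so a missing or empty source aborts instead: `[ -s auto/all-ru-asn.txt ] || { echo "auto/all-ru-asn.txt missing or empty" >&2; exit 1; }`. Whether the script sets `set -o pipefail` above the hunk is not visible here, and even with it the empty-file case would still pass.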