some fixes

2026-03-29 21:58:59 +03:00 · 2026-03-26 09:33:42 +01:00
parent 75e044c01d
commit 1d0162e69f
7 changed files with 55 additions and 32 deletions
--- a/blacklists/blacklist-vk-v4.txt
+++ b/blacklists/blacklist-vk-v4.txt
@@ -49,7 +49,6 @@
 185.241.192.0/23
 185.241.194.0/23
 185.29.128.0/22
-185.29.130.0/24
 185.32.248.0/22
 185.32.248.0/23
 185.32.250.0/23
@@ -74,11 +73,6 @@
 195.211.20.0/22
 195.211.22.0/24
 195.211.23.0/24
-212.111.84.0/22
-212.233.120.0/22
-212.233.72.0/21
-212.233.88.0/21
-212.233.96.0/22
 213.219.212.0/22
 213.219.212.0/23
 213.219.214.0/23
@@ -212,7 +206,6 @@
 90.156.216.0/23
 90.156.218.0/23
 90.156.232.0/21
-91.219.224.0/22
 91.231.132.0/22
 91.237.76.0/24
 93.153.255.84/30
--- a/blacklists/blacklist-vk.txt
+++ b/blacklists/blacklist-vk.txt
@@ -49,7 +49,6 @@
 185.241.192.0/23
 185.241.194.0/23
 185.29.128.0/22
-185.29.130.0/24
 185.32.248.0/22
 185.32.248.0/23
 185.32.250.0/23
@@ -74,11 +73,6 @@
 195.211.20.0/22
 195.211.22.0/24
 195.211.23.0/24
-212.111.84.0/22
-212.233.120.0/22
-212.233.72.0/21
-212.233.88.0/21
-212.233.96.0/22
 213.219.212.0/22
 213.219.212.0/23
 213.219.214.0/23
@@ -213,7 +207,6 @@
 90.156.216.0/23
 90.156.218.0/23
 90.156.232.0/21
-91.219.224.0/22
 91.231.132.0/22
 91.237.76.0/24
 93.153.255.84/30
--- a/blacklists_nftables/blacklist-v4.nft
+++ b/blacklists_nftables/blacklist-v4.nft
@@ -1,7 +1,14 @@
 # Autogenerated nftables blacklist
-# Generated: 2026-03-26T08:29:31.547137Z
+# Generated: 2026-03-26T08:32:56.419478Z
 # Source: /tmp/blacklist-v4.txt
 # IPv4: 804, IPv6: 0
+#
+# Usage:
+#   sudo nft -f <this-file>
+#   # VM protection from incoming blacklist sources
+#   sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'
+#   sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject
+#   sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject

 table inet filter {

--- a/blacklists_nftables/blacklist-v6.nft
+++ b/blacklists_nftables/blacklist-v6.nft
@@ -1,7 +1,14 @@
 # Autogenerated nftables blacklist
-# Generated: 2026-03-26T08:29:31.582581Z
+# Generated: 2026-03-26T08:32:56.467121Z
 # Source: /tmp/blacklist-v6.txt
 # IPv4: 0, IPv6: 17
+#
+# Usage:
+#   sudo nft -f <this-file>
+#   # VM protection from incoming blacklist sources
+#   sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'
+#   sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject
+#   sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject

 table inet filter {

--- a/blacklists_nftables/blacklist-vk-v4.nft
+++ b/blacklists_nftables/blacklist-vk-v4.nft
@@ -1,7 +1,14 @@
 # Autogenerated nftables blacklist
-# Generated: 2026-03-26T08:29:31.614243Z
-# Source: /home/runner/work/AS_Network_List/AS_Network_List/blacklists/blacklist-vk-v4.txt
-# IPv4: 92, IPv6: 0
+# Generated: 2026-03-26T08:32:56.513020Z
+# Source: /Users/oleg/DocsOS/C24Be/AS_Network_List/blacklists/blacklist-vk-v4.txt
+# IPv4: 86, IPv6: 0
+#
+# Usage:
+#   sudo nft -f <this-file>
+#   # VK egress blocking for VPN clients via NAT/FORWARD
+#   sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }'
+#   sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip daddr @blacklist_v4 counter reject
+#   sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip6 daddr @blacklist_v6 counter reject

 table inet filter {

@@ -49,7 +56,6 @@ table inet filter {
            90.156.212.0/22,
            90.156.216.0/22,
            90.156.232.0/21,
-            91.219.224.0/22,
            91.231.132.0/22,
            91.237.76.0/24,
            93.153.255.84/30,
@@ -91,11 +97,6 @@ table inet filter {
            193.203.40.0/22,
            194.84.16.12/30,
            195.211.20.0/22,
-            212.111.84.0/22,
-            212.233.72.0/21,
-            212.233.88.0/21,
-            212.233.96.0/22,
-            212.233.120.0/22,
            213.219.212.0/22,
            217.16.16.0/20,
            217.20.144.0/20,
--- a/blacklists_nftables/blacklist-vk-v6.nft
+++ b/blacklists_nftables/blacklist-vk-v6.nft
@@ -1,7 +1,14 @@
 # Autogenerated nftables blacklist
-# Generated: 2026-03-26T08:29:31.643517Z
-# Source: /home/runner/work/AS_Network_List/AS_Network_List/blacklists/blacklist-vk-v6.txt
+# Generated: 2026-03-26T08:32:56.555261Z
+# Source: /Users/oleg/DocsOS/C24Be/AS_Network_List/blacklists/blacklist-vk-v6.txt
 # IPv4: 0, IPv6: 1
+#
+# Usage:
+#   sudo nft -f <this-file>
+#   # VK egress blocking for VPN clients via NAT/FORWARD
+#   sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }'
+#   sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip daddr @blacklist_v4 counter reject
+#   sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip6 daddr @blacklist_v6 counter reject

 table inet filter {

--- a/generate_nft_blacklist.py
+++ b/generate_nft_blacklist.py
@@ -13,7 +13,7 @@ Usage:
 import sys
 from ipaddress import ip_network, collapse_addresses
 from pathlib import Path
-from datetime import datetime
+from datetime import datetime, UTC

 def read_lines(path_or_dash):
    if path_or_dash == "-":
@@ -43,13 +43,26 @@ def aggregate_prefixes(lines):
    agg_v6 = list(collapse_addresses(sorted(v6, key=lambda x: (int(x.network_address), x.prefixlen))))
    return agg_v4, agg_v6, invalid

-def make_nft_config(agg_v4, agg_v6, comment=None):
+def make_nft_config(agg_v4, agg_v6, comment=None, usage_profile="vm_input"):
    lines = []
    lines.append("# Autogenerated nftables blacklist")
-    lines.append(f"# Generated: {datetime.utcnow().isoformat()}Z")
+    lines.append(f"# Generated: {datetime.now(UTC).isoformat().replace('+00:00', 'Z')}")
    if comment:
        lines.append(f"# {comment}")
    lines.append(f"# IPv4: {len(agg_v4)}, IPv6: {len(agg_v6)}")
+    lines.append("#")
+    lines.append("# Usage:")
+    lines.append("#   sudo nft -f <this-file>")
+    if usage_profile == "vk_forward":
+        lines.append("#   # VK egress blocking for VPN clients via NAT/FORWARD")
+        lines.append("#   sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }'")
+        lines.append("#   sudo nft add rule inet filter forward iifname \"<VPN_IFACE>\" ip daddr @blacklist_v4 counter reject")
+        lines.append("#   sudo nft add rule inet filter forward iifname \"<VPN_IFACE>\" ip6 daddr @blacklist_v6 counter reject")
+    else:
+        lines.append("#   # VM protection from incoming blacklist sources")
+        lines.append("#   sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'")
+        lines.append("#   sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject")
+        lines.append("#   sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject")
    lines.append("")
    lines.append("table inet filter {")
    lines.append("")
@@ -119,7 +132,8 @@ def main(argv):

    if not any(line.strip() and not line.strip().startswith("#") for line in lines):
        print("WARNING: input contains no prefixes (empty or only comments). Nothing to aggregate.")
-        nft_conf = make_nft_config([], [], comment="Empty input produced no prefixes")
+        profile = "vk_forward" if "vk" in Path(infile).name.lower() else "vm_input"
+        nft_conf = make_nft_config([], [], comment="Empty input produced no prefixes", usage_profile=profile)
        write_output(outfile, nft_conf)
        return 0

@@ -137,7 +151,8 @@ def main(argv):
    for n in agg_v6:
        print("  v6:", n)

-    nft_conf = make_nft_config(agg_v4, agg_v6, comment=f"Source: {infile}")
+    profile = "vk_forward" if "vk" in Path(infile).name.lower() else "vm_input"
+    nft_conf = make_nft_config(agg_v4, agg_v6, comment=f"Source: {infile}", usage_profile=profile)
    try:
        write_output(outfile, nft_conf)
    except Exception as e: