diff --git a/blacklists/blacklist-vk-v4.txt b/blacklists/blacklist-vk-v4.txt
index f5dcbc3..8e5bafa 100644
--- a/blacklists/blacklist-vk-v4.txt
+++ b/blacklists/blacklist-vk-v4.txt
@@ -49,7 +49,6 @@
 185.241.192.0/23
 185.241.194.0/23
 185.29.128.0/22
-185.29.130.0/24
 185.32.248.0/22
 185.32.248.0/23
 185.32.250.0/23
@@ -74,11 +73,6 @@
 195.211.20.0/22
 195.211.22.0/24
 195.211.23.0/24
-212.111.84.0/22
-212.233.120.0/22
-212.233.72.0/21
-212.233.88.0/21
-212.233.96.0/22
 213.219.212.0/22
 213.219.212.0/23
 213.219.214.0/23
@@ -212,7 +206,6 @@
 90.156.216.0/23
 90.156.218.0/23
 90.156.232.0/21
-91.219.224.0/22
 91.231.132.0/22
 91.237.76.0/24
 93.153.255.84/30
diff --git a/blacklists/blacklist-vk.txt b/blacklists/blacklist-vk.txt
index 1e3ed71..914c9e4 100644
--- a/blacklists/blacklist-vk.txt
+++ b/blacklists/blacklist-vk.txt
@@ -49,7 +49,6 @@
 185.241.192.0/23
 185.241.194.0/23
 185.29.128.0/22
-185.29.130.0/24
 185.32.248.0/22
 185.32.248.0/23
 185.32.250.0/23
@@ -74,11 +73,6 @@
 195.211.20.0/22
 195.211.22.0/24
 195.211.23.0/24
-212.111.84.0/22
-212.233.120.0/22
-212.233.72.0/21
-212.233.88.0/21
-212.233.96.0/22
 213.219.212.0/22
 213.219.212.0/23
 213.219.214.0/23
@@ -213,7 +207,6 @@
 90.156.216.0/23
 90.156.218.0/23
 90.156.232.0/21
-91.219.224.0/22
 91.231.132.0/22
 91.237.76.0/24
 93.153.255.84/30
diff --git a/blacklists_nftables/blacklist-v4.nft b/blacklists_nftables/blacklist-v4.nft
index 0c1f772..b37ddef 100644
--- a/blacklists_nftables/blacklist-v4.nft
+++ b/blacklists_nftables/blacklist-v4.nft
@@ -1,7 +1,14 @@ # Autogenerated nftables blacklist -# Generated: 2026-03-26T08:29:31.547137Z +# Generated: 2026-03-26T08:32:56.419478Z # Source: /tmp/blacklist-v4.txt # IPv4: 804, IPv6: 0 +# +# Usage: +# sudo nft -f +# # VM protection from incoming blacklist sources +# sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }' +# sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject +# sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject table inet filter { diff --git a/blacklists_nftables/blacklist-v6.nft b/blacklists_nftables/blacklist-v6.nft index 6c39fc4..68d1c38 100644 --- a/blacklists_nftables/blacklist-v6.nft +++ b/blacklists_nftables/blacklist-v6.nft @@ -1,7 +1,14 @@ # Autogenerated nftables blacklist -# Generated: 2026-03-26T08:29:31.582581Z +# Generated: 2026-03-26T08:32:56.467121Z # Source: /tmp/blacklist-v6.txt # IPv4: 0, IPv6: 17 +# +# Usage: +# sudo nft -f +# # VM protection from incoming blacklist sources +# sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }' +# sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject +# sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject table inet filter { diff --git a/blacklists_nftables/blacklist-vk-v4.nft b/blacklists_nftables/blacklist-vk-v4.nft index 0a36f69..7eadbb7 100644 --- a/blacklists_nftables/blacklist-vk-v4.nft +++ b/blacklists_nftables/blacklist-vk-v4.nft 
@@ -1,7 +1,14 @@ # Autogenerated nftables blacklist -# Generated: 2026-03-26T08:29:31.614243Z -# Source: /home/runner/work/AS_Network_List/AS_Network_List/blacklists/blacklist-vk-v4.txt -# IPv4: 92, IPv6: 0 +# Generated: 2026-03-26T08:32:56.513020Z +# Source: /Users/oleg/DocsOS/C24Be/AS_Network_List/blacklists/blacklist-vk-v4.txt +# IPv4: 86, IPv6: 0 +# +# Usage: +# sudo nft -f +# # VK egress blocking for VPN clients via NAT/FORWARD +# sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }' +# sudo nft add rule inet filter forward iifname "" ip daddr @blacklist_v4 counter reject +# sudo nft add rule inet filter forward iifname "" ip6 daddr @blacklist_v6 counter reject table inet filter { @@ -49,7 +56,6 @@ table inet filter { 90.156.212.0/22, 90.156.216.0/22, 90.156.232.0/21, - 91.219.224.0/22, 91.231.132.0/22, 91.237.76.0/24, 93.153.255.84/30, @@ -91,11 +97,6 @@ table inet filter { 193.203.40.0/22, 194.84.16.12/30, 195.211.20.0/22, - 212.111.84.0/22, - 212.233.72.0/21, - 212.233.88.0/21, - 212.233.96.0/22, - 212.233.120.0/22, 213.219.212.0/22, 217.16.16.0/20, 217.20.144.0/20, diff --git a/blacklists_nftables/blacklist-vk-v6.nft b/blacklists_nftables/blacklist-vk-v6.nft index 2a2350e..b75c378 100644 --- a/blacklists_nftables/blacklist-vk-v6.nft +++ b/blacklists_nftables/blacklist-vk-v6.nft 
@@ -1,7 +1,14 @@ # Autogenerated nftables blacklist -# Generated: 2026-03-26T08:29:31.643517Z -# Source: /home/runner/work/AS_Network_List/AS_Network_List/blacklists/blacklist-vk-v6.txt +# Generated: 2026-03-26T08:32:56.555261Z +# Source: /Users/oleg/DocsOS/C24Be/AS_Network_List/blacklists/blacklist-vk-v6.txt # IPv4: 0, IPv6: 1 +# +# Usage: +# sudo nft -f +# # VK egress blocking for VPN clients via NAT/FORWARD +# sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }' +# sudo nft add rule inet filter forward iifname "" ip daddr @blacklist_v4 counter reject +# sudo nft add rule inet filter forward iifname "" ip6 daddr @blacklist_v6 counter reject table inet filter { diff --git a/generate_nft_blacklist.py b/generate_nft_blacklist.py index 01693c0..6b7d7f6 100755 --- a/generate_nft_blacklist.py +++ b/generate_nft_blacklist.py @@ -13,7 +13,7 @@ Usage: import sys from ipaddress import ip_network, collapse_addresses from pathlib import Path -from datetime import datetime +from datetime import datetime, UTC def read_lines(path_or_dash): if path_or_dash == "-": 
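Review bot: `from datetime import datetime, UTC` makes the whole script require Python 3.11 or newer, because `datetime.UTC` does not exist in earlier versions and the import fails at module load, before `main` runs. Unless the project already pins 3.11+, `from datetime import datetime, timezone` together with `datetime.now(timezone.utc)` at the call site in make_nft_config gives the same timezone-aware UTC timestamp on older interpreters. The only other line this hunk touches is context, so the change is otherwise fine.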
@@ -43,13 +43,26 @@ def aggregate_prefixes(lines): agg_v6 = list(collapse_addresses(sorted(v6, key=lambda x: (int(x.network_address), x.prefixlen)))) return agg_v4, agg_v6, invalid -def make_nft_config(agg_v4, agg_v6, comment=None): +def make_nft_config(agg_v4, agg_v6, comment=None, usage_profile="vm_input"): lines = [] lines.append("# Autogenerated nftables blacklist") - lines.append(f"# Generated: {datetime.utcnow().isoformat()}Z") + lines.append(f"# Generated: {datetime.now(UTC).isoformat().replace('+00:00', 'Z')}") if comment: lines.append(f"# {comment}") lines.append(f"# IPv4: {len(agg_v4)}, IPv6: {len(agg_v6)}") + lines.append("#") + lines.append("# Usage:") + lines.append("# sudo nft -f ") + if usage_profile == "vk_forward": + lines.append("# # VK egress blocking for VPN clients via NAT/FORWARD") + lines.append("# sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }'") + lines.append("# sudo nft add rule inet filter forward iifname \"\" ip daddr @blacklist_v4 counter reject") + lines.append("# sudo nft add rule inet filter forward iifname \"\" ip6 daddr @blacklist_v6 counter reject") + else: + lines.append("# # VM protection from incoming blacklist sources") + lines.append("# sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'") + lines.append("# sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject") + lines.append("# sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject") lines.append("") lines.append("table inet filter {") lines.append("") 
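Review bot: `usage_profile` is compared only against the literal `"vk_forward"`, so any other value, including a misspelling such as `"vk_fwd"`, silently falls into the `else` branch and emits the VM/input guidance instead of failing; a guard at the top of the function such as `if usage_profile not in ("vm_input", "vk_forward"): raise ValueError(f"unknown usage_profile: {usage_profile!r}")` would surface that. The new parameter is also undocumented; a docstring line such as `usage_profile: "vm_input" (default, rejects incoming sources on the input hook) or "vk_forward" (rejects forwarded destinations) - selects the usage comment written to the header` would help readers. As rendered here, the emitted usage text reads `# sudo nft -f ` with nothing after it and `iifname \"\"` with an empty interface name; if an angle-bracketed placeholder was intended there it appears to have been lost, possibly only in this rendering, which is worth confirming because `iifname ""` as written matches no interface. make_nft_config continues past the end of the hunk.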
@@ -119,7 +132,8 @@ def main(argv): if not any(line.strip() and not line.strip().startswith("#") for line in lines): print("WARNING: input contains no prefixes (empty or only comments). Nothing to aggregate.") - nft_conf = make_nft_config([], [], comment="Empty input produced no prefixes") + profile = "vk_forward" if "vk" in Path(infile).name.lower() else "vm_input" + nft_conf = make_nft_config([], [], comment="Empty input produced no prefixes", usage_profile=profile) write_output(outfile, nft_conf) return 0 @@ -137,7 +151,8 @@ def main(argv): for n in agg_v6: print(" v6:", n) - nft_conf = make_nft_config(agg_v4, agg_v6, comment=f"Source: {infile}") + profile = "vk_forward" if "vk" in Path(infile).name.lower() else "vm_input" + nft_conf = make_nft_config(agg_v4, agg_v6, comment=f"Source: {infile}", usage_profile=profile) try: write_output(outfile, nft_conf) except Exception as e:
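Review bot: The profile selection `profile = "vk_forward" if "vk" in Path(infile).name.lower() else "vm_input"` is duplicated verbatim in this hunk and in the next one (`@@ -137,7 +151,8 @@`), and a substring test on the file name is fragile: any input whose name happens to contain `vk` gets forward-chain guidance, while a renamed VK list silently gets input-chain guidance. Extract it once, e.g. `def usage_profile_for(infile): return "vk_forward" if "vk" in Path(infile).name.lower() else "vm_input"` with a comment naming the file-naming convention it relies on, or better accept an explicit profile option on the command line so the generated guidance does not depend on the file name. main begins and ends outside both hunks.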
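Review bot: `comment=f"Source: {infile}"` on the re-added make_nft_config call writes the full invocation path into the header of the generated file, and the regenerated `blacklist-vk-v4.nft` in this same commit now carries a path under a user's home directory where it previously carried the CI runner path. That discloses local directory layout in a published artifact and makes the output differ depending on where the script was run. `comment=f"Source: {Path(infile).name}"` keeps the provenance hint without the path. The switch from CI-generated to locally generated artifacts is itself worth stating in the commit message, since the other generated lists in this diff still show `/tmp/` sources.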