some fixes

C24Be
2026-03-26 09:33:42 +01:00
parent 75e044c01d
commit 1d0162e69f
7 changed files with 55 additions and 32 deletions


@@ -13,7 +13,7 @@ Usage:
import sys
from ipaddress import ip_network, collapse_addresses
from pathlib import Path
from datetime import datetime
from datetime import datetime, UTC
def read_lines(path_or_dash):
if path_or_dash == "-":
@@ -43,13 +43,26 @@ def aggregate_prefixes(lines):
agg_v6 = list(collapse_addresses(sorted(v6, key=lambda x: (int(x.network_address), x.prefixlen))))
return agg_v4, agg_v6, invalid
def make_nft_config(agg_v4, agg_v6, comment=None):
def make_nft_config(agg_v4, agg_v6, comment=None, usage_profile="vm_input"):
lines = []
lines.append("# Autogenerated nftables blacklist")
lines.append(f"# Generated: {datetime.utcnow().isoformat()}Z")
lines.append(f"# Generated: {datetime.now(UTC).isoformat().replace('+00:00', 'Z')}")
if comment:
lines.append(f"# {comment}")
lines.append(f"# IPv4: {len(agg_v4)}, IPv6: {len(agg_v6)}")
lines.append("#")
lines.append("# Usage:")
lines.append("# sudo nft -f <this-file>")
if usage_profile == "vk_forward":
lines.append("# # VK egress blocking for VPN clients via NAT/FORWARD")
lines.append("# sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }'")
lines.append("# sudo nft add rule inet filter forward iifname \"<VPN_IFACE>\" ip daddr @blacklist_v4 counter reject")
lines.append("# sudo nft add rule inet filter forward iifname \"<VPN_IFACE>\" ip6 daddr @blacklist_v6 counter reject")
else:
lines.append("# # VM protection from incoming blacklist sources")
lines.append("# sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'")
lines.append("# sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject")
lines.append("# sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject")
lines.append("")
lines.append("table inet filter {")
lines.append("")
@@ -119,7 +132,8 @@ def main(argv):
if not any(line.strip() and not line.strip().startswith("#") for line in lines):
print("WARNING: input contains no prefixes (empty or only comments). Nothing to aggregate.")
nft_conf = make_nft_config([], [], comment="Empty input produced no prefixes")
profile = "vk_forward" if "vk" in Path(infile).name.lower() else "vm_input"
nft_conf = make_nft_config([], [], comment="Empty input produced no prefixes", usage_profile=profile)
write_output(outfile, nft_conf)
return 0
@@ -137,7 +151,8 @@ def main(argv):
for n in agg_v6:
print(" v6:", n)
nft_conf = make_nft_config(agg_v4, agg_v6, comment=f"Source: {infile}")
profile = "vk_forward" if "vk" in Path(infile).name.lower() else "vm_input"
nft_conf = make_nft_config(agg_v4, agg_v6, comment=f"Source: {infile}", usage_profile=profile)
try:
write_output(outfile, nft_conf)
except Exception as e:
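Review bot: The usage profile is guessed from a substring of the input filename in both main() hunks (`"vk" in Path(infile).name.lower()`), so any unrelated list whose name happens to contain "vk" gets the forward/daddr usage block, while a VK list read from `-` or from a renamed file gets the input/saddr one. Operators copy rules from this header, so a wrong guess yields rules that match the wrong direction and block nothing, without any error. An explicit command-line option, or at least one shared helper instead of the duplicated expression, would make the choice deliberate. `make_nft_config` could also reject unknown values with `if usage_profile not in ("vm_input", "vk_forward"): raise ValueError(usage_profile)` rather than falling through to the input text. Separately, the suggested `nft add chain ... policy accept;` lines target the shared `inet filter` table, and if a base chain of that name already exists with a stricter policy they may relax it; this is worth confirming and stating in the generated header.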