From 3922acb0757ce72522ec80766eae8e8d5b7c1047 Mon Sep 17 00:00:00 2001 From: C24Be Date: Thu, 26 Mar 2026 10:34:02 +0100 Subject: [PATCH] readme files --- blacklists/blacklist-vk-v4.txt | 7 - blacklists/blacklist-vk.txt | 7 - blacklists_iptables/README.md | 34 + blacklists_nftables/README.md | 42 ++ blacklists_nftables/blacklist-v4.nft | 2 +- blacklists_nftables/blacklist-v6.nft | 2 +- blacklists_nftables/blacklist-vk-v4.nft | 22 +- blacklists_nftables/blacklist-vk-v6.nft | 14 +- blacklists_nftables/blacklist-vk.nft | 125 ++++ blacklists_nftables/blacklist.nft | 859 ++++++++++++++++++++++++ blacklists_nginx/README.md | 15 + blacklists_route/README.md | 17 + blacklists_updater_nftables.sh | 17 +- generate_nft_blacklist.py | 23 +- 14 files changed, 1136 insertions(+), 50 deletions(-) create mode 100644 blacklists_nftables/blacklist-vk.nft create mode 100644 blacklists_nftables/blacklist.nft diff --git a/blacklists/blacklist-vk-v4.txt b/blacklists/blacklist-vk-v4.txt index f5dcbc3..8e5bafa 100644 --- a/blacklists/blacklist-vk-v4.txt +++ b/blacklists/blacklist-vk-v4.txt @@ -49,7 +49,6 @@ 185.241.192.0/23 185.241.194.0/23 185.29.128.0/22 -185.29.130.0/24 185.32.248.0/22 185.32.248.0/23 185.32.250.0/23 @@ -74,11 +73,6 @@ 195.211.20.0/22 195.211.22.0/24 195.211.23.0/24 -212.111.84.0/22 -212.233.120.0/22 -212.233.72.0/21 -212.233.88.0/21 -212.233.96.0/22 213.219.212.0/22 213.219.212.0/23 213.219.214.0/23 @@ -212,7 +206,6 @@ 90.156.216.0/23 90.156.218.0/23 90.156.232.0/21 -91.219.224.0/22 91.231.132.0/22 91.237.76.0/24 93.153.255.84/30 diff --git a/blacklists/blacklist-vk.txt b/blacklists/blacklist-vk.txt index 1e3ed71..914c9e4 100644 --- a/blacklists/blacklist-vk.txt +++ b/blacklists/blacklist-vk.txt @@ -49,7 +49,6 @@ 185.241.192.0/23 185.241.194.0/23 185.29.128.0/22 -185.29.130.0/24 185.32.248.0/22 185.32.248.0/23 185.32.250.0/23 
@@ -74,11 +73,6 @@ 195.211.20.0/22 195.211.22.0/24 195.211.23.0/24 -212.111.84.0/22 -212.233.120.0/22 -212.233.72.0/21 -212.233.88.0/21 -212.233.96.0/22 213.219.212.0/22 213.219.212.0/23 213.219.214.0/23 @@ -213,7 +207,6 @@ 90.156.216.0/23 90.156.218.0/23 90.156.232.0/21 -91.219.224.0/22 91.231.132.0/22 91.237.76.0/24 93.153.255.84/30 diff --git a/blacklists_iptables/README.md b/blacklists_iptables/README.md index c83b9a6..d851931 100644 --- a/blacklists_iptables/README.md +++ b/blacklists_iptables/README.md @@ -8,3 +8,37 @@ Short: ready-to-use ipset files for iptables/ip6tables (general and VK-only, sep - https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_iptables/blacklist-v6.ipset - https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_iptables/blacklist-vk-v4.ipset - https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_iptables/blacklist-vk-v6.ipset + +## How to use + +### 1) Protect VM from incoming connections (general blacklists) + +Load IPv4 and IPv6 sets: + +```bash +ipset restore < blacklist-v4.ipset +ipset restore < blacklist-v6.ipset +``` + +Apply inbound rules to traffic connecting to the VM: + +```bash +iptables -I INPUT -m set --match-set blacklist-v4 src -m conntrack --ctstate NEW -j DROP +ip6tables -I INPUT -m set --match-set blacklist-v6 src -m conntrack --ctstate NEW -j DROP +``` + +### 2) Block VK outbound traffic for VPN clients via NAT/FORWARD + +Load VK IPv4 and IPv6 sets: + +```bash +ipset restore < blacklist-vk-v4.ipset +ipset restore < blacklist-vk-v6.ipset +``` + +Apply forwarding rules for client egress traffic (replace ``): + +```bash +iptables -I FORWARD -i -m set --match-set blacklist-vk-v4 dst -j REJECT +ip6tables -I FORWARD -i -m set --match-set blacklist-vk-v6 dst -j REJECT +``` diff --git a/blacklists_nftables/README.md b/blacklists_nftables/README.md index a5431ca..d0d6c6f 100644 --- a/blacklists_nftables/README.md 
+++ b/blacklists_nftables/README.md @@ -4,7 +4,49 @@ Short: ready-to-use nftables blacklist files (general and VK-only, separated by ## Download links +- https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_nftables/blacklist.nft - https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_nftables/blacklist-v4.nft - https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_nftables/blacklist-v6.nft +- https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_nftables/blacklist-vk.nft - https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_nftables/blacklist-vk-v4.nft - https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_nftables/blacklist-vk-v6.nft + +## How to use + +### 1) Protect VM from incoming connections (general blacklists) + +Load either mixed or split general files: + +```bash +sudo nft -f blacklist.nft +# or: +sudo nft -f blacklist-v4.nft +sudo nft -f blacklist-v6.nft +``` + +Apply rules for inbound traffic to the VM: + +```bash +sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }' +sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject +sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject +``` + +### 2) Block VK outbound traffic for VPN clients via NAT/FORWARD + +Load either mixed or split VK files: + +```bash +sudo nft -f blacklist-vk.nft +# or: +sudo nft -f blacklist-vk-v4.nft +sudo nft -f blacklist-vk-v6.nft +``` + +Apply rules for forwarded client traffic (replace ``): + +```bash +sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }' +sudo nft add rule inet filter forward iifname "" ip daddr @blacklist_vk_v4 counter reject +sudo nft add rule inet filter forward iifname "" ip6 daddr @blacklist_vk_v6 counter reject +``` 
diff --git a/blacklists_nftables/blacklist-v4.nft b/blacklists_nftables/blacklist-v4.nft index 9e0e9e7..a86048e 100644 --- a/blacklists_nftables/blacklist-v4.nft +++ b/blacklists_nftables/blacklist-v4.nft @@ -1,5 +1,5 @@ # Autogenerated nftables blacklist -# Generated: 2026-03-26T08:47:07.050929Z +# Generated: 2026-03-26T09:30:12.422545Z # Source: /tmp/blacklist-v4.txt # IPv4: 804, IPv6: 0 # diff --git a/blacklists_nftables/blacklist-v6.nft b/blacklists_nftables/blacklist-v6.nft index 0eeff40..fe3005e 100644 --- a/blacklists_nftables/blacklist-v6.nft +++ b/blacklists_nftables/blacklist-v6.nft @@ -1,5 +1,5 @@ # Autogenerated nftables blacklist -# Generated: 2026-03-26T08:47:07.082244Z +# Generated: 2026-03-26T09:30:12.474423Z # Source: /tmp/blacklist-v6.txt # IPv4: 0, IPv6: 17 # diff --git a/blacklists_nftables/blacklist-vk-v4.nft b/blacklists_nftables/blacklist-vk-v4.nft index 2daf69b..c4d5432 100644 --- a/blacklists_nftables/blacklist-vk-v4.nft +++ b/blacklists_nftables/blacklist-vk-v4.nft 
@@ -1,18 +1,18 @@ # Autogenerated nftables blacklist -# Generated: 2026-03-26T08:47:07.112845Z -# Source: /home/runner/work/AS_Network_List/AS_Network_List/blacklists/blacklist-vk-v4.txt -# IPv4: 92, IPv6: 0 +# Generated: 2026-03-26T09:30:12.562983Z +# Source: /Users/oleg/DocsOS/C24Be/AS_Network_List/blacklists/blacklist-vk-v4.txt +# IPv4: 86, IPv6: 0 # # Usage: # sudo nft -f # # VK egress blocking for VPN clients via NAT/FORWARD # sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }' -# sudo nft add rule inet filter forward iifname "" ip daddr @blacklist_v4 counter reject -# sudo nft add rule inet filter forward iifname "" ip6 daddr @blacklist_v6 counter reject +# sudo nft add rule inet filter forward iifname "" ip daddr @blacklist_vk_v4 counter reject +# sudo nft add rule inet filter forward iifname "" ip6 daddr @blacklist_vk_v6 counter reject table inet filter { - set blacklist_v4 { + set blacklist_vk_v4 { type ipv4_addr flags interval elements = { @@ -56,7 +56,6 @@ table inet filter { 90.156.212.0/22, 90.156.216.0/22, 90.156.232.0/21, - 91.219.224.0/22, 91.231.132.0/22, 91.237.76.0/24, 93.153.255.84/30, @@ -98,11 +97,6 @@ table inet filter { 193.203.40.0/22, 194.84.16.12/30, 195.211.20.0/22, - 212.111.84.0/22, - 212.233.72.0/21, - 212.233.88.0/21, - 212.233.96.0/22, - 212.233.120.0/22, 213.219.212.0/22, 217.16.16.0/20, 217.20.144.0/20, @@ -111,7 +105,7 @@ table inet filter { } } - set blacklist_v6 { + set blacklist_vk_v6 { type ipv6_addr flags interval } @@ -122,6 +116,6 @@ table inet filter { ct state { established, related } accept - ip saddr @blacklist_v4 counter drop + ip saddr @blacklist_vk_v4 counter drop } } \ No newline at end of file diff --git a/blacklists_nftables/blacklist-vk-v6.nft b/blacklists_nftables/blacklist-vk-v6.nft index a5e5382..145c8e3 100644 --- a/blacklists_nftables/blacklist-vk-v6.nft +++ b/blacklists_nftables/blacklist-vk-v6.nft 
@@ -1,23 +1,23 @@ # Autogenerated nftables blacklist -# Generated: 2026-03-26T08:47:07.140784Z -# Source: /home/runner/work/AS_Network_List/AS_Network_List/blacklists/blacklist-vk-v6.txt +# Generated: 2026-03-26T09:30:12.604194Z +# Source: /Users/oleg/DocsOS/C24Be/AS_Network_List/blacklists/blacklist-vk-v6.txt # IPv4: 0, IPv6: 1 # # Usage: # sudo nft -f # # VK egress blocking for VPN clients via NAT/FORWARD # sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }' -# sudo nft add rule inet filter forward iifname "" ip daddr @blacklist_v4 counter reject -# sudo nft add rule inet filter forward iifname "" ip6 daddr @blacklist_v6 counter reject +# sudo nft add rule inet filter forward iifname "" ip daddr @blacklist_vk_v4 counter reject +# sudo nft add rule inet filter forward iifname "" ip6 daddr @blacklist_vk_v6 counter reject table inet filter { - set blacklist_v4 { + set blacklist_vk_v4 { type ipv4_addr flags interval } - set blacklist_v6 { + set blacklist_vk_v6 { type ipv6_addr flags interval elements = { @@ -31,6 +31,6 @@ table inet filter { ct state { established, related } accept - ip6 saddr @blacklist_v6 counter drop + ip6 saddr @blacklist_vk_v6 counter drop } } \ No newline at end of file diff --git a/blacklists_nftables/blacklist-vk.nft b/blacklists_nftables/blacklist-vk.nft new file mode 100644 index 0000000..d724208 --- /dev/null +++ b/blacklists_nftables/blacklist-vk.nft 
@@ -0,0 +1,125 @@ +# Autogenerated nftables blacklist +# Generated: 2026-03-26T09:30:12.514657Z +# Source: /Users/oleg/DocsOS/C24Be/AS_Network_List/blacklists/blacklist-vk.txt +# IPv4: 86, IPv6: 1 +# +# Usage: +# sudo nft -f +# # VK egress blocking for VPN clients via NAT/FORWARD +# sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }' +# sudo nft add rule inet filter forward iifname "" ip daddr @blacklist_vk_v4 counter reject +# sudo nft add rule inet filter forward iifname "" ip6 daddr @blacklist_vk_v6 counter reject + +table inet filter { + + set blacklist_vk_v4 { + type ipv4_addr + flags interval + elements = { + 5.61.16.0/21, + 5.61.232.0/21, + 5.101.40.0/22, + 5.181.60.0/22, + 5.188.140.0/22, + 37.139.32.0/22, + 37.139.40.0/22, + 45.84.128.0/22, + 45.136.20.0/22, + 62.217.160.0/20, + 79.137.132.0/24, + 79.137.139.0/24, + 79.137.157.0/24, + 79.137.164.0/24, + 79.137.167.0/24, + 79.137.174.0/23, + 79.137.180.0/24, + 79.137.240.0/21, + 83.166.232.0/21, + 83.166.248.0/21, + 83.217.216.0/22, + 83.222.28.0/22, + 84.23.52.0/22, + 85.114.31.108/30, + 85.192.32.0/22, + 85.198.106.0/23, + 87.239.104.0/21, + 87.240.128.0/18, + 87.242.112.0/22, + 89.208.84.0/22, + 89.208.196.0/22, + 89.208.208.0/22, + 89.208.216.0/21, + 89.208.228.0/22, + 89.221.228.0/22, + 89.221.232.0/21, + 90.156.148.0/22, + 90.156.212.0/22, + 90.156.216.0/22, + 90.156.232.0/21, + 91.231.132.0/22, + 91.237.76.0/24, + 93.153.255.84/30, + 93.186.224.0/20, + 94.100.176.0/20, + 94.139.244.0/22, + 95.142.192.0/20, + 95.163.32.0/19, + 95.163.180.0/22, + 95.163.208.0/21, + 95.163.216.0/22, + 95.163.248.0/21, + 95.213.0.0/17, + 109.120.180.0/22, + 109.120.188.0/22, + 128.140.168.0/21, + 130.49.224.0/19, + 146.185.208.0/22, + 146.185.240.0/22, + 155.212.192.0/20, + 176.112.168.0/21, + 178.22.88.0/21, + 178.237.16.0/20, + 185.5.136.0/22, + 185.6.244.0/22, + 185.16.148.0/22, + 185.16.244.0/22, + 185.29.128.0/22, + 185.32.248.0/22, + 185.86.144.0/22, + 185.100.104.0/22, 
+ 185.130.112.0/22, + 185.131.68.0/22, + 185.180.200.0/22, + 185.187.63.0/24, + 185.226.52.0/22, + 185.241.192.0/22, + 188.93.56.0/21, + 193.203.40.0/22, + 194.84.16.12/30, + 195.211.20.0/22, + 213.219.212.0/22, + 217.16.16.0/20, + 217.20.144.0/20, + 217.69.128.0/20, + 217.174.188.0/23 + } + } + + set blacklist_vk_v6 { + type ipv6_addr + flags interval + elements = { + 2a00:bdc0::/29 + } + } + + chain input { + type filter hook input priority 0; + policy accept; + + ct state { established, related } accept + + ip saddr @blacklist_vk_v4 counter drop + ip6 saddr @blacklist_vk_v6 counter drop + } +} \ No newline at end of file diff --git a/blacklists_nftables/blacklist.nft b/blacklists_nftables/blacklist.nft new file mode 100644 index 0000000..2ef00e5 --- /dev/null +++ b/blacklists_nftables/blacklist.nft 
@@ -0,0 +1,859 @@ +# Autogenerated nftables blacklist +# Generated: 2026-03-26T09:30:12.364589Z +# Source: /Users/oleg/DocsOS/C24Be/AS_Network_List/blacklists/blacklist.txt +# IPv4: 804, IPv6: 17 +# +# Usage: +# sudo nft -f +# # VM protection from incoming blacklist sources +# sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }' +# sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject +# sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject + +table inet filter { + + set blacklist_v4 { + type ipv4_addr + flags interval + elements = { + 5.61.16.0/21, + 5.61.232.0/21, + 5.101.40.0/22, + 5.181.60.0/22, + 5.188.140.0/22, + 31.44.63.64/29, + 31.177.95.0/24, + 31.177.104.0/22, + 37.28.161.48/30, + 37.29.53.16/30, + 37.29.57.52/30, + 37.29.57.64/30, + 37.29.59.56/30, + 37.139.32.0/22, + 37.139.40.0/22, + 45.84.128.0/22, + 45.136.20.0/22, + 46.20.70.160/28, + 46.29.152.0/22, + 46.46.142.160/28, + 46.46.148.40/29, + 46.47.197.128/30, + 46.47.199.76/30, + 46.47.203.52/30, + 46.47.207.96/30, + 46.47.208.84/30, + 46.47.210.76/30, + 46.47.211.0/24, + 46.47.212.204/30, + 46.47.213.0/24, + 46.47.214.200/30, + 46.47.219.200/30, + 46.47.223.196/30, + 46.47.229.0/28, + 46.47.238.144/30, + 46.47.249.176/29, + 46.61.208.0/24, + 46.228.0.232/29, + 62.5.130.104/29, + 62.5.132.224/29, + 62.5.189.80/29, + 62.5.202.60/30, + 62.5.218.204/30, + 62.5.224.188/30, + 62.5.242.80/28, + 62.28.169.168/30, + 62.33.34.16/28, + 62.33.87.128/28, + 62.33.199.80/29, + 62.63.96.32/28, + 62.63.98.24/29, + 62.63.100.160/30, + 62.63.101.80/29, + 62.76.98.0/24, + 62.105.158.200/29, + 62.112.110.64/28, + 62.118.101.184/29, + 62.118.113.232/29, + 62.118.125.188/30, + 62.118.127.240/28, + 62.118.193.8/29, + 62.118.205.68/30, + 62.118.208.100/30, + 62.118.209.192/30, + 62.118.216.60/30, + 62.118.219.184/30, + 62.118.230.4/30, + 62.118.233.224/29, + 62.118.234.64/29, + 62.118.239.128/29, + 62.141.125.0/25, + 62.217.160.0/20, + 
77.34.209.160/28, + 77.35.76.80/28, + 77.35.98.240/28, + 77.37.128.0/17, + 77.72.139.0/28, + 77.82.124.112/29, + 77.243.9.80/28, + 78.24.159.48/29, + 78.37.67.24/29, + 78.37.69.160/27, + 78.37.84.120/29, + 78.37.97.88/29, + 78.37.104.0/29, + 78.107.3.208/28, + 78.107.13.208/28, + 78.107.16.96/28, + 78.107.18.112/28, + 78.107.40.160/28, + 78.107.42.144/28, + 78.107.51.16/28, + 78.107.61.96/28, + 78.107.86.32/28, + 78.108.192.0/21, + 78.108.200.0/24, + 78.109.140.112/29, + 79.133.74.160/30, + 79.133.74.168/30, + 79.133.75.44/30, + 79.133.75.176/30, + 79.137.132.0/24, + 79.137.139.0/24, + 79.137.140.0/24, + 79.137.142.0/24, + 79.137.157.0/24, + 79.137.164.0/24, + 79.137.167.0/24, + 79.137.174.0/23, + 79.137.180.0/24, + 79.137.183.0/24, + 79.137.240.0/21, + 79.142.88.0/28, + 79.143.229.0/24, + 79.143.230.0/24, + 79.143.232.0/24, + 80.73.16.0/20, + 80.73.168.80/28, + 80.73.169.244/30, + 80.82.43.24/29, + 80.89.152.220/30, + 80.237.11.88/29, + 80.237.39.112/29, + 80.237.98.80/28, + 80.247.32.0/20, + 80.254.100.40/29, + 80.254.119.168/29, + 81.1.195.0/28, + 81.1.205.96/27, + 81.2.1.0/28, + 81.2.10.192/27, + 81.3.168.148/30, + 81.17.2.192/28, + 81.17.3.16/29, + 81.176.70.0/26, + 81.176.235.0/27, + 81.177.12.0/24, + 81.177.31.64/26, + 81.177.156.0/24, + 81.195.36.48/28, + 81.195.44.248/30, + 81.195.45.64/30, + 81.195.50.72/29, + 81.195.90.44/30, + 81.195.92.48/30, + 81.195.93.192/27, + 81.195.94.72/29, + 81.195.105.160/28, + 81.195.108.164/30, + 81.195.112.36/30, + 81.195.118.48/30, + 81.195.118.128/30, + 81.195.120.16/29, + 81.195.124.52/30, + 81.195.125.96/30, + 81.195.148.140/30, + 81.195.150.248/30, + 81.195.151.0/24, + 81.195.155.0/30, + 81.195.161.12/30, + 81.195.164.0/24, + 81.195.165.64/28, + 81.195.168.24/30, + 81.195.177.160/30, + 81.195.178.224/27, + 81.195.182.64/28, + 81.195.192.96/30, + 81.195.231.128/26, + 81.195.244.32/29, + 81.195.245.0/28, + 81.195.247.128/28, + 81.195.250.16/29, + 81.211.32.16/28, + 81.222.194.200/29, + 81.222.209.136/29, + 
81.222.210.24/29, + 82.140.65.240/29, + 82.142.162.104/29, + 82.151.107.136/29, + 82.162.72.208/28, + 82.162.76.176/28, + 82.162.80.192/28, + 82.162.87.192/28, + 82.162.90.0/28, + 82.162.103.144/28, + 82.162.126.96/28, + 82.162.149.160/28, + 82.162.157.64/28, + 82.162.158.176/28, + 82.162.172.112/28, + 82.179.86.32/27, + 82.196.69.152/30, + 82.196.130.0/27, + 82.198.176.16/29, + 82.198.176.144/29, + 82.198.176.208/29, + 82.198.189.128/26, + 82.198.190.64/26, + 82.198.191.96/27, + 82.198.191.248/29, + 82.200.13.0/27, + 82.200.22.136/29, + 82.200.22.144/28, + 82.200.64.0/24, + 82.208.68.240/28, + 82.208.77.104/29, + 82.208.81.0/24, + 82.208.93.160/27, + 83.69.207.248/29, + 83.149.42.64/29, + 83.166.232.0/21, + 83.166.248.0/21, + 83.172.36.224/29, + 83.217.216.0/22, + 83.219.5.248/29, + 83.219.6.72/29, + 83.219.13.128/29, + 83.219.13.184/29, + 83.219.23.8/29, + 83.219.23.48/29, + 83.219.25.0/29, + 83.219.25.112/29, + 83.219.138.16/28, + 83.220.53.16/28, + 83.222.28.0/22, + 83.229.181.192/26, + 83.229.232.16/29, + 84.23.52.0/22, + 84.53.210.144/28, + 84.204.7.144/29, + 84.204.93.232/30, + 84.204.143.44/30, + 84.204.154.16/30, + 84.204.170.220/30, + 84.204.217.164/30, + 84.204.245.208/29, + 85.21.99.48/28, + 85.21.99.64/28, + 85.21.102.224/28, + 85.21.103.64/28, + 85.21.104.192/27, + 85.21.148.0/26, + 85.21.149.48/28, + 85.21.155.208/28, + 85.21.157.48/28, + 85.21.204.208/28, + 85.90.98.144/30, + 85.90.99.168/29, + 85.90.100.72/29, + 85.90.101.112/28, + 85.90.101.192/29, + 85.90.102.168/29, + 85.90.120.72/29, + 85.90.121.72/29, + 85.90.125.96/29, + 85.90.127.16/29, + 85.94.52.160/27, + 85.94.53.32/28, + 85.114.30.192/30, + 85.114.30.204/30, + 85.114.31.108/30, + 85.114.93.88/29, + 85.141.17.24/30, + 85.141.17.112/30, + 85.141.18.80/30, + 85.141.19.56/30, + 85.141.21.236/30, + 85.141.28.0/30, + 85.141.31.68/30, + 85.141.32.96/28, + 85.141.33.0/28, + 85.141.33.64/28, + 85.141.60.96/28, + 85.141.61.160/28, + 85.143.125.0/24, + 85.146.204.44/30, + 85.192.32.0/22, + 
85.198.106.0/23, + 85.236.29.160/27, + 86.102.72.240/28, + 86.102.74.64/28, + 86.102.100.48/28, + 86.102.108.32/28, + 86.102.109.32/27, + 86.102.115.80/28, + 86.102.126.80/28, + 86.102.126.160/28, + 87.117.18.144/29, + 87.117.20.64/26, + 87.117.20.128/28, + 87.117.21.0/26, + 87.117.21.64/28, + 87.117.21.80/29, + 87.117.23.128/28, + 87.117.31.56/29, + 87.225.56.224/28, + 87.226.156.64/26, + 87.226.191.0/24, + 87.226.213.0/24, + 87.226.239.180/30, + 87.237.47.204/30, + 87.239.104.0/21, + 87.240.128.0/18, + 87.242.112.0/22, + 87.245.133.0/24, + 87.249.3.64/28, + 87.249.5.48/30, + 87.249.7.120/29, + 87.249.16.32/28, + 87.249.18.60/30, + 87.249.22.72/29, + 87.249.28.232/29, + 87.249.30.176/30, + 88.83.195.248/30, + 88.151.200.0/24, + 88.200.208.112/29, + 89.21.129.16/28, + 89.21.140.104/29, + 89.21.152.104/29, + 89.28.253.168/29, + 89.28.255.56/29, + 89.106.172.160/29, + 89.107.123.120/29, + 89.107.123.136/29, + 89.107.127.136/29, + 89.109.7.176/29, + 89.109.250.28/30, + 89.109.250.80/30, + 89.109.250.88/29, + 89.109.250.96/30, + 89.109.250.132/30, + 89.109.250.140/30, + 89.111.176.0/22, + 89.175.6.64/27, + 89.175.8.36/30, + 89.175.8.40/29, + 89.175.8.52/30, + 89.175.8.68/30, + 89.175.8.104/30, + 89.175.8.140/30, + 89.175.8.192/30, + 89.175.9.4/30, + 89.175.10.160/30, + 89.175.165.208/28, + 89.175.170.144/28, + 89.175.174.136/29, + 89.175.176.88/30, + 89.175.176.140/30, + 89.175.176.176/30, + 89.175.188.184/29, + 89.179.155.192/28, + 89.179.179.16/28, + 89.179.181.0/24, + 89.208.84.0/22, + 89.208.196.0/22, + 89.208.208.0/22, + 89.208.216.0/21, + 89.208.228.0/22, + 89.221.228.0/22, + 89.221.232.0/21, + 90.150.176.52/30, + 90.150.189.32/29, + 90.150.189.128/26, + 90.150.189.192/27, + 90.150.189.224/28, + 90.150.189.248/29, + 90.156.148.0/22, + 90.156.212.0/22, + 90.156.216.0/22, + 90.156.232.0/21, + 91.103.194.184/29, + 91.135.212.0/22, + 91.135.216.0/21, + 91.195.136.0/23, + 91.208.20.0/24, + 91.215.168.0/22, + 91.217.34.0/23, + 91.219.192.0/22, + 91.219.224.0/22, + 
91.221.140.0/23, + 91.226.250.0/24, + 91.227.32.0/24, + 91.231.132.0/22, + 91.237.76.0/24, + 92.38.217.0/24, + 92.39.106.20/30, + 92.39.106.168/30, + 92.39.111.84/30, + 92.39.128.0/21, + 92.50.198.72/30, + 92.50.198.124/30, + 92.50.219.136/29, + 92.50.238.224/29, + 92.101.253.96/29, + 92.101.253.152/29, + 93.153.134.112/29, + 93.153.135.88/30, + 93.153.136.132/30, + 93.153.142.4/30, + 93.153.144.60/30, + 93.153.171.204/30, + 93.153.172.100/30, + 93.153.175.44/30, + 93.153.183.104/30, + 93.153.194.160/29, + 93.153.220.192/29, + 93.153.223.8/29, + 93.153.229.232/29, + 93.153.244.188/30, + 93.153.244.248/29, + 93.153.251.0/24, + 93.153.255.84/30, + 93.178.104.32/29, + 93.178.104.64/29, + 93.178.106.0/26, + 93.186.224.0/20, + 93.188.20.72/29, + 93.190.110.0/24, + 94.25.53.56/29, + 94.25.57.176/29, + 94.25.57.224/28, + 94.25.65.16/29, + 94.25.70.64/30, + 94.25.90.240/29, + 94.25.95.136/30, + 94.25.119.228/30, + 94.100.176.0/20, + 94.124.192.192/29, + 94.139.244.0/22, + 94.199.64.0/21, + 95.53.248.0/29, + 95.54.193.80/28, + 95.142.192.0/20, + 95.163.32.0/19, + 95.163.133.0/24, + 95.163.180.0/22, + 95.163.208.0/21, + 95.163.216.0/22, + 95.163.248.0/21, + 95.167.2.4/30, + 95.167.4.168/29, + 95.167.5.64/27, + 95.167.21.104/29, + 95.167.29.104/29, + 95.167.54.76/30, + 95.167.59.244/30, + 95.167.64.20/30, + 95.167.68.216/29, + 95.167.69.116/30, + 95.167.70.32/28, + 95.167.70.136/29, + 95.167.70.176/28, + 95.167.72.48/30, + 95.167.72.140/30, + 95.167.72.204/30, + 95.167.74.136/29, + 95.167.74.180/30, + 95.167.76.160/27, + 95.167.99.48/28, + 95.167.113.48/30, + 95.167.114.48/30, + 95.167.121.68/30, + 95.167.122.128/28, + 95.167.142.32/30, + 95.167.157.156/30, + 95.167.162.76/30, + 95.167.162.236/30, + 95.167.176.0/23, + 95.167.213.0/24, + 95.173.128.0/19, + 95.213.0.0/17, + 109.73.4.224/27, + 109.120.180.0/22, + 109.120.188.0/22, + 109.124.66.128/30, + 109.124.66.160/28, + 109.124.71.64/29, + 109.124.78.108/30, + 109.124.80.132/30, + 109.124.83.20/30, + 109.124.87.96/29, + 
109.124.89.36/30, + 109.124.89.140/30, + 109.124.89.212/30, + 109.124.90.32/30, + 109.124.90.128/30, + 109.124.97.4/30, + 109.124.99.16/30, + 109.124.99.160/28, + 109.124.119.88/29, + 109.204.204.232/29, + 109.207.0.0/20, + 109.232.187.16/29, + 109.248.197.0/24, + 128.140.168.0/21, + 130.49.224.0/19, + 145.255.238.240/28, + 146.185.208.0/22, + 146.185.240.0/22, + 149.62.55.240/30, + 155.212.192.0/20, + 176.109.0.0/21, + 176.112.168.0/21, + 176.116.96.0/20, + 178.16.156.148/30, + 178.17.176.0/20, + 178.20.234.224/29, + 178.22.88.0/21, + 178.49.148.176/29, + 178.237.16.0/20, + 178.237.206.0/24, + 178.237.240.0/20, + 178.248.232.60/32, + 178.248.232.137/32, + 178.248.233.26/32, + 178.248.233.32/32, + 178.248.233.60/32, + 178.248.233.136/32, + 178.248.233.244/31, + 178.248.234.30/32, + 178.248.234.33/32, + 178.248.234.60/32, + 178.248.234.79/32, + 178.248.234.83/32, + 178.248.234.136/32, + 178.248.234.204/32, + 178.248.234.228/32, + 178.248.234.238/32, + 178.248.235.60/32, + 178.248.235.75/32, + 178.248.235.244/32, + 178.248.236.20/32, + 178.248.236.83/32, + 178.248.236.244/32, + 178.248.237.18/32, + 178.248.237.98/32, + 178.248.237.136/32, + 178.248.237.242/32, + 178.248.238.55/32, + 178.248.238.102/32, + 178.248.238.128/31, + 178.248.238.136/32, + 178.248.238.155/32, + 178.248.238.172/32, + 178.248.238.205/32, + 178.248.238.255/32, + 178.248.239.215/32, + 185.5.136.0/22, + 185.6.244.0/22, + 185.7.234.188/30, + 185.16.148.0/22, + 185.16.244.0/22, + 185.29.128.0/22, + 185.32.248.0/22, + 185.65.149.170/32, + 185.86.144.0/22, + 185.100.104.0/22, + 185.130.112.0/22, + 185.131.68.0/22, + 185.149.160.0/22, + 185.168.60.0/22, + 185.179.224.0/22, + 185.180.200.0/22, + 185.183.172.0/22, + 185.187.63.0/24, + 185.224.228.0/22, + 185.226.52.0/22, + 185.241.192.0/22, + 188.93.56.0/21, + 188.128.8.240/30, + 188.128.11.196/30, + 188.128.89.0/30, + 188.128.92.104/30, + 188.128.94.204/30, + 188.128.98.204/30, + 188.128.101.108/30, + 188.128.112.216/29, + 188.128.112.240/29, + 
188.128.113.0/28, + 188.128.114.128/28, + 188.128.115.232/29, + 188.128.118.224/27, + 188.128.119.104/30, + 188.128.122.240/30, + 188.247.36.124/30, + 188.247.36.128/28, + 188.247.36.204/30, + 193.33.230.0/23, + 193.47.146.0/24, + 193.203.40.0/22, + 193.232.70.0/24, + 194.8.70.0/23, + 194.8.246.0/23, + 194.67.63.200/30, + 194.84.16.12/30, + 194.140.247.0/24, + 194.150.202.0/23, + 194.165.22.0/23, + 194.186.63.0/24, + 194.186.112.80/28, + 194.190.9.0/24, + 194.215.248.0/24, + 194.226.80.0/20, + 194.226.116.0/22, + 194.226.127.0/24, + 195.3.240.0/22, + 195.16.55.224/27, + 195.42.75.8/29, + 195.54.20.168/29, + 195.54.28.72/30, + 195.54.221.0/24, + 195.58.5.16/29, + 195.58.13.120/30, + 195.58.21.196/30, + 195.58.29.57/32, + 195.58.30.164/30, + 195.58.30.200/29, + 195.80.224.0/24, + 195.98.38.16/28, + 195.98.43.104/29, + 195.98.73.56/29, + 195.98.77.100/30, + 195.128.157.0/24, + 195.131.7.8/29, + 195.131.53.248/29, + 195.131.61.80/29, + 195.131.63.24/29, + 195.144.226.224/28, + 195.144.232.144/30, + 195.144.240.128/28, + 195.149.110.0/24, + 195.151.25.48/29, + 195.162.36.64/28, + 195.170.218.24/29, + 195.170.218.88/29, + 195.182.142.128/26, + 195.182.145.64/28, + 195.182.151.212/30, + 195.182.151.216/30, + 195.182.155.164/30, + 195.182.156.96/30, + 195.209.120.0/22, + 195.211.20.0/22, + 195.218.175.40/29, + 195.218.190.0/23, + 195.226.203.0/24, + 195.239.80.32/29, + 195.239.113.0/24, + 195.239.247.0/24, + 212.13.104.116/30, + 212.13.113.100/30, + 212.15.105.64/28, + 212.15.114.156/30, + 212.15.115.80/28, + 212.17.8.176/29, + 212.17.9.144/28, + 212.17.16.192/27, + 212.17.17.176/28, + 212.23.85.48/30, + 212.23.85.56/29, + 212.32.198.64/29, + 212.48.34.176/28, + 212.48.53.76/30, + 212.48.53.84/30, + 212.48.53.88/29, + 212.48.53.100/30, + 212.48.53.144/30, + 212.48.53.152/29, + 212.48.53.160/29, + 212.48.53.184/29, + 212.48.53.192/29, + 212.48.53.200/30, + 212.48.53.216/30, + 212.48.53.236/30, + 212.48.53.240/28, + 212.48.54.0/30, + 212.48.54.8/29, + 212.48.54.16/28, + 
212.48.54.32/29, + 212.48.54.44/30, + 212.48.54.48/28, + 212.48.54.64/28, + 212.48.54.80/29, + 212.48.54.92/30, + 212.48.54.96/27, + 212.48.54.128/27, + 212.48.54.164/30, + 212.48.54.168/29, + 212.48.54.176/28, + 212.48.54.196/30, + 212.48.54.200/30, + 212.48.54.208/28, + 212.48.54.240/28, + 212.48.134.192/26, + 212.48.138.240/28, + 212.48.141.160/27, + 212.49.107.224/27, + 212.49.124.0/26, + 212.57.133.0/24, + 212.57.159.0/24, + 212.59.98.48/29, + 212.59.99.96/27, + 212.111.84.0/22, + 212.119.174.0/23, + 212.120.169.48/29, + 212.120.174.88/29, + 212.120.184.48/28, + 212.120.184.64/29, + 212.120.189.208/29, + 212.120.189.224/29, + 212.120.190.112/29, + 212.120.190.240/29, + 212.120.191.120/29, + 212.120.191.248/29, + 212.192.156.0/22, + 212.233.72.0/21, + 212.233.88.0/21, + 212.233.96.0/22, + 212.233.120.0/22, + 213.24.34.0/24, + 213.24.75.0/24, + 213.24.76.0/23, + 213.24.128.0/22, + 213.24.143.0/24, + 213.24.152.0/22, + 213.24.160.0/28, + 213.33.171.240/29, + 213.59.59.16/29, + 213.59.59.64/29, + 213.59.59.120/29, + 213.59.59.128/29, + 213.59.59.144/29, + 213.59.59.168/29, + 213.59.91.48/29, + 213.59.91.128/27, + 213.59.91.176/28, + 213.85.2.64/28, + 213.85.2.80/29, + 213.85.20.8/30, + 213.85.20.32/30, + 213.85.20.84/30, + 213.85.77.64/27, + 213.85.142.176/28, + 213.147.55.108/30, + 213.172.4.192/26, + 213.172.17.252/30, + 213.172.18.60/30, + 213.172.18.124/30, + 213.172.18.148/30, + 213.172.18.160/29, + 213.172.18.252/30, + 213.172.27.0/30, + 213.172.27.116/30, + 213.172.27.160/30, + 213.172.27.204/30, + 213.172.27.212/30, + 213.172.27.224/30, + 213.172.27.252/30, + 213.172.30.136/30, + 213.176.232.0/22, + 213.177.111.0/24, + 213.183.253.56/29, + 213.219.212.0/22, + 213.219.237.68/30, + 213.234.8.8/30, + 213.234.13.60/30, + 213.234.15.228/30, + 213.234.15.248/30, + 213.234.18.52/30, + 213.242.204.76/30, + 213.242.204.236/30, + 213.242.205.88/30, + 213.242.215.68/30, + 213.242.215.192/29, + 213.243.84.80/28, + 213.243.106.48/28, + 213.243.116.0/24, + 
217.16.16.0/20, + 217.20.86.128/26, + 217.20.86.232/29, + 217.20.144.0/20, + 217.23.88.168/29, + 217.23.88.248/29, + 217.27.142.176/30, + 217.65.214.24/29, + 217.65.219.160/29, + 217.67.177.208/29, + 217.69.128.0/20, + 217.106.0.0/16, + 217.107.5.8/29, + 217.107.5.16/28, + 217.107.5.40/29, + 217.107.5.80/28, + 217.107.5.96/29, + 217.107.5.112/29, + 217.107.200.0/21, + 217.147.23.112/28, + 217.148.216.156/30, + 217.148.220.160/29, + 217.172.18.0/23, + 217.174.188.0/22, + 217.195.92.16/28, + 217.195.93.144/29, + 217.195.94.200/29 + } + } + + set blacklist_v6 { + type ipv6_addr + flags interval + elements = { + 2a00:1148::/29, + 2a00:46e0::/32, + 2a00:a300::/32, + 2a00:b4c0::/32, + 2a00:bdc0::/33, + 2a00:bdc0:8000::/34, + 2a00:bdc0:c000::/35, + 2a00:bdc0:e002::/47, + 2a00:bdc0:e004::/47, + 2a00:bdc0:e007::/48, + 2a00:bdc0:f000::/36, + 2a00:bdc1::/32, + 2a00:bdc2::/31, + 2a00:bdc4::/30, + 2a14:25c0::/32, + 2a14:25c5::/32, + 2a14:25c6::/31 + } + } + + chain input { + type filter hook input priority 0; + policy accept; + + ct state { established, related } accept + + ip saddr @blacklist_v4 counter drop + ip6 saddr @blacklist_v6 counter drop + } +} \ No newline at end of file diff --git a/blacklists_nginx/README.md b/blacklists_nginx/README.md index 5c42200..5eec924 100644 --- a/blacklists_nginx/README.md +++ b/blacklists_nginx/README.md 
@@ -7,3 +7,18 @@ Short: ready-to-use deny lists for nginx (mixed, IPv4-only, and IPv6-only). - https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_nginx/blacklist.conf - https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_nginx/blacklist-v4.conf - https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_nginx/blacklist-v6.conf + +## How to use + +1. Download one file (`blacklist.conf`, `blacklist-v4.conf`, or `blacklist-v6.conf`). +2. Include it in your `server` or `location` block: + +```nginx +include /etc/nginx/blacklist.conf; +``` + +3. Test and reload nginx: + +```bash +sudo nginx -t && sudo systemctl reload nginx +``` diff --git a/blacklists_route/README.md b/blacklists_route/README.md index 3be853c..e5a0e04 100644 --- a/blacklists_route/README.md +++ b/blacklists_route/README.md @@ -6,3 +6,20 @@ Short: ready-to-use route files for VK networks with loopback routing (IPv4/IPv6 - https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_route/blacklist-vk-v4.routes - https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_route/blacklist-vk-v6.routes + +## How to use + +1. Download both route files. +2. Apply routes as root: + +```bash +sudo sh blacklist-vk-v4.routes +sudo sh blacklist-vk-v6.routes +``` + +3. Verify routes are present: + +```bash +ip route | grep -E '127\.0\.0\.1.*lo' +ip -6 route | grep -E '::1' +``` diff --git a/blacklists_updater_nftables.sh b/blacklists_updater_nftables.sh index 1b45929..abc1160 100755 --- a/blacklists_updater_nftables.sh +++ b/blacklists_updater_nftables.sh 
@@ -34,6 +34,11 @@ grep ':' "$VK_INPUT_FILE" | sort -u > "$VK_INPUT_V6_FILE" || true grep -v ':' "$VK_INPUT_FILE" | sort -u > "$VK_INPUT_V4_FILE" || true rm -f "$TMP_VK_FILE" +# Generate mixed IPv4/IPv6 blacklist (recommended single-file load) +python3 "$SCRIPT_DIR/generate_nft_blacklist.py" \ + "$INPUT_FILE" \ + "$OUTPUT_DIR/blacklist.nft" + # Generate IPv4-only blacklist TMP_V4_FILE="/tmp/blacklist-v4.txt" TMP_V6_FILE="/tmp/blacklist-v6.txt" @@ -49,6 +54,9 @@ python3 "$SCRIPT_DIR/generate_nft_blacklist.py" \ "$OUTPUT_DIR/blacklist-v6.nft" # Generate VK-only blacklists (network names: VK Cloud / VKCOMPANY / VKONTAKTE) +python3 "$SCRIPT_DIR/generate_nft_blacklist.py" \ + "$VK_INPUT_FILE" \ + "$OUTPUT_DIR/blacklist-vk.nft" python3 "$SCRIPT_DIR/generate_nft_blacklist.py" \ "$VK_INPUT_V4_FILE" \ "$OUTPUT_DIR/blacklist-vk-v4.nft" @@ -56,15 +64,13 @@ python3 "$SCRIPT_DIR/generate_nft_blacklist.py" \ "$VK_INPUT_V6_FILE" \ "$OUTPUT_DIR/blacklist-vk-v6.nft" -# Remove deprecated mixed summary files if they exist -rm -f "$OUTPUT_DIR/blacklist.nft" "$OUTPUT_DIR/blacklist-vk.nft" - # Clean up temp files rm -f "$TMP_V4_FILE" "$TMP_V6_FILE" echo "nftables blacklists generated successfully!" echo "" echo "VM incoming block examples (all lists, nftables):" +echo " sudo nft -f $OUTPUT_DIR/blacklist.nft" echo " sudo nft -f $OUTPUT_DIR/blacklist-v4.nft" echo " sudo nft -f $OUTPUT_DIR/blacklist-v6.nft" echo " sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'" 
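Review bot: The mixed-list call added at the top of this hunk passes `"$INPUT_FILE"` to the generator as an absolute path, and the headers regenerated in this commit now publish a workstation path (`# Source: /Users/oleg/DocsOS/C24Be/AS_Network_List/blacklists/blacklist.txt`) where the previous VK files carried the CI runner path. That puts a local account name and directory layout into files that users download and load as root, and it suggests these artifacts were built outside the pipeline. Pass a repository-relative path, or have the generator record only the file name in the `# Source:` line. Separately, the context lines keep the fixed names `/tmp/blacklist-v4.txt` and `/tmp/blacklist-v6.txt`; on a shared host, `TMP_V4_FILE="$(mktemp)"` (and the same for v6) prevents another local user from pre-creating those paths.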
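Review bot: The example output in the hunk at -56,15 now prints `sudo nft -f $OUTPUT_DIR/blacklist.nft` directly above the `-v4` and `-v6` loads with nothing marking them as alternatives, so a reader who runs all three lines loads the same `table inet filter` three times. Each generated file declares its own `chain input` with the drop rules, and nft appends rules when a file is loaded into an existing chain, so the rules end up duplicated. Print a separator between the mixed and the split loads, for example `echo "  # or, split by address family:"`. The VK example in the hunk at -72,10 has the same problem.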
@@ -72,10 +78,11 @@ echo " sudo nft add rule inet filter input ip saddr @blacklist_v4 counter rejec echo " sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject" echo "" echo "VK outbound block examples for VPN clients via NAT (nftables):" +echo " sudo nft -f $OUTPUT_DIR/blacklist-vk.nft" echo " sudo nft -f $OUTPUT_DIR/blacklist-vk-v4.nft" echo " sudo nft -f $OUTPUT_DIR/blacklist-vk-v6.nft" echo " sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }'" -echo " sudo nft add rule inet filter forward iifname \"\" ip daddr @blacklist_v4 counter reject" -echo " sudo nft add rule inet filter forward iifname \"\" ip6 daddr @blacklist_v6 counter reject" +echo " sudo nft add rule inet filter forward iifname \"\" ip daddr @blacklist_vk_v4 counter reject" +echo " sudo nft add rule inet filter forward iifname \"\" ip6 daddr @blacklist_vk_v6 counter reject" echo "" echo "Tip: Do not install Messenger MAX on the same phone/device that has VPN access configured." diff --git a/generate_nft_blacklist.py b/generate_nft_blacklist.py index 87b7586..de82f8f 100755 --- a/generate_nft_blacklist.py +++ b/generate_nft_blacklist.py @@ -44,6 +44,13 @@ def aggregate_prefixes(lines): return agg_v4, agg_v6, invalid def make_nft_config(agg_v4, agg_v6, comment=None, usage_profile="vm_input"): + if usage_profile == "vk_forward": + set_v4_name = "blacklist_vk_v4" + set_v6_name = "blacklist_vk_v6" + else: + set_v4_name = "blacklist_v4" + set_v6_name = "blacklist_v6" + lines = [] lines.append("# Autogenerated nftables blacklist") lines.append(f"# Generated: {datetime.now(UTC).isoformat().replace('+00:00', 'Z')}") 
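Review bot: The new branch at the top of make_nft_config (`@@ -44,6 +44,13 @@`) treats every `usage_profile` other than the exact string `"vk_forward"` as the general profile, so a misspelled or unexpected value silently produces `blacklist_v4`/`blacklist_v6` sets in what was meant to be a VK file. Because the set name is what firewall rules bind to, I would reject unknown values up front: `if usage_profile not in ("vm_input", "vk_forward"): raise ValueError(f"unknown usage_profile: {usage_profile!r}")`. How the caller chooses the profile is outside the hunks shown, and the function body continues past this hunk. A short docstring naming the two profiles and the set names each one yields would also help, since the `def` line is followed directly by code.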
@@ -56,19 +63,19 @@ def make_nft_config(agg_v4, agg_v6, comment=None, usage_profile="vm_input"): if usage_profile == "vk_forward": lines.append("# # VK egress blocking for VPN clients via NAT/FORWARD") lines.append("# sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }'") - lines.append("# sudo nft add rule inet filter forward iifname \"\" ip daddr @blacklist_v4 counter reject") - lines.append("# sudo nft add rule inet filter forward iifname \"\" ip6 daddr @blacklist_v6 counter reject") + lines.append(f"# sudo nft add rule inet filter forward iifname \"\" ip daddr @{set_v4_name} counter reject") + lines.append(f"# sudo nft add rule inet filter forward iifname \"\" ip6 daddr @{set_v6_name} counter reject") else: lines.append("# # VM protection from incoming blacklist sources") lines.append("# sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'") - lines.append("# sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject") - lines.append("# sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject") + lines.append(f"# sudo nft add rule inet filter input ip saddr @{set_v4_name} counter reject") + lines.append(f"# sudo nft add rule inet filter input ip6 saddr @{set_v6_name} counter reject") lines.append("") lines.append("table inet filter {") lines.append("") # Define IPv4 blacklist set - lines.append(" set blacklist_v4 {") + lines.append(f" set {set_v4_name} {{") lines.append(" type ipv4_addr") lines.append(" flags interval") if agg_v4: @@ -81,7 +88,7 @@ def make_nft_config(agg_v4, agg_v6, comment=None, usage_profile="vm_input"): lines.append("") # Define IPv6 blacklist set - lines.append(" set blacklist_v6 {") + lines.append(f" set {set_v6_name} {{") lines.append(" type ipv6_addr") lines.append(" flags interval") if agg_v6: 
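Review bot: The set definition at the end of `@@ -56,19 +63,19 @@` (`set {set_v4_name} {{`, with its IPv6 twin in `@@ -81,7 +88,7 @@`) changes the set name the VK files create, and nothing in the generated header tells existing users. A host that loaded an earlier VK file has forward rules bound to `@blacklist_v4`/`@blacklist_v6`. Loading the regenerated file would add `blacklist_vk_v4`/`blacklist_vk_v6` next to the old sets rather than replace them, so those rules keep matching the old contents, including ranges this commit drops from the VK list. I would emit a header line for the vk_forward profile, e.g. `lines.append("# NOTE: sets renamed to blacklist_vk_v4 / blacklist_vk_v6; re-create rules that still reference @blacklist_v4 / @blacklist_v6")`. The function starts and ends outside both hunks.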
@@ -101,9 +108,9 @@ def make_nft_config(agg_v4, agg_v6, comment=None, usage_profile="vm_input"):
 lines.append(" ct state { established, related } accept")
 lines.append("")
 if agg_v4:
- lines.append(" ip saddr @blacklist_v4 counter drop")
+ lines.append(f" ip saddr @{set_v4_name} counter drop")
 if agg_v6:
- lines.append(" ip6 saddr @blacklist_v6 counter drop")
+ lines.append(f" ip6 saddr @{set_v6_name} counter drop")
 lines.append(" }")
 lines.append("}")
 return "\n".join(lines)
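Review bot: With profile-dependent set names, the two rules in this hunk become `ip saddr @blacklist_vk_v4 counter drop` and `ip6 saddr @blacklist_vk_v6 counter drop` for the vk_forward profile, which filter by source address although the header generated for that profile describes forward-path blocking by `ip daddr`. The chain these rules belong to is opened above the hunk, so whether it is emitted for vk_forward, and on which hook, is not visible here. If it is, loading a VK file installs an inbound source filter the header does not mention and no egress rule, which an operator could mistake for working VPN-client blocking. I would gate this block on the profile, or at least document it ahead of the rules with a comment such as `# inbound source drop only; VK egress blocking needs the forward rule from the header`.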