readme files

This commit is contained in:
C24Be
2026-03-26 10:34:02 +01:00
parent 17d64070c6
commit 3922acb075
14 changed files with 1136 additions and 50 deletions


@@ -44,6 +44,13 @@ def aggregate_prefixes(lines):
return agg_v4, agg_v6, invalid
def make_nft_config(agg_v4, agg_v6, comment=None, usage_profile="vm_input"):
if usage_profile == "vk_forward":
set_v4_name = "blacklist_vk_v4"
set_v6_name = "blacklist_vk_v6"
else:
set_v4_name = "blacklist_v4"
set_v6_name = "blacklist_v6"
lines = []
lines.append("# Autogenerated nftables blacklist")
lines.append(f"# Generated: {datetime.now(UTC).isoformat().replace('+00:00', 'Z')}")
@@ -56,19 +63,19 @@ def make_nft_config(agg_v4, agg_v6, comment=None, usage_profile="vm_input"):
if usage_profile == "vk_forward":
lines.append("# # VK egress blocking for VPN clients via NAT/FORWARD")
lines.append("# sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }'")
lines.append("# sudo nft add rule inet filter forward iifname \"<VPN_IFACE>\" ip daddr @blacklist_v4 counter reject")
lines.append("# sudo nft add rule inet filter forward iifname \"<VPN_IFACE>\" ip6 daddr @blacklist_v6 counter reject")
lines.append(f"# sudo nft add rule inet filter forward iifname \"<VPN_IFACE>\" ip daddr @{set_v4_name} counter reject")
lines.append(f"# sudo nft add rule inet filter forward iifname \"<VPN_IFACE>\" ip6 daddr @{set_v6_name} counter reject")
else:
lines.append("# # VM protection from incoming blacklist sources")
lines.append("# sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'")
lines.append("# sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject")
lines.append("# sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject")
lines.append(f"# sudo nft add rule inet filter input ip saddr @{set_v4_name} counter reject")
lines.append(f"# sudo nft add rule inet filter input ip6 saddr @{set_v6_name} counter reject")
lines.append("")
lines.append("table inet filter {")
lines.append("")
# Define IPv4 blacklist set
lines.append(" set blacklist_v4 {")
lines.append(f" set {set_v4_name} {{")
lines.append(" type ipv4_addr")
lines.append(" flags interval")
if agg_v4:
@@ -81,7 +88,7 @@ def make_nft_config(agg_v4, agg_v6, comment=None, usage_profile="vm_input"):
lines.append("")
# Define IPv6 blacklist set
lines.append(" set blacklist_v6 {")
lines.append(f" set {set_v6_name} {{")
lines.append(" type ipv6_addr")
lines.append(" flags interval")
if agg_v6:
@@ -101,9 +108,9 @@ def make_nft_config(agg_v4, agg_v6, comment=None, usage_profile="vm_input"):
lines.append(" ct state { established, related } accept")
lines.append("")
if agg_v4:
lines.append(" ip saddr @blacklist_v4 counter drop")
lines.append(f" ip saddr @{set_v4_name} counter drop")
if agg_v6:
lines.append(" ip6 saddr @blacklist_v6 counter drop")
lines.append(f" ip6 saddr @{set_v6_name} counter drop")
lines.append(" }")
lines.append("}")
return "\n".join(lines)
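Review bot: In the third hunk the vk_forward profile still emits source-address rules, `ip saddr @{set_v4_name} counter drop` and `ip6 saddr @{set_v6_name} counter drop`, while the usage comments added for that profile in the second hunk describe destination matching on the forward chain (`ip daddr @... counter reject` behind the VPN interface); as generated, the vk_forward ruleset would match traffic coming from the blacklisted ranges rather than VPN clients' egress to them, so the egress block is not actually applied. The chain these rules land in is defined outside the hunk (the `ct state { established, related } accept` line suggests an input-style chain), so the hook may also need to follow the profile — worth confirming. A minimal fix is to select the match direction next to the set names, `match = "daddr" if usage_profile == "vk_forward" else "saddr"`, and emit `lines.append(f"    ip {match} @{set_v4_name} counter drop")` (and the ip6 counterpart). Relatedly, the first hunk treats any value other than "vk_forward" as vm_input, so a misspelled profile silently produces the vm_input set names; `if usage_profile not in ("vm_input", "vk_forward"): raise ValueError(f"unknown usage_profile: {usage_profile!r}")` at the top of make_nft_config would surface that. The body of make_nft_config spans hunks that are only partly shown here.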