yanistyle/AS_Network_List
1
0
Fork 0
mirror of https://github.com/C24Be/AS_Network_List.git synced 2026-03-30 22:28:50 +03:00
Code Issues Packages Projects Releases Wiki Activity

big update

Browse Source
This commit is contained in:
C24Be
2026-03-27 19:11:52 +01:00
parent 5d9070946d
commit cfed9adddf
32 changed files with 371 additions and 4119 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
generate_nft_blacklist.py
View File

@@ -47,9 +47,13 @@ def make_nft_config(agg_v4, agg_v6, comment=None, usage_profile="vm_input"):
if usage_profile == "vk_forward":
set_v4_name = "blacklist_vk_v4"
set_v6_name = "blacklist_vk_v6"
rule_v4 = f'sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip daddr @{set_v4_name} counter reject'
rule_v6 = f'sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip6 daddr @{set_v6_name} counter reject'
else:
set_v4_name = "blacklist_v4"
set_v6_name = "blacklist_v6"
rule_v4 = f"sudo nft add rule inet filter input ip saddr @{set_v4_name} counter reject"
rule_v6 = f"sudo nft add rule inet filter input ip6 saddr @{set_v6_name} counter reject"
lines = []
lines.append("# Autogenerated nftables blacklist")
@@ -63,13 +67,13 @@ def make_nft_config(agg_v4, agg_v6, comment=None, usage_profile="vm_input"):
if usage_profile == "vk_forward":
lines.append("# # VK egress blocking for VPN clients via NAT/FORWARD")
lines.append("# sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }'")
lines.append(f"# sudo nft add rule inet filter forward iifname \"<VPN_IFACE>\" ip daddr @{set_v4_name} counter reject")
lines.append(f"# sudo nft add rule inet filter forward iifname \"<VPN_IFACE>\" ip6 daddr @{set_v6_name} counter reject")
lines.append(f"# {rule_v4}")
lines.append(f"# {rule_v6}")
else:
lines.append("# # VM protection from incoming blacklist sources")
lines.append("# sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'")
lines.append(f"# sudo nft add rule inet filter input ip saddr @{set_v4_name} counter reject")
lines.append(f"# sudo nft add rule inet filter input ip6 saddr @{set_v6_name} counter reject")
lines.append(f"# {rule_v4}")
lines.append(f"# {rule_v6}")
lines.append("")
lines.append("table inet filter {")
lines.append("")
@@ -82,7 +86,8 @@ def make_nft_config(agg_v4, agg_v6, comment=None, usage_profile="vm_input"):
lines.append(" elements = {")
for i, net in enumerate(agg_v4):
comma = "," if i < len(agg_v4) - 1 else ""
lines.append(f" {net.with_prefixlen}{comma}")
rendered_net = net.with_prefixlen if hasattr(net, "with_prefixlen") else str(net)
lines.append(f" {rendered_net}{comma}")
lines.append(" }")
lines.append(" }")
lines.append("")
@@ -95,23 +100,12 @@ def make_nft_config(agg_v4, agg_v6, comment=None, usage_profile="vm_input"):
lines.append(" elements = {")
for i, net in enumerate(agg_v6):
comma = "," if i < len(agg_v6) - 1 else ""
lines.append(f" {net.with_prefixlen}{comma}")
rendered_net = net.with_prefixlen if hasattr(net, "with_prefixlen") else str(net)
lines.append(f" {rendered_net}{comma}")
lines.append(" }")
lines.append(" }")
lines.append("")
# Define input chain with set lookups
lines.append(" chain input {")
lines.append(" type filter hook input priority 0;")
lines.append(" policy accept;")
lines.append("")
lines.append(" ct state { established, related } accept")
lines.append("")
if agg_v4:
lines.append(f" ip saddr @{set_v4_name} counter drop")
if agg_v6:
lines.append(f" ip6 saddr @{set_v6_name} counter drop")
lines.append(" }")
lines.append("}")
return "\n".join(lines)
@@ -168,9 +162,12 @@ def main(argv):
print("Done.")
print("Load with: sudo nft -f <output.conf>")
print("View counters: sudo nft list chain inet filter input -a")
print("View sets: sudo nft list set inet filter blacklist_v4")
print(" sudo nft list set inet filter blacklist_v6")
if profile == "vk_forward":
print("View sets: sudo nft list set inet filter blacklist_vk_v4")
print(" sudo nft list set inet filter blacklist_vk_v6")
else:
print("View sets: sudo nft list set inet filter blacklist_v4")
print(" sudo nft list set inet filter blacklist_v6")
return 0
if __name__ == "__main__":