
nftables Blacklist Configuration

This folder contains nftables blacklist configurations generated from Russian government agency network lists.

Available Files

  • blacklist.nft - Mixed IPv4/IPv6 blacklist (daily generated)
  • blacklist-v4.nft - IPv4-only blacklist (daily generated)
  • blacklist-v6.nft - IPv6-only blacklist (daily generated)

Quick Start

Download and Load

# Download the blacklist
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist.nft

# Load the configuration
sudo nft -f blacklist.nft

# Verify it's loaded
sudo nft list ruleset

Automatic Updates

Add to crontab for daily updates:

0 2 * * * wget -O /etc/nftables.d/blacklist.nft https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist.nft && nft -f /etc/nftables.d/blacklist.nft

Configuration Details

The generated nftables configuration uses:

  • Sets with interval flag for efficient CIDR matching
  • Named sets (blacklist_v4 and blacklist_v6) for easy management
  • Counter directive to track dropped packets
  • Stateful filtering to allow established connections

Configuration Structure

table inet filter {
    set blacklist_v4 {
        type ipv4_addr
        flags interval
        elements = { 1.2.3.0/24, 5.6.7.0/24, ... }
    }
    set blacklist_v6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::/32, ... }
    }

    chain input {
        type filter hook input priority 0; policy accept;

        ct state { established, related } accept

        ip saddr @blacklist_v4 counter drop
        ip6 saddr @blacklist_v6 counter drop
    }
}

Integration Options

Option 1: Standalone Configuration

Load the blacklist as a complete ruleset:

sudo nft -f blacklist.nft

Option 2: Include in Existing Configuration

If you have an existing nftables configuration:

  1. Copy only the set definitions from the generated file
  2. Add set lookups to your existing input chain:

     ip saddr @blacklist_v4 counter drop
     ip6 saddr @blacklist_v6 counter drop

Option 3: Persistent Configuration

For systemd-based systems:

# Copy to nftables config directory
sudo cp blacklist.nft /etc/nftables.d/

# Edit /etc/nftables.conf to include:
# include "/etc/nftables.d/blacklist.nft"

# Enable and restart
sudo systemctl enable nftables
sudo systemctl restart nftables

Checking IPs Against the Blacklist

Use the check_nft_blacklist.py script to verify whether an IP is blocked:

# Check an IPv4 address
python3 check_nft_blacklist.py blacklist.nft 192.168.1.1

# Check an IPv6 address
python3 check_nft_blacklist.py blacklist.nft 2001:db8::1
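The check script itself is not reproduced in this README. The following is an added example (not the repository's check_nft_blacklist.py) that parses the set definitions in the layout shown under Configuration Structure and tests an address against the CIDR intervals; the embedded .nft text is a constructed sample, not a real download.

```python
import ipaddress
import re

# Constructed sample in the layout this README shows under Configuration
# Structure; it is not a real download from the repository.
SAMPLE_NFT = """
table inet filter {
    set blacklist_v4 {
        type ipv4_addr
        flags interval
        elements = { 1.2.3.0/24, 5.6.7.0/24, 9.9.9.9 }
    }
    set blacklist_v6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::/32 }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state { established, related } accept
        ip saddr @blacklist_v4 counter drop
        ip6 saddr @blacklist_v6 counter drop
    }
}
"""

# A set block runs from "set <name> {" to the first "}" that starts a line.
SET_RE = re.compile(r"\bset\s+(\w+)\s*\{(.*?)\n\s*\}", re.S)
ELEM_RE = re.compile(r"elements\s*=\s*\{(.*?)\}", re.S)

def parse_sets(text):
    """Return {set_name: [ip_network, ...]} for each set with an elements block.
    Bare addresses become /32 or /128 networks so one lookup path serves both."""
    sets = {}
    for name, body in SET_RE.findall(text):
        m = ELEM_RE.search(body)
        if m:
            elems = [e.strip() for e in m.group(1).split(",") if e.strip()]
            sets[name] = [ipaddress.ip_network(e, strict=False) for e in elems]
    return sets

def find_match(sets, addr):
    """Return (set_name, network) of the first interval containing addr, else None."""
    ip = ipaddress.ip_address(addr)
    for name, nets in sets.items():
        for net in nets:
            if net.version == ip.version and ip in net:
                return name, str(net)
    return None
```

To check a downloaded file, read it into a string and pass it to parse_sets instead of SAMPLE_NFT; find_match then reports the set and interval that would cause the drop.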

Monitoring

View Dropped Packets

# View all rules with counters
sudo nft list chain inet filter input -a

# Monitor in real-time
sudo nft monitor

Check Set Contents

# View IPv4 blacklist
sudo nft list set inet filter blacklist_v4

# View IPv6 blacklist
sudo nft list set inet filter blacklist_v6

Advantages of nftables

  • Better Performance: O(1) lookup time with sets vs O(n) for sequential rules
  • Lower Memory Usage: More efficient than iptables for large rulesets
  • Atomic Updates: All rules updated in a single transaction
  • Modern Syntax: Cleaner, more readable configuration
  • Unified Tool: Single tool for IPv4, IPv6, and ARP filtering

File Format Comparison

Format      Use Case           Performance   Memory
nftables    Modern firewalls   Excellent     Low
iptables    Legacy systems     Good          Medium
nginx       Web layer          Good          Low

Troubleshooting

Configuration Won't Load

# Check syntax
sudo nft -c -f blacklist.nft

# View detailed errors
sudo nft -f blacklist.nft 2>&1 | less

Rules Not Blocking Traffic

# Verify sets are populated
sudo nft list set inet filter blacklist_v4 | wc -l

# Check rule priority
sudo nft list chain inet filter input

# Test with logging temporarily
sudo nft add rule inet filter input ip saddr @blacklist_v4 log prefix "BLOCKED: "

Performance Issues

If you experience performance problems with very large sets:

  1. Consider splitting into multiple smaller sets
  2. Use blacklist-v4.nft or blacklist-v6.nft if only one protocol is needed
  3. Ensure kernel supports nftables fully (Linux 4.0+)

Additional Resources

Contributing

Found an issue or have suggestions? Please open an issue or submit a pull request!