pkgs/generate-blocked-prefixes: Deduplicate prefixes before generating firewall rules

2025-08-14 20:20:33 +02:00
parent 13b8ccd087
commit 643478b724
2 changed files with 112 additions and 763 deletions
--- a/pkgs/generate-blocked-prefixes/generate-blocked-prefixes.py
+++ b/pkgs/generate-blocked-prefixes/generate-blocked-prefixes.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python3

+import ipaddress
 import requests

 blocked_asns = [
@@ -8,16 +9,31 @@ blocked_asns = [

 r = requests.get('https://bgp.tools/table.txt', stream=True, headers={
    "User-Agent": "https://git.clerie.de/clerie/nixfiles",
-    })
+})
+
+selected_ipv6_prefixes = []
+selected_ipv4_prefixes = []
+
+for line in r.iter_lines(decode_unicode=True):
+    prefix_string, asn_string = line.split()
+
+    if asn_string in blocked_asns:
+        prefix = ipaddress.ip_network(prefix_string)
+
+        if prefix.version == 6:
+            selected_ipv6_prefixes.append(prefix)
+        else:
+            selected_ipv4_prefixes.append(prefix)
+
+selected_ipv6_prefixes = list(ipaddress.collapse_addresses(selected_ipv6_prefixes))
+selected_ipv4_prefixes = list(ipaddress.collapse_addresses(selected_ipv4_prefixes))
+
+selected_ipv6_prefixes.sort()
+selected_ipv4_prefixes.sort()

 with open("hosts/web-2/blocked-prefixes.txt", "w") as blocked_ips_file:
-    for line in r.iter_lines(decode_unicode=True):
-        ip, asn = line.split()
-
-        if asn in blocked_asns:
-            if ":" in ip:
-                blocked_ips_file.write(f"ip6tables -I nixos-fw -s {ip} -j nixos-fw-refuse\n")
-            else:
-                blocked_ips_file.write(f"iptables -I nixos-fw -s {ip} -j nixos-fw-refuse\n")
-
+    for ipv6_prefix in selected_ipv6_prefixes:
+            blocked_ips_file.write(f"ip6tables -I nixos-fw -s {ipv6_prefix} -j nixos-fw-refuse\n")

+    for ipv4_prefix in selected_ipv4_prefixes:
+            blocked_ips_file.write(f"iptables -I nixos-fw -s {ipv4_prefix} -j nixos-fw-refuse\n")