https://github.com/mweinelt/nft-prefix-import
Populate nftables sets with prefixes for selected autonomous systems
- Host: GitHub
- URL: https://github.com/mweinelt/nft-prefix-import
- Owner: mweinelt
- License: eupl-1.2
- Created: 2025-08-26T02:55:11.000Z (10 months ago)
- Default Branch: main
- Last Pushed: 2025-08-27T23:50:07.000Z (10 months ago)
- Last Synced: 2025-09-14T18:09:04.846Z (9 months ago)
- Topics: abuse, bgp, network, nftables
- Language: Python
- Homepage:
- Size: 18.6 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: COPYING
README
# nft-prefix-import
Tool to import prefixes for whole autonomous systems into nftables sets for
efficient matching in subsequent firewalling decisions.
## Usage
To use `nft-prefix-import` we source routing information from
. The terms say to not request data more often than every
two hours and to provide a useful user-agent where you can be contacted.
To that end, the tool caches the downloaded routing information and reuses
it for up to two hours before requesting new data.
```shell
$ nft-prefix-import --help
Usage: nft-prefix-import [OPTIONS] AUTNUMS...

Arguments:
  AUTNUMS...          List of autonomous systems (AS) numbers  [required]

Options:
  --user-agent TEXT   [env var: USER_AGENT; required]
  --table TEXT        Table in nftables to target  [default: filter]
  --ipv4set TEXT      Set for IPv4 prefixes  [default: ipv4prefixes]
  --ipv6set TEXT      Set for IPv6 prefixes  [default: ipv6prefixes]
  --help              Show this message and exit.
```
## Example
The following example shows a possible nftables structure that works with the default settings.
```nft
table inet filter {
    set ipv4prefixes {
        type ipv4_addr;
        flags interval, timeout;
        auto-merge;
        timeout 12h;
    }
    set ipv6prefixes {
        type ipv6_addr;
        auto-merge;
        flags interval, timeout;
        timeout 12h;
    }
    chain input {
        type filter hook input priority filter;
        # other rules here
        # block access to https for selected autnums
        ip saddr @ipv4prefixes tcp dport 443 counter drop;
        ip6 saddr @ipv6prefixes tcp dport 443 counter drop;
        # other rules here
    }
}
```
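The two pieces the README describes, the two-hour reuse window for cached routing data and populating the `ipv4prefixes`/`ipv6prefixes` sets of the `inet filter` table above, can be sketched in a few lines. The following is an added example written for this page, not code from the `nft-prefix-import` project: the function names, the cache-file layout and the constructed prefix list are assumptions, and the output is an `nft -f -` batch rather than whatever interface the tool itself uses. It normalises and validates each prefix with the standard `ipaddress` module, so a malformed entry raises instead of silently landing in a blocking set, and it flushes and refills each set inside one batch, which nftables applies atomically, so there is no moment at which the set is empty and the drop rule lets everything through.

```python
"""Added example (not the project's code): decide whether a cached download may
be reused, then emit an nftables batch that refreshes the README's two sets."""
import ipaddress
import time
from pathlib import Path

# The README states that cached routing data is reused for up to two hours.
CACHE_MAX_AGE_SECONDS = 2 * 60 * 60


def cache_is_fresh(mtime: float, now: float,
                   max_age: float = CACHE_MAX_AGE_SECONDS) -> bool:
    """True when data written at `mtime` is still inside the reuse window.

    A modification time in the future is not trusted either: a clock jump
    should trigger a fresh download rather than extend the cache lifetime.
    """
    return 0 <= now - mtime < max_age


def cache_file_is_fresh(path: Path,
                        max_age: float = CACHE_MAX_AGE_SECONDS) -> bool:
    """Filesystem wrapper (assumed layout: one cache file per run)."""
    if not path.is_file():
        return False
    return cache_is_fresh(path.stat().st_mtime, time.time(), max_age)


def split_prefixes(prefixes):
    """Validate prefixes and split them by address family.

    Host bits are stripped (strict=False), so '192.0.2.5/24' becomes
    '192.0.2.0/24'. Anything that is not a valid prefix raises ValueError
    instead of being loaded into a set that feeds a drop rule. Duplicates are
    removed and the result is sorted so the generated batch is reproducible.
    """
    v4, v6 = set(), set()
    for p in prefixes:
        net = ipaddress.ip_network(p.strip(), strict=False)
        (v4 if net.version == 4 else v6).add(net)
    return [str(n) for n in sorted(v4)], [str(n) for n in sorted(v6)]


def add_element_line(family, table, setname, elements):
    """One `add element` statement; nft takes a comma-separated element list."""
    return f"add element {family} {table} {setname} {{ {', '.join(elements)} }}"


def build_nft_batch(prefixes, table="filter", ipv4set="ipv4prefixes",
                    ipv6set="ipv6prefixes", family="inet"):
    """Lines for `nft -f -`, using the README's default table and set names.

    Each set is flushed and refilled in the same batch. nft applies a file as
    one transaction, so prefixes that stopped being announced disappear and the
    set is never observed empty in between. An AS with no prefixes in a family
    still gets that set flushed, because the old entries would be stale.
    """
    v4, v6 = split_prefixes(prefixes)
    lines = []
    for setname, elements in ((ipv4set, v4), (ipv6set, v6)):
        lines.append(f"flush set {family} {table} {setname}")
        if elements:
            lines.append(add_element_line(family, table, setname, elements))
    return lines


if __name__ == "__main__":
    # Constructed sample input (documentation ranges), not real routing data.
    sample = ["198.51.100.0/24", "2001:db8::/32", "192.0.2.5/24", "192.0.2.0/24"]
    cache = Path("routing-cache.json")  # assumed cache file name
    print(f"# cache fresh: {cache_file_is_fresh(cache)}")
    print("\n".join(build_nft_batch(sample)))
```

Pipe the printed lines into `nft -f -` to load them; because the `flush set` and `add element` statements travel in one file, the kernel sees a single ruleset transaction. The set `timeout 12h` from the example structure still acts as a backstop: if the importer stops running, stale prefixes age out on their own instead of blocking traffic indefinitely.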