
given this global nftables configuration:

$ cat /etc/nftables.conf
#!/usr/sbin/nft -f
# Global ruleset: one "inet" (IPv4 + IPv6) filter table with empty base chains
# on the input, forward and output hooks, followed by every snippet found under
# /etc/nftables.d/. No "policy" is given on the chains, so each keeps nftables'
# default policy (accept) — this file by itself does not restrict any traffic.

# Start from an empty ruleset on every load. Because the included snippets are
# loaded after this, any set they define starts empty again: entries added at
# runtime (e.g. "nft add element ...") do not survive a reload of this file.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0;
    }
    chain forward {
        type filter hook forward priority 0;
    }
    chain output {
        type filter hook output priority 0;
    }
}

# Drop-in snippets; each may define its own table and chains.
include "/etc/nftables.d/*.conf"

create this local configuration snippet:

$ cat /etc/nftables.d/blackhole.conf
#!/usr/sbin/nft -f
# Blackhole snippet: drop inbound IPv4 packets whose source address is listed
# in the "clients" set. The set is empty when this file is loaded and is
# populated at runtime with "nft add/delete element inet blackhole clients".

table inet blackhole {
  # IPv4 only — IPv6 sources cannot be listed here.
  # "interval": elements may be prefixes/ranges, not just single addresses.
  # "timeout": elements may carry an expiry; elements added without an
  # explicit timeout stay until deleted.
  set clients {
    type ipv4_addr
    size 65536             # maximum number of elements in the set
    flags interval,timeout
  }

  # priority -10 runs before the "filter" input chain (priority 0), so
  # blackholed sources are dropped before any other input rule sees them.
  # "return" ends this chain for the packet; with "policy accept" that means
  # the blackhole check is skipped for that interface.
  chain input {
    type filter hook input priority -10; policy accept;
    iifname "lo" return
    # NOTE(review): "disce" is presumably a trusted (management/VPN?) interface
    # whose traffic must never be blackholed — confirm.
    iifname "disce" return
    # "counter" keeps per-rule packet/byte statistics (visible in
    # "nft list ruleset"), useful to see whether the blackhole is hit.
    ip saddr @clients counter drop
  }
}

use this script to list, add or remove space-separated prefixes (IPs or subnets) in the set that blackhole rule matches on:

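#!/bin/bash
# Manage the IPv4 blackhole set "clients" in table "inet blackhole"
# (see /etc/nftables.d/blackhole.conf): list its contents, or add/delete
# space-separated IPv4 addresses or CIDR prefixes.
#
# Usage: script [-a|-d] prefix ... | script -l
#   -a   add the given prefixes (default)
#   -d   delete the given prefixes
#   -l   print the current contents of the set and exit
#
# Needs the privileges nft requires to modify the ruleset (root or
# CAP_NET_ADMIN). Exit status: 0 when every element was applied, 1 when at
# least one element was rejected (here, or by nft), 2 on a usage error.
#
# Each argument is spliced into nft's own command grammar, so arguments are
# validated as plain IPv4 addresses/prefixes before being handed to nft;
# anything else (IPv6, ranges, stray punctuation) is refused with a message.
set -euo pipefail

readonly TABLE_FAMILY="inet"
readonly TABLE_NAME="blackhole"
readonly SET_NAME="clients"

# Print usage to stderr and exit with status 2.
usage() {
  printf 'Usage: %s [-a|-d|-l] ip ip ... ip\n' "${0##*/}" >&2
  exit 2
}

# Return 0 when $1 is a dotted-quad IPv4 address with an optional
# /prefix-length, 1 otherwise. Octet and prefix-length ranges are left to
# nft to check; this only guarantees the value contains nothing but digits,
# dots and an optional slash.
is_ipv4_prefix() {
  local candidate=$1
  local re='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
  [[ "$candidate" =~ $re ]]
}

main() {
  local action="add"
  local opt

  (( $# >= 1 )) || usage

  while getopts ':adl' opt; do
    case "$opt" in
      a) action="add" ;;
      d) action="delete" ;;
      l)
        # Listing modifies nothing; exec so nft's exit status is the script's.
        exec nft list set "$TABLE_FAMILY" "$TABLE_NAME" "$SET_NAME"
        ;;
      *) usage ;;
    esac
  done
  shift $((OPTIND - 1))

  local failures=0
  local prefix
  for prefix in "$@"; do
    if ! is_ipv4_prefix "$prefix"; then
      printf 'skipping %q: not an IPv4 address or prefix\n' "$prefix" >&2
      failures=$((failures + 1))
      continue
    fi
    # One nft call per element so a single rejected element (e.g. an
    # address that is not in the set on delete) does not abort the rest.
    # nft joins its arguments with spaces, so "{ x }" may be passed as one word.
    if ! nft "$action" element "$TABLE_FAMILY" "$TABLE_NAME" "$SET_NAME" "{ $prefix }"; then
      failures=$((failures + 1))
    fi
  done

  (( failures == 0 )) || exit 1
}

main "$@"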