feat(modules/dgn-firewall): Ban specific ASNs

REUSE.toml

@@ -2,7 +2,7 @@ version = 1
 [[annotations]]
 SPDX-FileCopyrightText = "NONE"
 SPDX-License-Identifier = "CC0-1.0"
-path = ["**/.envrc", "**/Cargo.lock", "**/_hardware-configuration.nix", ".gitignore", "REUSE.toml", "shell.nix"]
+path = ["**/.envrc", "**/Cargo.lock", "**/_hardware-configuration.nix", ".gitignore", "REUSE.toml", "shell.nix", "modules/nixos/dgn-firewall/asn/*"]
 precedence = "closest"
 
 [[annotations]]

default.nix

@@ -70,6 +70,7 @@ let
       ".gitignore"
       "REUSE.toml"
       "shell.nix"
+      "modules/nixos/dgn-firewall/asn/*"
     ];
 
     annotations = [

modules/nixos/dgn-firewall/asn/AS63293.json

@@ -0,0 +1 @@
+{"v4":["102.132.112.0/24","102.132.113.0/24","102.132.114.0/24","102.132.115.0/24","102.132.115.0/24","102.132.116.0/24","102.132.117.0/24","102.132.118.0/24","102.132.119.0/24","102.132.120.0/24","102.132.121.0/24","102.132.122.0/24","102.132.123.0/24","102.132.124.0/24","102.132.125.0/24","102.132.126.0/24","102.132.127.0/24","102.221.188.0/24","102.221.189.0/24","102.221.190.0/24","102.221.191.0/24","129.134.128.0/24","129.134.129.0/24","129.134.130.0/24","129.134.131.0/24","129.134.132.0/24","129.134.135.0/24","129.134.136.0/24","129.134.137.0/24","129.134.138.0/24","129.134.139.0/24","129.134.140.0/24","129.134.143.0/24","129.134.144.0/24","129.134.147.0/24","129.134.148.0/24","129.134.149.0/24","129.134.150.0/24","129.134.154.0/24","129.134.155.0/24","129.134.156.0/24","129.134.157.0/24","129.134.158.0/24","129.134.159.0/24","129.134.160.0/24","129.134.160.0/26","129.134.161.0/24","129.134.162.0/24","129.134.163.0/24","129.134.164.0/24","129.134.165.0/24","129.134.168.0/24","129.134.169.0/24","129.134.170.0/24","129.134.171.0/24","129.134.172.0/24","129.134.173.0/24","129.134.174.0/24","129.134.175.0/24","129.134.176.0/24","129.134.177.0/24","129.134.178.0/24","129.134.179.0/24","129.134.180.0/24","129.134.181.0/24","129.134.182.0/24","129.134.183.0/24","129.134.184.0/24","129.134.185.0/24","129.134.186.0/24","129.134.187.0/24","129.134.188.0/24","129.134.189.0/24","129.134.190.0/24","129.134.191.0/24","157.240.128.0/24","157.240.129.0/24","157.240.131.0/24","157.240.155.0/24","157.240.156.0/24","157.240.157.0/24","157.240.158.0/24","157.240.159.0/24","157.240.160.0/24","157.240.169.0/24","157.240.170.0/24","157.240.172.0/24","157.240.173.0/24","157.240.173.0/24","157.240.174.0/24","157.240.175.0/24","157.240.176.0/24","157.240.176.0/24","157.240.177.0/24","157.240.178.0/24","157.240.179.0/24","157.240.179.0/24","157.240.180.0/24","157.240.181.0/24","157.240.182.0/24","157.240.183.0/24","157.240.184.0/24","157.240.185.0/24","157.240.186.0/24","157.240.187.0/24","157.240.188.0/24","157.240.189.0/24","157.240.190.0/24","157.240.191.0/24","196.49.68.0/23"],"v6":["2a03:2887:ff00::/48","2a03:2887:ff02::/48","2a03:2887:ff03::/48","2a03:2887:ff04::/48","2a03:2887:ff05::/48","2a03:2887:ff06::/48","2a03:2887:ff07::/48","2a03:2887:ff08::/48","2a03:2887:ff09::/48","2a03:2887:ff0a::/48","2a03:2887:ff18::/48","2a03:2887:ff19::/48","2a03:2887:ff19::/48","2a03:2887:ff1b::/48","2a03:2887:ff1c::/48","2a03:2887:ff1d::/48","2a03:2887:ff1e::/48","2a03:2887:ff1f::/48","2a03:2887:ff21::/48","2a03:2887:ff23::/48","2a03:2887:ff24::/48","2a03:2887:ff25::/48","2a03:2887:ff27::/48","2a03:2887:ff28::/48","2a03:2887:ff29::/48","2a03:2887:ff2a::/48","2a03:2887:ff2b::/48","2a03:2887:ff2e::/48","2a03:2887:ff2f::/48","2a03:2887:ff30::/48","2a03:2887:ff33::/48","2a03:2887:ff35::/48","2a03:2887:ff36::/48","2a03:2887:ff37::/48","2a03:2887:ff38::/48","2a03:2887:ff39::/48","2a03:2887:ff3a::/48","2a03:2887:ff3b::/48","2a03:2887:ff3f::/48","2a03:2887:ff40::/48","2a03:2887:ff41::/48","2a03:2887:ff42::/48","2a03:2887:ff43::/48","2a03:2887:ff44::/48","2a03:2887:ff45::/48","2a03:2887:ff48::/48","2a03:2887:ff49::/48","2a03:2887:ff4a::/48","2a03:2887:ff4b::/48","2a03:2887:ff4d::/48","2a03:2887:ff4e::/48","2a03:2887:ff4f::/48","2a03:2887:ff50::/48","2a03:2887:ff51::/48","2a03:2887:ff52::/48","2a03:2887:ff53::/48","2a03:2887:ff54::/48","2a03:2887:ff55::/48","2a03:2887:ff56::/48","2a03:2887:ff57::/48","2a03:2887:ff58::/48","2a03:2887:ff59::/48","2a03:2887:ff60::/48","2a03:2887:ff61::/48","2a03:2887:ff62::/48","2a03:2887:ff63::/48","2a03:2887:ff64::/48","2a03:2887:ff65::/48","2a03:2887:ff66::/48","2a03:2887:ff67::/48","2a03:2887:ff68::/48","2a03:2887:ff69::/48","2a03:2887:ff70::/48","2a10:f781:10:cee0::/64","2c0f:ef78::/48","2c0f:ef78:1::/48","2c0f:ef78:3::/48","2c0f:ef78:3::/48","2c0f:ef78:5::/48","2c0f:ef78:6::/48","2c0f:ef78:9::/48","2c0f:ef78:c::/48","2c0f:ef78:d::/48","2c0f:ef78:e::/48","2c0f:ef78:f::/48","2c0f:ef78:10::/48","2c0f:ef78:11::/48","2c0f:ef78:12::/48"]}

modules/nixos/dgn-firewall/default.nix

@@ -11,6 +11,8 @@
 
 let
   inherit (lib)
+    catAttrs
+    concatLists
     concatStringsSep
     length
     optionalAttrs
@@ -28,11 +30,58 @@ let
   nft = s: [ "nft" ] ++ [ s ];
 
   streams' = import ./streams.nix;
+
+  data = builtins.map (id: builtins.fromJSON (builtins.readFile ./asn/${id}.json)) [
+    # Alibaba
+    "AS37963"
+    "AS45102"
+    "AS24429"
+
+    # Meta
+    "AS32934"
+    "AS63293"
+
+    # Amazon
+    "AS16509"
+  ];
+
+  getElements = v: concatStringsSep "," (concatLists (catAttrs v data));
 in
 
 {
   # Switch to nftables
-  networking.nftables.enable = true;
+  networking.nftables = {
+    enable = true;
+
+    tables.asn-ban = {
+      family = "inet";
+      content = ''
+        set blocked_v4 {
+          type ipv4_addr
+          flags interval
+          elements = {
+            ${getElements "v4"}
+          }
+          auto-merge
+        }
+
+        set blocked_v6 {
+          type ipv6_addr
+          flags interval
+          elements = {
+            ${getElements "v6"}
+          }
+          auto-merge
+        }
+
+        chain output {
+          type filter hook input priority 0; policy accept
+          ip saddr @blocked_v4 drop
+          ip6 saddr @blocked_v6 drop
+        }
+      '';
+    };
+  };
 
   services.reaction = {
     enable = true;