Geo Filtering for nftables Brings Simplicity & Flexibility to Geolocation Matching

robi

This looks like a good upgrade, simplifying the blocklist use case.

https://github.com/wirefalls/geo-nft

Geolocation for nftables is a Bash script to create nftables sets of country specific IP address ranges for use with firewall rulesets. The project provides a simple and flexible way to implement geolocation filtering with nftables.

• A script written for the widely used Bash shell.
• Easy to set up, configure and customize with source code that's heavily commented.
• Uses the free geolocation database from db-ip.com (no EULA to accept).
• Automatically generates country-specific nftables address range sets.
• The script has a small memory footprint to run well on systems with limited RAM. A flexible configuration allows loading only minimum sets required if memory is tight.
• User settings are stored in a standard configuration file rather than using command line arguments.
• Packets can be geolocation filtered with a single nftables rule rather than two rules to mark and match packets like nftables map based solutions.
• The script allows access to all of the valid country code address ranges in the database.
• Automatically determines your installed version of nftables and recommends the correct "include" statements for your ruleset. The script also creates "include-all" files to allow you to include all geolocation sets with a single reference on older versions of nftables that don't support include wildcards.
• The User Guide explains how to define all element definitions for geolocation sets in one file, eliminating the chance of having out-of-sync definitions in multiple files when flushing and refilling sets with new data.
• Simplified directory structure to shorten "include" path names.
  The script creates ~500 IPv4 and IPv6 set files from the geolocation database in about 10 seconds on a low power quad-core 2200ge server with SSD storage.
• Tested on Ubuntu Server, Fedora Server, and Raspberry Pi OS.