From bb56f0fb9a8a944efb8a746fcbfac9b82172b225 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 21 Jan 2024 11:44:13 +0100
Subject: [PATCH] bundles/nftables: add feature to block ips
---
 bundles/nftables/files/nftables.conf | 7 +++++++
 bundles/nftables/items.py | 2 ++
 2 files changed, 9 insertions(+)
diff --git a/bundles/nftables/files/nftables.conf b/bundles/nftables/files/nftables.conf
index 83bf07f..c39e8be 100644
--- a/bundles/nftables/files/nftables.conf
+++ b/bundles/nftables/files/nftables.conf
@@ -14,6 +14,13 @@ table inet filter {
 iif lo accept
+% for address in sorted(blocked_v4):
+ ip saddr ${address} drop
+% endfor
+% for address in sorted(blocked_v6):
+ ip6 saddr ${address} drop
+% endfor
+ icmp type timestamp-request drop
 icmp type timestamp-reply drop
 ip protocol icmp accept
diff --git a/bundles/nftables/items.py b/bundles/nftables/items.py
index 96eebcf..9bbe11f 100644
--- a/bundles/nftables/items.py
+++ b/bundles/nftables/items.py
@@ -17,6 +17,8 @@ files = {
 '/etc/nftables.conf': {
 'content_type': 'mako',
 'context': {
+ 'blocked_v4': node.metadata.get('nftables/blocked_v4', set()),
+ 'blocked_v6': node.metadata.get('nftables/blocked_v6', set()),
 'forward': node.metadata.get('nftables/forward', {}),
 'input': node.metadata.get('nftables/input', {}),
 'postrouting': node.metadata.get('nftables/postrouting', {}),
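Review bot: The `ip saddr ${address} drop` and `ip6 saddr ${address} drop` lines interpolate each metadata entry verbatim into the ruleset, so any entry that is not a valid address or prefix for that family (or an IPv6 entry that landed in `blocked_v4`) makes `nft -f` reject the whole file; the template has no way to check this, so the values should be validated where they are collected in items.py (second hunk). As a style point, nftables takes address lists natively, so one rule per family over an anonymous set keeps the rule count constant however long the list grows: `% if blocked_v4:` / `ip saddr { ${', '.join(sorted(blocked_v4))} } drop` / `% endif`, with the guard because an empty `{ }` is itself a syntax error. `sorted()` on the strings gives deterministic output but lexicographic rather than numeric order, which is fine for a config diff. The enclosing chain begins above the hunk, so I cannot tell from here which hook these drops apply to.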
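Review bot: `node.metadata.get('nftables/blocked_v4', set())` and the `blocked_v6` line pass the raw metadata values to the template with no check that each entry is an address or prefix of the right family, so a hostname, a typo, or a v6 entry in the v4 set renders as a rule that `nft -f` rejects, and a failed reload may leave the host without the intended ruleset. Since the template renders each entry into nft syntax unescaped, this boundary is also the right place to constrain what reaches the config at all. Validate here with the stdlib `ipaddress` module (imported at the top of items.py) and fail the build on a bad entry instead of shipping it; the helper below also normalises each entry to its canonical string. Whether a rejected reload is fail-open or fail-closed depends on the service unit, which is outside this diff, and `files = {` starts above the hunk.
```python
def _validated_networks(key, version):
    # Reject anything nft would refuse before it reaches the template and
    # raise at build time; strict=False accepts prefixes written with host
    # bits set and normalises them to the network address.
    result = set()
    for raw in node.metadata.get(key, set()):
        network = ipaddress.ip_network(raw, strict=False)
        if network.version != version:
            raise ValueError(f"{key}: {raw!r} is not an IPv{version} address or prefix")
        result.add(str(network))
    return result

# … unchanged: files = { '/etc/nftables.conf': { 'content_type': 'mako', 'context': { …
            'blocked_v4': _validated_networks('nftables/blocked_v4', 4),
            'blocked_v6': _validated_networks('nftables/blocked_v6', 6),
# … unchanged: forward, input, postrouting …
```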