Before VyOS 1.4 and the move to nftables, we (ADESTIS) had a blacklisting solution for VyOS that was based on script files and the task scheduler.
During that time it was easy to manipulate ipsets.
With VyOS 1.4 and nftables this is different, so my plan was to implement a blacklisting solution within VyOS itself
that can be configured through the VyOS config.
The plan is to create a Python module for the implementation itself so that, if needed, it could be reused from other parts of VyOS.
To discuss the features, I think it's a good starting point to outline the configuration structure, because it makes it easier to understand the different parts:
firewall
  blacklisting
    settings
      abuseipdb
        key
    group <group-name>
      scheduling
        task <task-name>
      sources
        generic-source <url>
        abuseipdb
          - confidence-level <level>
      filter
        network <prefix>
        firewall-group <group-name>
      destination
        file <location>
        firewall-group <group-name>
      events
        - after-update
          - script <location>
          - [arguments]
        - before-update
          - script <location>
          - [arguments]
(Common entries like description and disable are not listed here but are planned for all nodes/tagnodes.)
The plan is to have one or multiple blacklisting groups, each of which can query either generic URLs or specific sources (at the moment we only have AbuseIPDB).
The collection and aggregation of the data is done according to the schedules.
Here it would be nice to reuse the existing system task-scheduler, but for the moment that could be hard because it is not implemented as a module.
(So there might be a separate task to first make it modular.)
The aggregated data could then be filtered to remove whitelisted entries.
The filtered data could then be pushed out to either a file or a firewall group.
For the last option another type of firewall group is required (if https://vyos.dev/T5493 already exists by then, maybe that could be used).
I am currently planning with events so that custom actions could be triggered before and after updates.
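To make the collect/aggregate/filter/destination pipeline above concrete, here is an added example of what the core of such a Python module could look like. It is not VyOS or ADESTIS code; the function names, the one-entry-per-line generic feed and the simplified AbuseIPDB JSON shape (with a per-entry confidence score) are all assumptions, and the feed contents are constructed.

```python
import ipaddress
import json

# Constructed stand-in for a generic-source feed: one IP or prefix per line,
# with a comment, a duplicate and a malformed line to exercise the parser.
GENERIC_SOURCE = """# constructed feed
203.0.113.7
198.51.100.0/24
203.0.113.7
bogus-line
"""

# Constructed stand-in for an AbuseIPDB-style response (simplified shape,
# assumed for this example, not the real API's document).
ABUSEIPDB_RESPONSE = json.dumps({"data": [
    {"ipAddress": "192.0.2.10", "abuseConfidenceScore": 100},
    {"ipAddress": "192.0.2.20", "abuseConfidenceScore": 40},
    {"ipAddress": "10.0.0.5", "abuseConfidenceScore": 95},
]})


def parse_generic(text):
    """Collect networks from a generic-source feed, skipping bad lines."""
    nets = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # one malformed line must not abort the whole update
    return nets


def parse_abuseipdb(text, confidence_level):
    """Keep only entries at or above the configured confidence-level."""
    return {ipaddress.ip_network(e["ipAddress"])
            for e in json.loads(text)["data"]
            if e["abuseConfidenceScore"] >= confidence_level}


def apply_filter(nets, whitelist):
    """Drop entries contained in a whitelisted 'filter network <prefix>'."""
    wl = [ipaddress.ip_network(p, strict=False) for p in whitelist]
    return {n for n in nets
            if not any(n.version == w.version and n.subnet_of(w) for w in wl)}


def build_group(generic_text, abuse_text, confidence_level, whitelist):
    """Aggregate both source types, filter, and return a sorted prefix list."""
    nets = parse_generic(generic_text) | parse_abuseipdb(abuse_text, confidence_level)
    kept = apply_filter(nets, whitelist)
    return [str(n) for n in sorted(kept, key=lambda n: (n.version, n))]
```

The returned list is what the destination step would write to a file or load into the firewall group; a blacklisted prefix that merely overlaps (rather than sits inside) a whitelisted one is deliberately kept.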