Summary
Add list of networks to firewall/group/network-group for PBR from file.
Use case
In China, Google/Facebook/X are blocked, which is why I tried to add clash support to VyOS.
I planned to import a list of China IANA networks; in PBR I can then add a rule so that, if the destination matches, traffic does not go through the VPN (clash or others).
With PBR, I can also add source-matching rules to have all traffic from some clients forwarded to the VPN.
On UBNT, I wrote a script that performs ipset -! add. I planned to do something similar, but nftables doesn't have a comparably simple command.
My new plan is:
- add a config node like set firewall group network-group CHINA_IP source-file path-to-list-file; nat.py reads the list and adds its entries to the network list; source-file and network can be mutually exclusive.
- add an op-mode command like update firewall-group CHINA_IP to reload the group from the list-file.
Users write their own scripts to maintain the list-file.
The list-file uses a simple format: one network per line.
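As an added illustration of the importer the plan describes (example code, not part of this task or of VyOS), the snippet below parses a one-network-per-line list-file, validates and deduplicates the entries, and renders them both as VyOS set commands for a network-group and as an nft script that replaces the set contents in one transaction, which is the nftables counterpart of the ipset -! add loop. The sample list is constructed; the table name inet vyos_filter and the set name N_CHINA_IP are assumptions about how the group would be named in nftables, and the function names are hypothetical.

```python
import ipaddress
from typing import List

# Constructed sample list-file contents (not a real China IP list). It mixes
# comments, blank lines, a duplicate, a bare host address and an invalid line
# to show what a tolerant importer has to cope with.
SAMPLE_LIST = """\
# constructed example list-file, one network per line
1.0.1.0/24
1.0.2.0/23
1.0.2.0/23      # duplicate, must be ignored
1.0.8.0/21

10.0.0.1        # host address, normalised to /32
not-a-network   # invalid, must be skipped rather than abort the reload
"""


def parse_network_list(text: str) -> List[ipaddress.IPv4Network]:
    """Parse a list-file into validated, deduplicated IPv4 networks.

    Blank lines and '#' comments are ignored. Entries that are not valid IPv4
    prefixes are skipped so that one bad line does not break the whole reload.
    strict=False clears host bits (10.0.0.1 -> 10.0.0.1/32, 1.2.3.4/24 -> 1.2.3.0/24).
    """
    seen = set()
    networks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.IPv4Network(line, strict=False)
        except ValueError:
            # A production importer would log the offending line number here.
            continue
        if net in seen:
            continue
        seen.add(net)
        networks.append(net)
    return networks


def to_vyos_commands(group: str, networks) -> List[str]:
    """Render the networks as 'set firewall group network-group ... network ...' commands."""
    return [
        f"set firewall group network-group {group} network {n.with_prefixlen}"
        for n in networks
    ]


def to_nft_script(table: str, set_name: str, networks) -> str:
    """Render an nft script (for 'nft -f') that atomically replaces the set contents.

    'flush set' followed by 'add element' in the same file is applied as one
    transaction, so packets never see a half-loaded group during a reload.
    """
    elements = ", ".join(n.with_prefixlen for n in networks)
    return (
        f"flush set {table} {set_name}\n"
        f"add element {table} {set_name} {{ {elements} }}\n"
    )


if __name__ == "__main__":
    nets = parse_network_list(SAMPLE_LIST)
    print("\n".join(to_vyos_commands("CHINA_IP", nets)))
    # Assumed nftables naming: table inet vyos_filter, set N_CHINA_IP.
    print(to_nft_script("inet vyos_filter", "N_CHINA_IP", nets))
```

The nft script is the part that replaces the UBNT ipset loop: writing it to a file and running nft -f on it reloads the whole group in one step, and the flush-then-add pairing means a failed parse leaves the old contents untouched instead of a partially emptied set.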
Additional information
There is geoip in firewall/ipvX but not in firewall/group.
Several GitHub projects publish such lists:
https://github.com/17mon/china_ip_list
https://github.com/ruijzhan/chnroute