**Summary**
Add list of networks to firewall/group/network-group for PBR from file.
**Use case**
In China, Google/Facebook/X are blocked; that's why I tried to add clash support on VyOS.
I planned to import a list of China IANA networks; in PBR I can add a rule so that, if the destination matches, traffic would not go through the VPN (clash or others).
With PBR, I can also add source matching rules to let traffic from some clients be forwarded to the VPN.
On UBNT, I wrote a script to perform `ipset -! add`. I planned to do something similar, but nftables doesn't have a similarly simple command.
My new plan is:
1. Add a cfg node like `set firewall group network-group CHINA_IP source-file path-to-list-file`; nat.py reads the list and adds it to the network list. source-file and network can be mutually exclusive.
2. Add an op command like `update firewall-group CHINA_IP` to reload from the list-file.
Users write their own scripts to maintain the list-file.
The list-file uses a simple format, one network per line.
**Additional information**
There is geoip in firewall/ipvX but not in firewall/group.
Several GitHub projects provide such lists:
https://github.com/17mon/china_ip_list
https://github.com/ruijzhan/chnroute
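
An added example, not part of the original request and not VyOS code: one way a reload step could validate a one-network-per-line list-file before it reaches nftables, since the file is maintained by external scripts and should be treated as untrusted input. The function names, the table name `example_table` and the set name `N_CHINA_IP` are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample list-file (documentation prefixes, not real data).
SAMPLE = """\
# one network per line
192.0.2.0/24
198.51.100.0/25
198.51.100.128/25

203.0.113.7
2001:db8::/32
10.0.0.1/8
not-a-network; flush ruleset
"""

def parse_list(text, version=4):
    """Return (collapsed networks, rejected (lineno, raw) pairs)."""
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=True refuses prefixes with host bits set, e.g. 10.0.0.1/8
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            rejected.append((lineno, raw))
            continue
        if net.version == version:
            nets.append(net)
        else:
            rejected.append((lineno, raw))
    # Merge adjacent and overlapping prefixes so the set has no conflicting intervals.
    return list(ipaddress.collapse_addresses(nets)), rejected

def render_reload(table, set_name, nets, family="ip"):
    """Build an nft script that replaces the set contents in one transaction."""
    for ident in (family, table, set_name):
        if not re.fullmatch(r"[A-Za-z0-9_]+", ident):
            raise ValueError(f"unsafe identifier: {ident!r}")
    if not nets:
        # Refuse to emit a script that would leave the group empty.
        raise ValueError("no valid networks; keeping the existing set")
    elements = ", ".join(str(n) for n in nets)
    return (f"flush set {family} {table} {set_name}\n"
            f"add element {family} {table} {set_name} {{ {elements} }}\n")

if __name__ == "__main__":
    networks, bad = parse_list(SAMPLE)
    print(render_reload("example_table", "N_CHINA_IP", networks), end="")
    for lineno, raw in bad:
        print(f"rejected line {lineno}: {raw!r}")
```

The rendered script is meant to be loaded with `nft -f`, which applies the flush and the add as a single transaction, so the set is never observed empty during a reload.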