mimas: migrate to nftable and configure whole as blocks

Author: mweinelt

build/mimas/default.nix

@@ -4,6 +4,7 @@
     ../hydra.nix
     ../hydra-proxy.nix
     ./boot.nix
+    ./firewall.nix
     ./network.nix
   ];
 

build/mimas/firewall.nix

@@ -0,0 +1,58 @@
+{
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  nft-asblock = pkgs.callPackage ./nft-asblock { };
+
+  asblocks = [
+    45102 # ALIBABA-CN-NET
+    132203 # TENCENT-NET-AP-CN
+  ];
+in
+
+{
+  networking.nftables = {
+    enable = true;
+    tables."abuse" = {
+      family = "inet";
+      content = ''
+        set blocked4 {
+          type ipv4_addr;
+          flags interval, timeout;
+          auto-merge;
+          timeout 6h;
+        }
+        set blocked6 {
+          type ipv6_addr;
+          auto-merge;
+          flags interval, timeout;
+          timeout 6h;
+        }
+        chain input-abuse {
+          type filter hook input priority filter - 5;
+
+          ip saddr @blocked4 counter drop;
+          ip6 saddr @blocked6 counter drop;
+        }
+      '';
+    };
+  };
+
+  systemd.services.nft-asblock = {
+    path = with pkgs; [ nftables ];
+    serviceConfig = {
+      AmbientCapabilities = [ "CAP_NET_ADMIN" ];
+      DynamicUser = true;
+      User = "nft-asblock";
+      Group = "nft-asblock";
+      ExecStart = toString ([
+        (lib.getExe nft-asblock)
+      ] ++ asblocks);
+      StateDirectory = "nft-asblock";
+    };
+  };
+
+}

build/mimas/nft-asblock/.gitignore

@@ -0,0 +1,4 @@
+dist
+.ruff_cache
+.venv
+__pycache__

build/mimas/nft-asblock/default.nix

@@ -0,0 +1,20 @@
+{ python3Packages }:
+
+with python3Packages;
+
+buildPythonApplication {
+  pname = "nft-asblock";
+  version = "0.0";
+  format = "pyproject";
+
+  src = ./.;
+
+  build-system = [ uv-build ];
+
+  dependencies = [
+    httpx
+    typer
+  ];
+
+  meta.mainProgram = "nft-asblock";
+}

build/mimas/nft-asblock/pyproject.toml

@@ -0,0 +1,19 @@
+[build-system]
+requires = ["uv-build"]
+build-backend = "uv_build"
+
+[project]
+name = "nft-asblock"
+version = "0.1.0"
+description = "Block prefixes for whole Autonomus Systems with nftable sets"
+requires-python = ">=3.12"
+dependencies = [
+    "httpx",
+    "typer",
+]
+
+[project.scripts]
+nft-asblock = "nft_asblock.__main__:cli"
+
+[tool.ruff.lint]
+select = ["I"]

build/mimas/nft-asblock/src/nft_asblock/__init__.py

@@ -0,0 +1,79 @@
+import sys
+import time
+from ipaddress import ip_network
+from pathlib import Path
+from subprocess import CalledProcessError, run
+from typing import Final
+
+import httpx
+import typer
+
+RTTABLE_CACHE: Final = Path("/var/lib/nft-asblock/table.txt")
+NFT_TABLE: Final = "abuse"
+NFT_IPV4_SET: Final = "blocked4"
+NFT_IPV6_SET: Final = "blocked6"
+
+
+def get_rttable() -> str:
+    def fetch() -> str:
+        url = "https://bgp.tools/table.txt"
+        headers = {"User-Agent": "nixos.org infra - [email protected]"}
+        response = httpx.get(url, headers=headers)
+        assert response.status_code == 200
+        return response.text
+
+    try:
+        mtime = RTTABLE_CACHE.stat().st_mtime
+    except FileNotFoundError:
+        mtime = None
+
+    # don't pull more often than every two hours
+    if not mtime or time.time() - mtime > 2 * 3600:
+        print("Pulling routing table from bgp.tools", file=sys.stderr)
+        data = fetch()
+        with RTTABLE_CACHE.open("w") as fd:
+            fd.write(data)
+    else:
+        print("Loading routing table from cache", file=sys.stderr)
+        with RTTABLE_CACHE.open() as fd:
+            data = fd.read()
+
+    return data
+
+
+def nft_block(prefixes: set[str]) -> None:
+    networks = map(ip_network, prefixes)
+
+    for network in networks:
+        print(f"\nBlocking {network}...", file=sys.stderr, end="")
+        try:
+            run(
+                [
+                    "nft",
+                    "add",
+                    "element",
+                    "inet",
+                    NFT_TABLE,
+                    NFT_IPV4_SET if network.version == 4 else NFT_IPV6_SET,
+                    "{",
+                    str(network),
+                    "}",
+                ],
+                check=True,
+            )
+        except CalledProcessError:
+            continue
+
+
+def main(autnums: list[str]) -> None:
+    rttable = get_rttable()
+
+    prefixes = set()
+    for line in rttable.splitlines():
+        try:
+            prefix, autnum = line.split()
+        except ValueError:
+            continue
+        if autnum in autnums:
+            prefixes.add(prefix)
+    nft_block(prefixes)

build/mimas/nft-asblock/src/nft_asblock/__main__.py

@@ -0,0 +1,11 @@
+import typer
+
+from nft_asblock import main
+
+
+def cli():
+    typer.run(main)
+
+
+if __name__ == "__main__":
+    cli()