Just an FYI if you pull cidr blocks by country, either doing it yourself directly from arin et al or by using someone elses list like ipdeny.com the CIDR blocks are not necessarily compacted. i.e. it is often not the most minimal CIDR representation. I use is this little python script, which works on list of CIDR blocks of IPV4 or IPV6, to compact the list of cidr blocks. I feed the output compacted CIDR blocks to the firewall ipset script. In case anyone finds this useful here is my CidrMerge.py : UseageL ----- cut here ----- #!/usr/bin/python # # Read from stdin a list of cidr blocks and compacts them if possible # Resulting compacted CIDR blocks are written to stdout. # Works on any file with IPV4 or IPV6 cidr blocks. # # Usage : CidrMerge.py < file # # Gene C. # # 20180503 # import sys import netaddr def main(): num_args = len(sys.argv) # # Open file - read one line at a time and output # lines=sys.stdin.readlines() if len(lines) == 1: lines = lines[0].split() # # create merged set of entire input lines # set1 = netaddr.IPSet(lines) # # Write them out # for cidr in set1.iter_cidrs() : print (cidr) return # ----------------------------------------------------- if __name__ == '__main__': main() # # -------------------- All Done ------------------------