Plan B on BCP-38 implementation in NFTABLES

Because I don't seem to be able to get the FIB statements in nft working as I expect, I've decided to move to Plan B in my edge routers: autogenerating ip sets, from the routing table, on my own.

The idea is to read the routing table from /proc/net/routes and rebuild the table. Include a configuration file that details all static inside netblocks and all static blackhole netblocks not contained in the routing table. Then build any desired set from there. For example:

source-dest-block list: all network (like 127.0.0.0/8), all broadcast (like 127.255.255.255/8), and all blackhole.

I run Red Hat Enterprise, so I can use NetworkManager hooks to trigger dynamic changes to the routing table, such as when a VPN client has established a connection. This facilitates site-to-site VPN links and similar.

A fun little weekend Python 3 project.

(I looked to see if anyone else had done this, and didn't find anything.)
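One way to do the "source-dest-block" set described above, as an added Python 3 example that is not code from the original post: it parses the kernel's IPv4 table from /proc/net/route (the fields are hex in host byte order), keeps only directly connected prefixes, merges in a hypothetical config of static inside and blackhole netblocks, and renders an interval set for `nft -f`. The sample table, the config lists, and the table/set names are all constructed for the example.

```python
import ipaddress
import socket
import struct

# Constructed sample of /proc/net/route (kernel column layout; addresses are
# hex in host byte order, little-endian on x86). Not taken from a real router.
SAMPLE_PROC_ROUTE = """\
Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT
eth0\t00000000\t0101A8C0\t0003\t0\t0\t100\t00000000\t0\t0\t0
eth0\t0001A8C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0
eth1\t0000000A\t00000000\t0001\t0\t0\t100\t0000FFFF\t0\t0\t0
"""
# Hypothetical config: static inside netblocks and blackholes not in the table.
CONFIG_INSIDE = ["192.0.2.0/24"]
CONFIG_BLACKHOLE = ["198.51.100.0/24"]
RTF_GATEWAY = 0x2  # kernel route flag: next hop is a gateway

def _hex_to_ip(h):
    """Decode one /proc/net/route hex field into dotted-quad notation."""
    return socket.inet_ntoa(struct.pack("<L", int(h, 16)))

def parse_proc_route(text):
    """Return the directly connected prefixes (no RTF_GATEWAY) as IPv4Network."""
    nets = []
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 8 or int(f[3], 16) & RTF_GATEWAY:
            continue  # default/gateway routes are not inside prefixes
        nets.append(ipaddress.IPv4Network(f"{_hex_to_ip(f[1])}/{_hex_to_ip(f[7])}"))
    return nets

def build_block_set(routed, inside_cfg, blackhole_cfg):
    """source-dest-block: network + broadcast address of every inside prefix,
    plus every blackhole prefix, collapsed into the smallest interval list."""
    inside = routed + [ipaddress.IPv4Network(n) for n in inside_cfg]
    block = [ipaddress.IPv4Network(f"{n.network_address}/32") for n in inside]
    block += [ipaddress.IPv4Network(f"{n.broadcast_address}/32") for n in inside]
    block += [ipaddress.IPv4Network(n) for n in blackhole_cfg]
    return sorted(ipaddress.collapse_addresses(block))

def render_nft_set(table, name, nets):
    """Emit an nft file fragment (loadable with `nft -f`) defining the set."""
    elems = ", ".join(str(n) for n in nets)
    return (f"table inet {table} {{\n\tset {name} {{\n\t\ttype ipv4_addr\n"
            f"\t\tflags interval\n\t\telements = {{ {elems} }}\n\t}}\n}}\n")

if __name__ == "__main__":
    with open("/proc/net/route") as fh:  # live kernel table on the edge router
        routed = parse_proc_route(fh.read())
    print(render_nft_set("filter", "src_dst_block",
                         build_block_set(routed, CONFIG_INSIDE, CONFIG_BLACKHOLE)))
```

Loading the fragment again with `nft -f` adds to an existing set rather than replacing it, so a regeneration hook should flush the set first (for example `nft flush set inet filter src_dst_block`).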


