@sjlongland
Last active March 29, 2022 04:23
Shell script to generate blacklists by country code
#!/bin/sh
# This is a script I use on my own personal servers to block the following countries:
# Belarus: for supporting Russia
# China: for human rights abuses in Xinjiang
# Hong Kong: because China claims this is "their" territory and the HK government seems to agree
# Russia: Invasion of Ukraine (ohh, and BTW… Пу́тін — хуйло́ / Пу́тин — хуйло́)
# Provided in the public domain without any guarantee or warranty whatsoever, use at your own risk.
# Typical usage in `pf`:
# include "/etc/pf.blacklist-ipv4"
# include "/etc/pf.blacklist-ipv6"
# block drop in on egress inet from <blacklist_zone_ipv4> to any
# block drop in on egress inet6 from <blacklist_zone_ipv6> to any
# block drop out on egress inet from any to <blacklist_zone_ipv4>
# block drop out on egress inet6 from any to <blacklist_zone_ipv6>
set -ex
IPV4_BASE_URI=https://www.ipdeny.com/ipblocks/data/aggregated
IPV6_BASE_URI=https://www.ipdeny.com/ipv6/ipaddresses/aggregated
BLACKLIST="by cn hk ru"
BLACKLIST_DIR=$( mktemp -d )
# Remove the scratch directory on any exit. A failure under `set -e` exits too, so EXIT
# covers it; ERR is a bash/ksh extension rather than a POSIX `sh` trap, so it is not listed.
trap "rm -fr ${BLACKLIST_DIR}" INT TERM QUIT EXIT
# Acquire the zone files. `-f` makes curl fail on an HTTP error instead of saving the
# error page as the zone file, so `set -e` aborts before anything reaches /etc.
for zone in ${BLACKLIST}; do
    curl -f -o ${BLACKLIST_DIR}/${zone}-ipv4.zone ${IPV4_BASE_URI}/${zone}-aggregated.zone
    curl -f -o ${BLACKLIST_DIR}/${zone}-ipv6.zone ${IPV6_BASE_URI}/${zone}-aggregated.zone
done
# Build up the tables: one pf table per address family, each zone file pasted in
# under a comment naming its source file.
for table in ipv4 ipv6; do
    cat <<EOF > ${BLACKLIST_DIR}/pf.blacklist-${table}
table <blacklist_zone_${table}> {
EOF
    for zone in ${BLACKLIST_DIR}/*-${table}.zone; do
        echo "# $( basename ${zone} )"
        cat ${zone}
        echo ""
    done >> ${BLACKLIST_DIR}/pf.blacklist-${table}
    cat <<EOF >> ${BLACKLIST_DIR}/pf.blacklist-${table}
}
EOF
done
# Move to /etc. pf only picks the new tables up on the next ruleset load
# (e.g. `pfctl -f /etc/pf.conf`).
mv ${BLACKLIST_DIR}/pf.blacklist-* /etc
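Added example, not part of the gist: a POSIX sh check that rejects any line of a downloaded zone file that is not a CIDR prefix before it is assembled into a pf table, so a failed download (curl saving an HTML error page, say) cannot end up in /etc. The zone file contents and the function names `is_cidr`, `build_pf_table` and `demo` are my own constructions, not ipdeny's or the gist's.

```sh
# Added example, not part of the gist: assemble a pf table from ipdeny-style zone
# files, refusing any line that is not a CIDR prefix. Sample data is constructed.
# is_cidr PREFIX: succeed if PREFIX looks like an IPv4 or IPv6 network in CIDR form.
is_cidr() {
    case "$1" in
        ''|*[!0-9a-fA-F:./]*|*/*/*) return 1 ;;  # empty, stray characters, two slashes
        */*) ;;                                   # has a prefix length, keep checking
        *) return 1 ;;                            # bare address without "/len"
    esac
    _addr=${1%/*}; _len=${1#*/}
    case "$_len" in ''|*[!0-9]*) return 1 ;; esac
    case "$_addr" in
        *:*)     [ "$_len" -le 128 ] ;;           # IPv6: hex groups and colons
        *.*.*.*) [ "$_len" -le 32 ] ;;            # IPv4: dotted quad
        *)       return 1 ;;
    esac
}

# build_pf_table NAME FILE...: print "table <NAME> { ... }" on stdout; return 1 and
# report the offending line on stderr if any entry fails is_cidr.
build_pf_table() {
    _name=$1; shift
    printf 'table <%s> {\n' "$_name"
    for _zone in "$@"; do
        printf '# %s\n' "$(basename "$_zone")"
        while IFS= read -r _line || [ -n "$_line" ]; do
            case "$_line" in ''|'#'*) continue ;; esac   # skip blanks and comments
            if ! is_cidr "$_line"; then
                printf 'rejected non-CIDR line in %s: %s\n' "$_zone" "$_line" >&2
                return 1
            fi
            printf '%s\n' "$_line"
        done < "$_zone"
    done
    printf '}\n'
}

# demo: a clean zone file builds a table; one holding an HTML error page is rejected.
demo() {
    _dir=$(mktemp -d)
    printf '198.51.100.0/24\n203.0.113.0/24\n' > "$_dir/xx-ipv4.zone"   # constructed
    printf '<html>404 Not Found</html>\n' > "$_dir/bad-ipv4.zone"        # constructed
    build_pf_table blacklist_zone_ipv4 "$_dir/xx-ipv4.zone" || { rm -rf "$_dir"; return 1; }
    if build_pf_table blacklist_zone_ipv4 "$_dir/bad-ipv4.zone" >/dev/null 2>&1; then
        rm -rf "$_dir"; return 1                  # a bad download must not yield a table
    fi
    rm -rf "$_dir"
}

demo
```

Running `build_pf_table` over the downloaded `*-ipv4.zone` / `*-ipv6.zone` files in place of the bare `cat` in the gist gives the same table text, but a non-zero exit when a file contains anything other than prefixes.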