IP Blocklist

The blocklist subsystem ingests threat-intelligence feeds and operator-defined IP/CIDR entries, then enforces them with FlowSpec rules that match each blocked source prefix (destination 0.0.0.0/0) and drop the traffic. Enforcement needs both FlowSpec-capable peers and blocklist enforcement enabled.

Blocklist enforcement requires flowspec.enabled = true on the engine and FlowSpec-capable BGP peers. See BGP FlowSpec first.

[blocklist] section

[blocklist]
enabled = true
enforce = true
refresh_interval_minutes = 60
manual_entries = 192.0.2.100,198.51.100.0/24
| Key | Default | Description |
| --- | --- | --- |
| enabled | false | Enable periodic feed refresh and ingestion |
| enforce | true | Push FlowSpec drop rules for each entry |
| refresh_interval_minutes | 60 | Automatic refresh interval |
| manual_entries | (empty) | Comma-separated static IPs/CIDRs merged with feeds |

[blocklist_feed_N] sections

Declare one INI section per feed. Replace N with 1, 2, …:

[blocklist_feed_1]
name = internal-deny
enabled = true
url = file:///etc/coredetection/blocklist.txt

[blocklist_feed_2]
name = threat-intel
enabled = true
url = https://example.com/feeds/bad-ips.txt

Feed file format: plain text, one IP or CIDR per line. Lines starting with # or ; are comments.

Supported URL schemes

| Scheme | Example |
| --- | --- |
| https:// | https://feeds.example.com/deny.txt |
| http:// | http://internal/feeds/deny.txt |
| file:// | file:///etc/coredetection/blocklist.txt |
| Local path | /var/lib/coredetection/deny.list |

Refresh & status

Automatic refresh runs every refresh_interval_minutes. Force an immediate reload:

curl -X POST -H "X-API-Key: YOUR_KEY" \
  http://localhost:9009/CoreDetection/api/v0/blocklist/refresh

Check subsystem status:

curl -H "X-API-Key: YOUR_KEY" \
  http://localhost:9009/CoreDetection/api/v0/blocklist/status

Example response fields: entry_count, applied_rules, feed_count, flowspec_ready, last_refresh_ok.

Update via API

curl -X PUT -H "X-API-Key: YOUR_KEY" -H "Content-Type: application/json" \
  -d '{"enabled":true,"enforce":true,"refresh_interval_minutes":30,"manual_entries":["203.0.113.99"],"feeds":[{"id":"1","name":"internal-deny","url":"file:///etc/coredetection/blocklist.txt","enabled":true}]}' \
  http://localhost:9009/CoreDetection/api/v0/blocklist/config

PUT applies live and persists to config.ini (including [blocklist_feed_N] sections). After editing feeds manually in the file, call POST /reload or POST /blocklist/refresh.

Requires FlowSpec

Enforcement path:

  1. Feed refresh merges all entries (feeds + manual_entries)
  2. For each entry, engine announces a FlowSpec rule: match src-prefix → action drop, destination 0.0.0.0/0
  3. Peers must accept FlowSpec NLRI — verify with GET /blocklist/status (flowspec_ready: true)

If enforce = false, entries are ingested and visible via GET /blocklist/entries but no FlowSpec rules are pushed.
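The three enforcement steps above, together with the feed file format described earlier (one IP or CIDR per line, `#` and `;` comment lines), as an added Python example. This is not CoreDetection's own code: the function names, the sample feed, the `manual_entries` value and the status dictionary are all constructed here; the rule layout mirrors the page's "match src-prefix, destination 0.0.0.0/0, action drop" (the `::/0` wildcard for IPv6 entries is an assumption), and the check that `applied_rules` should equal `entry_count` when enforcing assumes one rule per entry, as "drop rules for each entry" implies.

```python
import ipaddress

# Constructed sample feed in the documented format (one IP or CIDR per line,
# lines starting with '#' or ';' are comments). The last three lines are
# deliberately malformed to show how the parser rejects them.
SAMPLE_FEED = """\
# internal-deny feed (constructed sample)
192.0.2.100
198.51.100.0/24
; another comment style
203.0.113.7/32
198.51.100.0/24
not-an-address
203.0.113.0/33
203.0.113.5/24
"""

# Constructed value for the [blocklist] manual_entries key; 192.0.2.100 also
# appears in the feed above and must collapse to a single entry.
SAMPLE_MANUAL_ENTRIES = "203.0.113.99,192.0.2.100"


def parse_feed(text, source="feed"):
    """Parse feed text into IP networks; returns (networks, rejected).

    A bare address becomes a /32 (or /128). strict=True rejects prefixes with
    host bits set (e.g. 203.0.113.5/24) instead of silently widening a host
    entry into a drop rule for the whole /24.
    """
    networks, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=True))
        except ValueError:
            rejected.append((source, lineno, line))
    return networks, rejected


def merge_entries(feed_texts, manual_entries=""):
    """Step 1: merge all feeds plus manual_entries.

    Duplicates and prefixes already covered by a wider prefix are collapsed,
    so each remaining entry maps to exactly one FlowSpec rule.
    """
    networks, rejected = [], []
    for i, text in enumerate(feed_texts, 1):
        nets, bad = parse_feed(text, source=f"blocklist_feed_{i}")
        networks.extend(nets)
        rejected.extend(bad)
    nets, bad = parse_feed(manual_entries.replace(",", "\n"), source="manual_entries")
    networks.extend(nets)
    rejected.extend(bad)
    # collapse_addresses() refuses mixed address families, so split by version.
    merged = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses(n for n in networks if n.version == version))
    return merged, rejected


def flowspec_drop_rules(networks):
    """Step 2: one rule per entry, matching the source prefix with a wildcard
    destination and a drop action. ::/0 for IPv6 entries is an assumption;
    the page only states 0.0.0.0/0."""
    rules = []
    for net in networks:
        dst = "0.0.0.0/0" if net.version == 4 else "::/0"
        rules.append({"match": {"src-prefix": str(net), "dst-prefix": dst}, "action": "drop"})
    return rules


def enforcement_gaps(status, enforce, expected_entries):
    """Step 3: read the GET /blocklist/status fields and list anything that
    means traffic is not actually being dropped. Assumes applied_rules equals
    entry_count when enforcing (one rule per entry)."""
    gaps = []
    if not status.get("last_refresh_ok"):
        gaps.append("last_refresh_ok is false: entries may be stale")
    if status.get("entry_count") != expected_entries:
        gaps.append(f"entry_count {status.get('entry_count')} != expected {expected_entries}")
    if enforce and not status.get("flowspec_ready"):
        gaps.append("flowspec_ready is false: peers are not accepting FlowSpec NLRI, no rules installed")
    elif enforce and status.get("applied_rules") != status.get("entry_count"):
        gaps.append(f"applied_rules {status.get('applied_rules')} != entry_count {status.get('entry_count')}")
    return gaps


if __name__ == "__main__":
    merged, rejected = merge_entries([SAMPLE_FEED], SAMPLE_MANUAL_ENTRIES)
    for net in merged:
        print("block", net)
    for src, lineno, line in rejected:
        print(f"rejected {src} line {lineno}: {line!r}")
    print(len(flowspec_drop_rules(merged)), "FlowSpec drop rules")
    # Constructed status response: refresh succeeded but peers lack FlowSpec.
    status = {"entry_count": 4, "applied_rules": 0, "feed_count": 1,
              "flowspec_ready": False, "last_refresh_ok": True}
    for gap in enforcement_gaps(status, enforce=True, expected_entries=len(merged)):
        print("gap:", gap)
```

Running it prints four collapsed entries (the duplicate `198.51.100.0/24` and the manual `192.0.2.100` fold away), three rejected feed lines with their line numbers, and a single gap: with `flowspec_ready` false the entry count looks healthy while nothing is being dropped, which is exactly the case the status check in step 3 is meant to catch.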