IP Blocklist
The blocklist subsystem ingests threat-intelligence and operator-defined IP/CIDR feeds, then enforces them via FlowSpec source-prefix drop rules (destination 0.0.0.0/0). Enforcement needs two things: FlowSpec on the BGP peers and blocklist enforcement enabled (enforce = true).

Prerequisite: flowspec.enabled = true on the engine and FlowSpec-capable BGP peers. See BGP FlowSpec first.

[blocklist] section
```ini
[blocklist]
enabled = true
enforce = true
refresh_interval_minutes = 60
manual_entries = 192.0.2.100,198.51.100.0/24
```

| Key | Default | Description |
|---|---|---|
| enabled | false | Enable periodic feed refresh and ingestion |
| enforce | true | Push FlowSpec drop rules for each entry |
| refresh_interval_minutes | 60 | Automatic refresh interval |
| manual_entries | (empty) | Comma-separated static IPs/CIDRs merged with feeds |
[blocklist_feed_N] sections
Declare one INI section per feed. Replace N with 1, 2, …:
```ini
[blocklist_feed_1]
name = internal-deny
enabled = true
url = file:///etc/coredetection/blocklist.txt

[blocklist_feed_2]
name = threat-intel
enabled = true
url = https://example.com/feeds/bad-ips.txt
```

Feed file format: plain text, one IP or CIDR per line. Lines starting with # or ; are comments.
Supported URL schemes
| Scheme | Example |
|---|---|
| https:// | https://feeds.example.com/deny.txt |
| http:// | http://internal/feeds/deny.txt |
| file:// | file:///etc/coredetection/blocklist.txt |
| Local path | /var/lib/coredetection/deny.list |

Because every feed entry becomes a drop rule on all FlowSpec peers, treat the feed source as security-critical: an http:// feed has no transport integrity, so anyone on the path can inject prefixes and blackhole traffic. Prefer https:// for remote feeds, and make file:// and local-path feeds writable only by the operator account.
Refresh & status
Automatic refresh runs every refresh_interval_minutes. Force an immediate reload:

```bash
curl -X POST -H "X-API-Key: YOUR_KEY" \
  http://localhost:9009/CoreDetection/api/v0/blocklist/refresh
```

Check subsystem status:

```bash
curl -H "X-API-Key: YOUR_KEY" \
  http://localhost:9009/CoreDetection/api/v0/blocklist/status
```

Example response fields: entry_count, applied_rules, feed_count, flowspec_ready, last_refresh_ok.
Update via API
```bash
curl -X PUT -H "X-API-Key: YOUR_KEY" -H "Content-Type: application/json" \
  -d '{"enabled":true,"enforce":true,"refresh_interval_minutes":30,"manual_entries":["203.0.113.99"],"feeds":[{"id":"1","name":"internal-deny","url":"file:///etc/coredetection/blocklist.txt","enabled":true}]}' \
  http://localhost:9009/CoreDetection/api/v0/blocklist/config
```

PUT applies live and persists to config.ini (including [blocklist_feed_N] sections). After editing feeds manually in the file, call POST /reload or POST /blocklist/refresh.
Requires FlowSpec
Enforcement path:
- Feed refresh merges all entries (feeds + manual_entries).
- For each entry, the engine announces a FlowSpec rule: match src-prefix → action drop, destination 0.0.0.0/0.
- Peers must accept FlowSpec NLRI; verify with GET /blocklist/status (flowspec_ready: true).

Since each entry is a source-prefix drop towards 0.0.0.0/0 on every peer, a mistaken or overly broad entry (a large aggregate, or a feed line such as 0.0.0.0/0) blackholes all traffic from that range network-wide. Review feeds with enforce = false before turning enforcement on.

If enforce = false, entries are ingested and visible via GET /blocklist/entries but no FlowSpec rules are pushed.
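The feed format and the enforcement path above can be made concrete with a small parser and rule generator. This is an added example, not CoreDetection's own code: it mirrors the documented behaviour (one IP or CIDR per line, lines starting with # or ; are comments, feeds merged with manual_entries, one source-prefix drop rule per entry, no rules when enforce is false). The function names, the rule dict layout, the ::/0 destination for IPv6 entries and the MIN_PREFIXLEN sanity floor are assumptions for illustration, and the sample feed body is constructed.

```python
"""Blocklist feed parsing and FlowSpec rule derivation (added example, not
CoreDetection's own code). Function names, the rule dict layout, the ::/0
destination for IPv6 and MIN_PREFIXLEN are assumptions for illustration."""
import ipaddress
from typing import Dict, Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample feed body in the documented file format.
SAMPLE_FEED = """\
# internal deny list
192.0.2.100
198.51.100.0/24
; scanner range reported by the SOC
203.0.113.0/25
203.0.113.77/32

not-an-ip
"""

# Assumed sanity floor (not a documented setting): refuse prefixes broader
# than this so a bad feed line such as 0.0.0.0/0 cannot blackhole all traffic.
MIN_PREFIXLEN = {4: 8, 6: 32}


def parse_feed(text: str) -> List[Net]:
    """Parse one feed body. Host addresses become /32 or /128 networks;
    comment lines (# or ;), blank lines and malformed lines are skipped so a
    single bad line does not abort the whole refresh."""
    nets: List[Net] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # malformed entry; a real engine should log it
    return nets


def merge_entries(feed_bodies: Iterable[str], manual_entries: str = "") -> List[Net]:
    """Merge every feed with the comma-separated manual_entries value.
    Exact duplicates are removed; an entry covered by a broader one is kept,
    because the page documents one rule per entry."""
    seen = set()
    for body in feed_bodies:
        seen.update(parse_feed(body))
    for item in manual_entries.split(","):
        item = item.strip()
        if item:
            seen.add(ipaddress.ip_network(item, strict=False))
    # IPv4 and IPv6 networks do not compare with each other, so sort by key.
    return sorted(seen, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def flowspec_rules(entries: Iterable[Net], enforce: bool = True) -> List[Dict[str, str]]:
    """One FlowSpec drop rule per entry: match src-prefix, destination
    0.0.0.0/0 (assumed ::/0 for IPv6), action drop. With enforce=False the
    entries stay ingested but no rules are produced, as documented."""
    if not enforce:
        return []
    rules = []
    for net in entries:
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            continue  # too broad; refuse rather than drop everything
        rules.append({
            "src-prefix": str(net),
            "dst-prefix": "0.0.0.0/0" if net.version == 4 else "::/0",
            "action": "drop",
        })
    return rules


if __name__ == "__main__":
    entries = merge_entries([SAMPLE_FEED], "203.0.113.99,198.51.100.0/24")
    for rule in flowspec_rules(entries):
        print(rule)
```

Run it to see five rules for the constructed feed plus the manual entries: the duplicate 198.51.100.0/24 collapses, the malformed line is skipped, and 203.0.113.77/32 still gets its own rule even though 203.0.113.0/25 already covers it. Calling flowspec_rules(entries, enforce=False) returns an empty list, which is the state GET /blocklist/entries reflects when enforce = false.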
Next steps
- Enable FlowSpec — FlowSpec guide
- API endpoints — REST API Reference
- Config keys — Configuration → IP Blocklist