mondern slopify hand crafted code for the greater good.

(move from user specified blocklist download URLs to simply country codes with multiple providers available.)

README.md

@@ -1,31 +1,76 @@
 # routeros-geoip
 
-Generate RouterOS Address Lists based on country code. This can be used for creating up to date geo-ip blocking lists which can be loaded into RouterOS.
+Generate RouterOS address lists from GeoIP data for MikroTik routers. Supports multiple data providers for flexibility and redundancy.
 
-### Create Configuration
+## Supported Providers
 
-Create a json config file containing the address lists you want to block and a URL for source information.  Below is example.json
+| Provider | Source | URL |
+|----------|--------|-----|
+| `ipverse` (default) | RIR data via GitHub | [ipverse/country-ip-blocks](https://github.com/ipverse/country-ip-blocks) |
+| `ipdeny` | RIR data via ipdeny.com | [ipdeny.com](https://www.ipdeny.com/ipblocks/) |
+
+## Configuration
+
+Create a JSON config file specifying your list name, provider, and countries (ISO 3166-1 alpha-2 codes):
 
 ```json
 {
+    "list_name": "GeoBlock",
+    "provider": "ipverse",
     "countries": [
-        {
+        "ca",
-            "name": "CANADA",
+        "au"
-            "url": "https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/refs/heads/master/ipv4/ca.cidr"
-        },
-        {
-            "name": "AUSTRALIA",
-            "url": "https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/refs/heads/master/ipv4/au.cidr"
-        }
     ]
 }
 ```
 
-### Usage
+### Configuration Fields
+
+| Field | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `list_name` | Yes | — | RouterOS address list name |
+| `provider` | No | `ipverse` | GeoIP data provider |
+| `countries` | Yes | — | ISO 3166-1 alpha-2 country codes |
+
+## Usage
 
 ```sh
-# Example usage
+# Build
-./routeros-geoip myAddressList example.json
+go build -o routeros-geoip .
+
+# Generate blocklist
+./routeros-geoip blocklist.json
+
+# Import on your MikroTik router
+/import CountryIPBlocks.rsc
 ```
 
+## Example Output
 
+The generated `.rsc` file includes metadata headers and cleans up old entries before importing:
+
+```routeros
+# RouterOS GeoIP Address List: CountryIPBlocks
+# Generated: 2026-05-01T22:44:48Z
+# Countries: 14
+# Total entries: 33210
+#
+/ip firewall address-list remove [find list=CountryIPBlocks]
+/ip firewall address-list
+add address=24.152.0.0/19 comment="BRAZIL" list=CountryIPBlocks
+add address=45.4.4.0/22 comment="BRAZIL" list=CountryIPBlocks
+...
+```
+
+## Adding a New Provider
+
+Implement the `Provider` interface:
+
+```go
+type Provider interface {
+    Name() string
+    FetchCIDRs(countryCode string) ([]string, error)
+}
+```
+
+Then register it in `NewProvider()` in `provider.go`.

blocklist.json

@@ -0,0 +1,22 @@
+{
+    "list_name": "CountryIPBlocks",
+    "provider": "ipverse",
+    "countries": [
+        "br",
+        "by",
+        "cn",
+        "eg",
+        "id",
+        "in",
+        "ir",
+        "iq",
+        "il",
+        "lb",
+        "kp",
+        "pk",
+        "ru",
+        "tr",
+        "ua",
+        "vn"
+    ]
+}

config.go

@@ -0,0 +1,55 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"strings"
+)
+
+// Config represents the blocklist configuration file.
+type Config struct {
+	// ListName is the name for the RouterOS address list (e.g. "CountryIPBlocks").
+	ListName string `json:"list_name"`
+
+	// Provider specifies which GeoIP data source to use.
+	// Supported values: "ipverse" (default), "ipdeny"
+	Provider string `json:"provider"`
+
+	// Countries is a list of ISO 3166-1 alpha-2 country codes (lowercase).
+	Countries []string `json:"countries"`
+}
+
+// LoadConfig reads and validates a blocklist configuration file.
+func LoadConfig(filename string) (*Config, error) {
+	b, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read config file %q: %v", filename, err)
+	}
+
+	var cfg Config
+	if err := json.Unmarshal(b, &cfg); err != nil {
+		return nil, fmt.Errorf("failed to parse config file %q: %v", filename, err)
+	}
+
+	// Validate
+	if cfg.ListName == "" {
+		return nil, fmt.Errorf("config: list_name is required")
+	}
+
+	if cfg.Provider == "" {
+		cfg.Provider = "ipverse" // default provider
+	}
+	cfg.Provider = strings.ToLower(cfg.Provider)
+
+	if len(cfg.Countries) == 0 {
+		return nil, fmt.Errorf("config: at least one country code is required")
+	}
+
+	// Normalize country codes to lowercase
+	for i := range cfg.Countries {
+		cfg.Countries[i] = strings.ToLower(strings.TrimSpace(cfg.Countries[i]))
+	}
+
+	return &cfg, nil
+}

countries.go

@@ -0,0 +1,175 @@
+package main
+
+// countryNames maps ISO 3166-1 alpha-2 country codes to uppercase display names
+// used in RouterOS address list comments.
+var countryNames = map[string]string{
+	"af": "AFGHANISTAN",
+	"al": "ALBANIA",
+	"dz": "ALGERIA",
+	"ao": "ANGOLA",
+	"ar": "ARGENTINA",
+	"am": "ARMENIA",
+	"au": "AUSTRALIA",
+	"at": "AUSTRIA",
+	"az": "AZERBAIJAN",
+	"bh": "BAHRAIN",
+	"bd": "BANGLADESH",
+	"by": "BELARUS",
+	"be": "BELGIUM",
+	"bz": "BELIZE",
+	"bj": "BENIN",
+	"bt": "BHUTAN",
+	"bo": "BOLIVIA",
+	"ba": "BOSNIA AND HERZEGOVINA",
+	"bw": "BOTSWANA",
+	"br": "BRAZIL",
+	"bn": "BRUNEI",
+	"bg": "BULGARIA",
+	"bf": "BURKINA FASO",
+	"bi": "BURUNDI",
+	"kh": "CAMBODIA",
+	"cm": "CAMEROON",
+	"ca": "CANADA",
+	"cf": "CENTRAL AFRICAN REPUBLIC",
+	"td": "CHAD",
+	"cl": "CHILE",
+	"cn": "CHINA",
+	"co": "COLOMBIA",
+	"cg": "CONGO",
+	"cd": "CONGO (DRC)",
+	"cr": "COSTA RICA",
+	"hr": "CROATIA",
+	"cu": "CUBA",
+	"cy": "CYPRUS",
+	"cz": "CZECH REPUBLIC",
+	"dk": "DENMARK",
+	"dj": "DJIBOUTI",
+	"do": "DOMINICAN REPUBLIC",
+	"ec": "ECUADOR",
+	"eg": "EGYPT",
+	"sv": "EL SALVADOR",
+	"gq": "EQUATORIAL GUINEA",
+	"er": "ERITREA",
+	"ee": "ESTONIA",
+	"et": "ETHIOPIA",
+	"fi": "FINLAND",
+	"fr": "FRANCE",
+	"ga": "GABON",
+	"gm": "GAMBIA",
+	"ge": "GEORGIA",
+	"de": "GERMANY",
+	"gh": "GHANA",
+	"gr": "GREECE",
+	"gt": "GUATEMALA",
+	"gn": "GUINEA",
+	"gy": "GUYANA",
+	"ht": "HAITI",
+	"hn": "HONDURAS",
+	"hk": "HONG KONG",
+	"hu": "HUNGARY",
+	"is": "ICELAND",
+	"in": "INDIA",
+	"id": "INDONESIA",
+	"ir": "IRAN",
+	"iq": "IRAQ",
+	"ie": "IRELAND",
+	"il": "ISRAEL",
+	"it": "ITALY",
+	"jm": "JAMAICA",
+	"jp": "JAPAN",
+	"jo": "JORDAN",
+	"kz": "KAZAKHSTAN",
+	"ke": "KENYA",
+	"kw": "KUWAIT",
+	"kg": "KYRGYZSTAN",
+	"la": "LAOS",
+	"lv": "LATVIA",
+	"lb": "LEBANON",
+	"ly": "LIBYA",
+	"lt": "LITHUANIA",
+	"lu": "LUXEMBOURG",
+	"mo": "MACAU",
+	"mg": "MADAGASCAR",
+	"mw": "MALAWI",
+	"my": "MALAYSIA",
+	"ml": "MALI",
+	"mt": "MALTA",
+	"mr": "MAURITANIA",
+	"mu": "MAURITIUS",
+	"mx": "MEXICO",
+	"md": "MOLDOVA",
+	"mn": "MONGOLIA",
+	"me": "MONTENEGRO",
+	"ma": "MOROCCO",
+	"mz": "MOZAMBIQUE",
+	"mm": "MYANMAR",
+	"na": "NAMIBIA",
+	"np": "NEPAL",
+	"nl": "NETHERLANDS",
+	"nz": "NEW ZEALAND",
+	"ni": "NICARAGUA",
+	"ne": "NIGER",
+	"ng": "NIGERIA",
+	"kp": "NORTH KOREA",
+	"mk": "NORTH MACEDONIA",
+	"no": "NORWAY",
+	"om": "OMAN",
+	"pk": "PAKISTAN",
+	"ps": "PALESTINE",
+	"pa": "PANAMA",
+	"pg": "PAPUA NEW GUINEA",
+	"py": "PARAGUAY",
+	"pe": "PERU",
+	"ph": "PHILIPPINES",
+	"pl": "POLAND",
+	"pt": "PORTUGAL",
+	"qa": "QATAR",
+	"ro": "ROMANIA",
+	"ru": "RUSSIA",
+	"rw": "RWANDA",
+	"sa": "SAUDI ARABIA",
+	"sn": "SENEGAL",
+	"rs": "SERBIA",
+	"sg": "SINGAPORE",
+	"sk": "SLOVAKIA",
+	"si": "SLOVENIA",
+	"so": "SOMALIA",
+	"za": "SOUTH AFRICA",
+	"kr": "SOUTH KOREA",
+	"ss": "SOUTH SUDAN",
+	"es": "SPAIN",
+	"lk": "SRI LANKA",
+	"sd": "SUDAN",
+	"se": "SWEDEN",
+	"ch": "SWITZERLAND",
+	"sy": "SYRIA",
+	"tw": "TAIWAN",
+	"tj": "TAJIKISTAN",
+	"tz": "TANZANIA",
+	"th": "THAILAND",
+	"tg": "TOGO",
+	"tn": "TUNISIA",
+	"tr": "TURKEY",
+	"tm": "TURKMENISTAN",
+	"ug": "UGANDA",
+	"ua": "UKRAINE",
+	"ae": "UNITED ARAB EMIRATES",
+	"gb": "UNITED KINGDOM",
+	"us": "UNITED STATES",
+	"uy": "URUGUAY",
+	"uz": "UZBEKISTAN",
+	"ve": "VENEZUELA",
+	"vn": "VIETNAM",
+	"ye": "YEMEN",
+	"zm": "ZAMBIA",
+	"zw": "ZIMBABWE",
+}
+
+// CountryName returns the display name for a country code.
+// Falls back to the uppercase country code if not found.
+func CountryName(code string) string {
+	if name, ok := countryNames[code]; ok {
+		return name
+	}
+	return code
+}

example.json

@@ -1,12 +0,0 @@
-{
-    "countries": [
-        {
-            "name": "CANADA",
-            "url": "https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/refs/heads/master/ipv4/ca.cidr"
-        },
-        {
-            "name": "AUSTRALIA",
-            "url": "https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/refs/heads/master/ipv4/au.cidr"
-        }
-    ]
-}

generator.go

@@ -0,0 +1,55 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"strings"
+	"time"
+)
+
+// CountryData holds the resolved CIDR blocks for a single country.
+type CountryData struct {
+	Code string   // ISO 3166-1 alpha-2 country code
+	Name string   // Display name for RouterOS comments
+	CIDRs []string // IPv4 CIDR blocks
+}
+
+// GenerateRSC produces a RouterOS .rsc script file that populates an address list.
+// The filename includes today's date, e.g. "CountryIPBlocks-2026-05-01.rsc".
+// Returns the generated filename.
+func GenerateRSC(countries []CountryData, listName string) (string, error) {
+	now := time.Now()
+	datedName := fmt.Sprintf("%s-%s", listName, now.Format("2006-01-02"))
+	filename := fmt.Sprintf("%s.rsc", datedName)
+
+	var b strings.Builder
+
+	// Header with metadata
+	b.WriteString(fmt.Sprintf("# RouterOS GeoIP Address List: %s\n", datedName))
+	b.WriteString(fmt.Sprintf("# Generated: %s\n", now.UTC().Format(time.RFC3339)))
+	b.WriteString(fmt.Sprintf("# Countries: %d\n", len(countries)))
+
+	totalCIDRs := 0
+	for _, c := range countries {
+		totalCIDRs += len(c.CIDRs)
+	}
+	b.WriteString(fmt.Sprintf("# Total entries: %d\n", totalCIDRs))
+	b.WriteString("#\n")
+
+	// Each run creates a uniquely-named list (e.g. CountryIPBlocks-2026-05-01).
+	// Workflow: import this file, then atomically swap your firewall rules to
+	// reference the new list, then remove the old dated list.
+	b.WriteString("/ip firewall address-list\n")
+
+	for _, country := range countries {
+		for _, cidr := range country.CIDRs {
+			b.WriteString(fmt.Sprintf("add address=%s comment=\"%s\" list=%s\n", cidr, country.Name, datedName))
+		}
+	}
+
+	if err := os.WriteFile(filename, []byte(b.String()), os.ModePerm); err != nil {
+		return "", fmt.Errorf("failed to write file %q: %v", filename, err)
+	}
+
+	return filename, nil
+}

main.go

@@ -1,109 +1,122 @@
 package main
 
 import (
-	"bufio"
-	"encoding/json"
 	"fmt"
 	"log"
-	"net"
-	"net/http"
 	"os"
+	"sync"
+	"time"
 )
 
-type Country struct {
-	Name        string `json:"name"`
-	Url         string `json:"url"`
-	v4Addresses []string
-}
-
-type JsonListFile struct {
-	Countries []Country `json:"countries"`
-}
-
 func main() {
-
+	if len(os.Args) < 2 {
-	// Validate arguments
+		fmt.Fprintf(os.Stderr, "Usage: %s <config.json>\n", os.Args[0])
-	if len(os.Args) < 3 {
+		fmt.Fprintf(os.Stderr, "\nGenerates a RouterOS address list (.rsc) from GeoIP data.\n")
-		log.Fatalf("usage: %s <blocklistname> <jsonlistfile>", os.Args[0])
+		fmt.Fprintf(os.Stderr, "\nExample:\n  %s blocklist.json\n", os.Args[0])
+		os.Exit(1)
 	}
-	blockListName := os.Args[1]
-	jsonListFile := os.Args[2]
 
-	// Load blocklist config file
+	configFile := os.Args[1]
-	countries, err := readJsonListFile(jsonListFile)
+
+	// Load configuration
+	cfg, err := LoadConfig(configFile)
 	if err != nil {
-		log.Fatalf("failed to read jsonlistfile '%s': %v", jsonListFile, err)
+		log.Fatalf("Error loading config: %v", err)
 	}
 
-	// Download up to date geoip CIDR data
+	// Initialize provider
-	for i := range countries {
+	provider, err := NewProvider(cfg.Provider)
-		fmt.Println("downloading cidr list for country:", countries[i].Name)
-		countries[i].v4Addresses, err = downloadAddressList(countries[i].Url)
-		if err != nil {
-			log.Fatalf("failed to download address list for county'%s': %v", countries[i].Name, err)
-		}
-	}
-
-	// Generate mikrotik block list
-	fmt.Printf("generating blocklist %s.rsc\n", blockListName)
-	err = generateOutput(countries, blockListName)
 	if err != nil {
-		log.Fatalf("failed to generate output file: %v", err)
+		log.Fatalf("Error initializing provider: %v", err)
-	}
-	fmt.Printf("\n\nCopy the file the router, then import the address list\n\n\t/import %s.rsc\n", blockListName)
-}
-
-func generateOutput(countries []Country, blockListName string) error {
-	output := "/ip firewall address-list\n"
-	for _, country := range countries {
-		for _, v4Address := range country.v4Addresses {
-			output += fmt.Sprintf("add address=%s comment=\"%s\" list=%s\n", v4Address, country.Name, blockListName)
-		}
 	}
 
-	err := os.WriteFile(fmt.Sprintf("%s.rsc", blockListName), []byte(output), os.ModePerm)
+	fmt.Printf("╔══════════════════════════════════════════╗\n")
-	if err != nil {
+	fmt.Printf("║       routeros-geoip generator          ║\n")
-		return fmt.Errorf("failed to write file '%s.rsc': %v", blockListName, err)
+	fmt.Printf("╚══════════════════════════════════════════╝\n")
-	}
+	fmt.Printf("  Provider:   %s\n", provider.Name())
-	return nil
+	fmt.Printf("  List name:  %s\n", cfg.ListName)
-}
+	fmt.Printf("  Countries:  %d\n\n", len(cfg.Countries))
 
-func downloadAddressList(url string) ([]string, error) {
+	// Download CIDR data for all countries concurrently
-	resp, err := http.Get(url)
+	type result struct {
-	if err != nil {
+		data CountryData
-		return nil, fmt.Errorf("http get error on url '%s': %v", url, err)
+		err  error
 	}
-	if resp.StatusCode != http.StatusOK {
+
-		return nil, fmt.Errorf("unexpected http status - expected '%d' but got '%d'", http.StatusOK, resp.StatusCode)
+	results := make([]result, len(cfg.Countries))
+	var wg sync.WaitGroup
+
+	start := time.Now()
+
+	for i, code := range cfg.Countries {
+		wg.Add(1)
+		go func(idx int, countryCode string) {
+			defer wg.Done()
+
+			name := CountryName(countryCode)
+			fmt.Printf("  ↓ downloading %s (%s)...\n", name, countryCode)
+
+			cidrs, err := provider.FetchCIDRs(countryCode)
+			if err != nil {
+				results[idx] = result{err: fmt.Errorf("%s (%s): %v", name, countryCode, err)}
+				return
+			}
+
+			results[idx] = result{
+				data: CountryData{
+					Code:  countryCode,
+					Name:  name,
+					CIDRs: cidrs,
+				},
+			}
+			fmt.Printf("  ✓ %s: %d CIDRs\n", name, len(cidrs))
+		}(i, code)
 	}
-	scanner := bufio.NewScanner(resp.Body)
+
-	scanner.Split(bufio.ScanLines)
+	wg.Wait()
-	v4Addresses := make([]string, 0)
+	elapsed := time.Since(start)
-	for scanner.Scan() {
+
-		line := scanner.Text()
+	// Collect results and check for errors
-		_, ipnet, err := net.ParseCIDR(line)
+	var countries []CountryData
-		if err != nil {
+	var errors []error
-			log.Printf("skipping line: failed to parse line '%s' to cidr: %v", line, err)
+
+	for _, r := range results {
+		if r.err != nil {
+			errors = append(errors, r.err)
 			continue
 		}
-		v4Addresses = append(v4Addresses, ipnet.String())
+		countries = append(countries, r.data)
 	}
-	return v4Addresses, nil
-}
 
-// reads the json config file containing the lists of countries you want to block
+	if len(errors) > 0 {
-func readJsonListFile(filename string) ([]Country, error) {
+		fmt.Printf("\n⚠ Errors occurred:\n")
-	b, err := os.ReadFile(filename)
+		for _, err := range errors {
+			fmt.Printf("  ✗ %v\n", err)
+		}
+		if len(countries) == 0 {
+			log.Fatalf("All downloads failed, cannot generate output")
+		}
+		fmt.Printf("\nContinuing with %d/%d countries...\n", len(countries), len(cfg.Countries))
+	}
+
+	// Generate output
+	fmt.Printf("\n  Generating output...\n")
+	outputFile, err := GenerateRSC(countries, cfg.ListName)
 	if err != nil {
-		return nil, fmt.Errorf("failed to open file %s: %v", filename, err)
+		log.Fatalf("Error generating output: %v", err)
 	}
 
-	jsonListFile := JsonListFile{}
+	totalCIDRs := 0
-
+	for _, c := range countries {
-	err = json.Unmarshal(b, &jsonListFile)
+		totalCIDRs += len(c.CIDRs)
-	if err != nil {
-		return nil, fmt.Errorf("failed to unmarshal json file to jsonListFile struct: %v", err)
 	}
 
-	return jsonListFile.Countries, nil
+	fmt.Printf("\n╔══════════════════════════════════════════════════════╗\n")
+	fmt.Printf("║  Done! %-46s║\n", fmt.Sprintf("(%s)", elapsed.Round(time.Millisecond)))
+	fmt.Printf("╠══════════════════════════════════════════════════════╣\n")
+	fmt.Printf("║  Output:  %-43s║\n", outputFile)
+	fmt.Printf("║  Entries: %-43s║\n", fmt.Sprintf("%d CIDRs across %d countries", totalCIDRs, len(countries)))
+	fmt.Printf("╚══════════════════════════════════════════════════════╝\n")
+	fmt.Printf("\nImport on your MikroTik router:\n")
+	fmt.Printf("  /import %s\n\n", outputFile)
 }

provider.go

@@ -0,0 +1,27 @@
+package main
+
+import "fmt"
+
+// Provider defines the interface for GeoIP data sources.
+// Each provider knows how to fetch IPv4 CIDR blocks for a given country.
+type Provider interface {
+	// Name returns the human-readable name of this provider.
+	Name() string
+
+	// FetchCIDRs downloads and returns a slice of IPv4 CIDR strings
+	// for the given ISO 3166-1 alpha-2 country code (lowercase).
+	FetchCIDRs(countryCode string) ([]string, error)
+}
+
+// NewProvider creates a Provider by name.
+// Supported providers: "ipverse", "ipdeny"
+func NewProvider(name string) (Provider, error) {
+	switch name {
+	case "ipverse":
+		return &IPverseProvider{}, nil
+	case "ipdeny":
+		return &IPDenyProvider{}, nil
+	default:
+		return nil, fmt.Errorf("unknown provider %q (supported: ipverse, ipdeny)", name)
+	}
+}

provider_ipdeny.go

@@ -0,0 +1,24 @@
+package main
+
+import (
+	"fmt"
+	"strings"
+)
+
+const ipdenyBaseURL = "https://www.ipdeny.com/ipblocks/data/aggregated"
+
+// IPDenyProvider fetches GeoIP data from ipdeny.com.
+// IPDeny provides aggregated country-level IP blocks derived from RIR data.
+// Website: https://www.ipdeny.com/ipblocks/
+type IPDenyProvider struct{}
+
+func (p *IPDenyProvider) Name() string {
+	return "ipdeny"
+}
+
+// FetchCIDRs downloads IPv4 CIDR blocks for a country from ipdeny.
+// URL format: https://www.ipdeny.com/ipblocks/data/aggregated/{cc}-aggregated.zone
+func (p *IPDenyProvider) FetchCIDRs(countryCode string) ([]string, error) {
+	url := fmt.Sprintf("%s/%s-aggregated.zone", ipdenyBaseURL, strings.ToLower(countryCode))
+	return downloadAndParseCIDRs(url)
+}

provider_ipverse.go

@@ -0,0 +1,67 @@
+package main
+
+import (
+	"bufio"
+	"fmt"
+	"net"
+	"net/http"
+	"strings"
+)
+
+const ipverseBaseURL = "https://raw.githubusercontent.com/ipverse/country-ip-blocks/master/country"
+
+// IPverseProvider fetches GeoIP data from the ipverse/country-ip-blocks GitHub repository.
+// Data is sourced from Regional Internet Registries (RIRs) and aggregated by ipverse.
+// Repository: https://github.com/ipverse/country-ip-blocks
+type IPverseProvider struct{}
+
+func (p *IPverseProvider) Name() string {
+	return "ipverse"
+}
+
+// FetchCIDRs downloads IPv4 CIDR blocks for a country from ipverse.
+// URL format: https://raw.githubusercontent.com/ipverse/country-ip-blocks/master/country/{cc}/ipv4-aggregated.txt
+func (p *IPverseProvider) FetchCIDRs(countryCode string) ([]string, error) {
+	url := fmt.Sprintf("%s/%s/ipv4-aggregated.txt", ipverseBaseURL, strings.ToLower(countryCode))
+	return downloadAndParseCIDRs(url)
+}
+
+// downloadAndParseCIDRs is a shared helper that downloads a URL containing
+// one CIDR per line and returns validated CIDR strings.
+func downloadAndParseCIDRs(url string) ([]string, error) {
+	resp, err := http.Get(url)
+	if err != nil {
+		return nil, fmt.Errorf("http get error on url %q: %v", url, err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("unexpected http status %d from %q", resp.StatusCode, url)
+	}
+
+	scanner := bufio.NewScanner(resp.Body)
+	scanner.Split(bufio.ScanLines)
+
+	var cidrs []string
+	for scanner.Scan() {
+		line := strings.TrimSpace(scanner.Text())
+
+		// Skip empty lines and comments
+		if line == "" || strings.HasPrefix(line, "#") {
+			continue
+		}
+
+		_, ipnet, err := net.ParseCIDR(line)
+		if err != nil {
+			// Skip unparseable lines rather than failing the whole country
+			continue
+		}
+		cidrs = append(cidrs, ipnet.String())
+	}
+
+	if err := scanner.Err(); err != nil {
+		return nil, fmt.Errorf("error reading response body from %q: %v", url, err)
+	}
+
+	return cidrs, nil
+}