I use set-only: true to enable counters on the drop nftables rules and be able to visualize the drops via nftables-exporter/prometheus/grafana, and to set type filter hook input priority filter - 10 to have the crowdsec chains deterministically evaluated before the default filter tables (which have a priority of 0).
But I also tried with set-only: false; it didn't work either.
When disabling crowdsecurity/ipv6_to_range, the /128s are added to the nftables set.
I discussed this in depth with the core team. The reason the PR has been outstanding for a while is that nftables seems not to like overlapping ranges or IPs that exist within a range that has already been added.
So this causes issues for us when syncing the ipset, as technically the entry won't exist since it is rejected by nftables. So I will need to discuss this with @thibault
@iiAmLoz @thibault I'd still be very interested in banning ranges like /64 with the nftables firewall bouncer. I see the PR is still open.
Did you find any time to discuss this?
There is a limitation in nftables where two ranges cannot overlap within a set. So this has made it hard to implement, as a user who is unaware of this could inadvertently hinder their system.
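To make the overlap problem from this thread concrete, here is an added example (my own illustration, not code from the CrowdSec bouncer or the open PR) that does the check a bouncer would need before pushing decisions into an nftables set: it finds entries that overlap each other (a /128 sitting inside a /64, a /64 inside a /48, a /32 inside a /24) and collapses them per address family into non-overlapping networks using only the Python standard library. The sample decision list is constructed for the demo.

```python
import ipaddress

# Constructed sample of "decisions" mixing ranges and single addresses.
# Several of these overlap, which is exactly what nftables rejects in one set.
SAMPLE_DECISIONS = [
    "2001:db8::/64",
    "2001:db8::1/128",      # inside 2001:db8::/64
    "2001:db8:1::/48",
    "2001:db8:1:2::/64",    # inside 2001:db8:1::/48
    "198.51.100.0/24",
    "198.51.100.7/32",      # inside 198.51.100.0/24
]


def find_overlaps(entries):
    """Return (a, b) pairs of entries that overlap, in input order.

    Each pair is a case nftables would refuse if both were added to the
    same set, so reporting them up front explains a failed sync.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    overlaps = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            # ipaddress only compares networks of the same family
            if a.version == b.version and a.overlaps(b):
                overlaps.append((str(a), str(b)))
    return overlaps


def collapse_for_set(entries):
    """Merge entries into non-overlapping networks, split by family.

    Returns {"ip": [...], "ip6": [...]} in the order collapse_addresses
    yields them (sorted by address), ready to load into one set per family.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return {
        "ip": [str(n) for n in ipaddress.collapse_addresses(v4)],
        "ip6": [str(n) for n in ipaddress.collapse_addresses(v6)],
    }


if __name__ == "__main__":
    for a, b in find_overlaps(SAMPLE_DECISIONS):
        print(f"overlap: {a} covers {b}")
    for family, elems in collapse_for_set(SAMPLE_DECISIONS).items():
        print(f"{family} set elements = {{ {', '.join(elems)} }}")
```

Collapsing before the sync keeps the set accepting the broadest decision (the /64 or /48), so the narrower single-address decision is still blocked without ever being sent as a separate, rejected element. The flip side of that is worth keeping in mind when a broad range expires before a narrower one: after collapsing, the narrower entry has to be re-added on its own.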