Ban an IPv6 range -> decision for /64 created, but not added to nft set

Hello,
thanks for implementing banning an IPv6 range in 1.4! Unfortunately the /64’s are not added to my nftables set.

my profiles.yaml:

name: default_ipv4_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
duration_expr: "Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)" # increased duration every time an attacker comes back
on_success: break
---
name: default_ipv6_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
  - type: ban
    duration: 4h
    scope: range
duration_expr: "Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)" # increased duration every time an attacker comes back
on_success: break

the postoverflow works:

$ sudo cscli decisions list | grep /64
[...]
| 1242 | crowdsec | range:2a01:4f9:5a:xxxx::/64 | crowdsecurity/http-bad-user-agent      | ban    | DE      | 24940 Hetzner Online GmbH      |      2 | 3h52m16.089825275s  |     1430 |
| 1154 | crowdsec | range:2a01:4f9:5a:xxxx::/64 | crowdsecurity/http-bad-user-agent      | ban    | DE      | 24940 Hetzner Online GmbH      |      2 | 2h40m29.310927098s  |     1342 |

If I restart the crowdsec-firewall-bouncer process with debug I only see IPv4 addresses added:

time="09-10-2022 09:25:16" level=debug msg="adding 192.0.2.23 to buffer "

But no IPv6 addresses. The nft set stays empty:

table ip6 crowdsec6 {
        set crowdsec6-blacklists {
                type ipv6_addr
                flags timeout
        }

        chain crowdsec6-chain {
                type filter hook input priority filter - 10; policy accept;
                ip6 saddr @crowdsec6-blacklists counter packets 0 bytes 0 drop
        }
}

(I have set-only: true configured but also tested with false, no change).

Any help would be much appreciated, thanks!


Hello !

Thanks for the post. Do you mind sharing your firewall-bouncer config please ?

Thanks :slight_smile:

Hey @thibault,

of course, here we go:

mode: nftables
pid_dir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
log_compression: true
log_max_size: 2
log_max_backups: 3
log_max_age: 30
api_url: http://127.0.0.1:8081/
api_key: <redacted>
insecure_skip_verify: false
disable_ipv6: false
deny_action: DROP
deny_log: false
supported_decisions_types:
  - ban
#to change log prefix
#deny_log_prefix: "crowdsec: "
#to change the blacklists name
blacklists_ipv4: crowdsec-blacklists
blacklists_ipv6: crowdsec6-blacklists
## nftables
nftables:
  ipv4:
    enabled: true
    set-only: true
    table: crowdsec
    chain: crowdsec-chain
  ipv6:
    enabled: true
    set-only: true
    table: crowdsec6
    chain: crowdsec6-chain

I use set-only: true to enable counters on the drop nftables rules and be able to visualize the drops via nftables-exporter/prometheus/grafana, and to set type filter hook input priority filter - 10 to have the crowdsec chains deterministically evaluated before the default filter tables (which have a priority of 0).

But I also tried with set-only: false, didn’t work either.

When disabling crowdsecurity/ipv6_to_range the /128 are added to the nftables set.

Thanks for looking into this!

This outstanding PR here may be the reason the ranges are not being added?

I discussed this in depth with the core team, why the PR is outstanding for a while is NFTables seem to not like overlapping ranges or IPs that exist within a range that is added.

So this causes issues with us having to sync the ipset. As technically it won’t exist as it is rejected as per nftables. So I will need to discuss this with @thibault

thanks for looking into this @iiAmLoz & @thibault !

Hello,

@iiAmLoz @thibault I’d still be very interested in banning ranges like /64 with the nftables firewall bouncer. I see the PR is still open.
Did you find any time to discuss this?

thanks a lot!

There is a limitation in nftables where two ranges cannot be overlapping within a set. So this has made this hard to implement as if the user is unaware they could inadvertently hinder their system.

I am interested in this feature as well!

iiAmLoz, could not crowdsec do prefix aggregation before returning IP addresses list?
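An added illustration of the prefix aggregation suggested in the last post and of the overlap limitation described two posts earlier (example code written for this thread, not CrowdSec's or the bouncer's own): it collapses a constructed decision list into non-overlapping prefixes per address family and builds the matching `nft add element` commands. The table and set names come from the posted bouncer config, the 4h timeout from the posted profile; the addresses are constructed documentation prefixes.

```python
import ipaddress

# Constructed sample decisions in the scope/value form shown by `cscli decisions list`.
SAMPLE_DECISIONS = [
    ("range", "2001:db8:5a:1::/64"),
    ("ip", "2001:db8:5a:1::23"),      # host inside the /64 above: overlaps it
    ("ip", "2001:db8:5a:2::1"),       # host covered by the /64 below
    ("range", "2001:db8:5a:2::/64"),
    ("ip", "192.0.2.23"),             # host inside the /24 below
    ("range", "192.0.2.0/24"),
    ("ip", "198.51.100.7"),
]

def to_networks(decisions):
    """Map (scope, value) pairs to ip_network objects; a bare IP becomes a /32 or /128."""
    nets = []
    for scope, value in decisions:
        if scope.lower() == "range":
            nets.append(ipaddress.ip_network(value, strict=False))
        else:
            nets.append(ipaddress.ip_network(value))
    return nets

def has_overlap(nets):
    """True if any two entries overlap: the condition an nftables set rejects."""
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

def aggregate(decisions):
    """Collapse decisions into non-overlapping prefixes, one sorted list per address family."""
    nets = to_networks(decisions)
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return sorted(v4), sorted(v6)

def nft_add_commands(decisions, timeout="4h"):
    """Build `nft add element` commands for the table/set names from the posted bouncer config."""
    v4, v6 = aggregate(decisions)
    cmds = []
    for family, table, name, nets in (("ip", "crowdsec", "crowdsec-blacklists", v4),
                                      ("ip6", "crowdsec6", "crowdsec6-blacklists", v6)):
        for net in nets:
            # single hosts are written without a prefix length, as the bouncer's debug log shows them;
            # prefix elements only load into a set created with `flags interval`
            elem = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
            cmds.append(f"nft add element {family} {table} {name} {{ {elem} timeout {timeout} }}")
    return cmds

if __name__ == "__main__":
    print("raw list overlaps:", has_overlap(to_networks(SAMPLE_DECISIONS)))
    print("\n".join(nft_add_commands(SAMPLE_DECISIONS)))
```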