When using cs-firewall-bouncer with nftables, it does not appear to be possible to ban ranges of IP addresses. For example, after adding a range using sudo cscli decisions add --range 1.2.3.0/24, inspecting the content of the crowdsec table using sudo nft list table ip crowdsec shows that only IP 1.2.3.0 is banned.
The reason seems to be that the blocklist set definition is missing the "interval" flag (see Sets - nftables wiki). I'm not a Go coder, but I think changes would be needed in file nftables.go around lines 60 and 128.
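For reference, the nftables set form the report is pointing at, as an added illustration and not output from the bouncer or the project's nftables.go: a set of type ipv4_addr only holds single addresses unless it is declared with flags interval, in which case CIDR prefixes and address ranges are accepted as elements. The table name ip crowdsec comes from the report; the set name crowdsec-blacklists, the chain name and the element values are assumptions used only to make the fragment complete.

```nft
# Added example, not the project's generated ruleset.
# Set and chain names below are assumed; only "table ip crowdsec" is from the report.
table ip crowdsec {
    # Without "flags interval" only single addresses can be stored here,
    # which is consistent with the report seeing just 1.2.3.0 for 1.2.3.0/24.
    set crowdsec-blacklists {
        type ipv4_addr
        flags interval        # allows CIDR prefixes and ranges as elements
        elements = { 1.2.3.0/24, 10.0.0.5 }   # constructed sample entries
    }

    chain crowdsec-chain {
        type filter hook input priority 0; policy accept;
        ip saddr @crowdsec-blacklists drop
    }
}
```

After loading a ruleset like this with nft -f, sudo nft list table ip crowdsec should show flags interval on the set and the full 1.2.3.0/24 prefix among its elements, which is the check that distinguishes a correctly declared set from the truncated one described above.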