Ip ranges, cs-firewall-bouncer and nftables

When using cs-firewall-bouncer with nftables, it does not appear to be possible to ban ranges of IP addresses. For example, after adding a range using sudo cscli decisions add --range 1.2.3.0/24, inspecting the content of the crowdsec table using sudo nft list table ip crowdsec shows that only IP 1.2.3.0 is banned.

The reason seems to be that the blocklist set definition is missing the "interval" flag (see Sets - nftables wiki). I'm not a Go coder, but I think changes would be needed in file nftables.go around lines 60 and 128.


Hello @lleddewk ,

Thanks for reporting the issue! We are working on fixing it :slight_smile:


Hi, I still have exactly the same problem, and I am running:

cs-firewall-bouncer -V version: - BuildDate: GoVersion: 1.21.13 Platform: linux

on OpenWrt. Is there a solution to this already?

Thank you very much for your help and time.

Package:
crowdsec-firewall-bouncer
0.0.29-1

Openwrt: Powered by LuCI openwrt-23.05 branch (git-24.364.71483-75d2b84) / OpenWrt 23.05.3 (r23809-234f1a2efa)

You can find the pull request for range support: Support ranges in nftables by sbs2001 · Pull Request #85 · crowdsecurity/cs-firewall-bouncer · GitHub

Currently, though, we are unable to proceed with the implementation because nftables treats overlapping ranges as a hard error, and we couldn't find a solution to this, so ranges are currently not a supported remediation type in nftables mode.
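For readers who want to see what the "interval" flag from the first post actually changes, here is an added example: a hand-written nftables table, not output from cs-firewall-bouncer and not code from the cs-firewall-bouncer project. The table name crowdsec is kept from the thread; the set and chain names are made up, and the sample elements are constructed. It assumes nft 0.9 or later on a kernel with nf_tables set support, since the auto-merge keyword is not available in older releases.

```nft
# Added example, not the bouncer's own ruleset.
# Assumes nft >= 0.9 (auto-merge needs a reasonably recent nftables).

table ip crowdsec {
    # A plain ipv4_addr set with no "flags interval" can only hold single
    # addresses. Trying to add 1.2.3.0/24 to a set like this fails, which
    # matches the symptom in the thread: only 1.2.3.0 ends up banned.
    set blacklist_single {
        type ipv4_addr
        elements = { 1.2.3.0 }
    }

    # With "flags interval" the same set type accepts CIDR prefixes and
    # start-end ranges as elements.
    # "auto-merge" tells nft to merge adjacent or overlapping intervals
    # instead of rejecting them, which is the overlap error mentioned above.
    set blacklist_ranges {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { 1.2.3.0/24, 10.0.0.0/8, 192.0.2.10-192.0.2.20 }
    }

    chain input {
        type filter hook input priority 0; policy accept;
        # Match the source address against the interval set.
        ip saddr @blacklist_ranges drop
    }
}
```

Load it with sudo nft -f ranges.nft (assumed filename) and check the result with sudo nft list set ip crowdsec blacklist_ranges: the /24 and the dash range should be listed as ranges, not collapsed to their first address. To see how the overlap handling behaves on your kernel, try adding an element that overlaps an existing one, for example sudo nft add element ip crowdsec blacklist_ranges { 1.2.3.128-1.2.4.10 }; with auto-merge set, nft should fold it into the existing interval rather than return an error, whereas the same command against a set without auto-merge is where the hard error described in the previous post shows up. Whether auto-merge is enough for the bouncer's use case is a separate question the thread does not answer.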