cscli allows decisions on CIDR ranges, but nftables sets do not have the `interval` flag
TLDR: nftables sets created/managed by cs-firewall-bouncer are missing the `interval` flag, causing incorrect elements to be added for subnets.

Today I manually added a decision to ban an IPv6 subnet, which cscli reported as successful, but then I noticed that traffic from IPs in the subnet was still getting past the crowdsec6 table's chains. I dug deeper and realized that it's because the banned subnet wasn't added correctly to the `crowdsec6-blacklists-cscli` set; it appears to have been added as a single IP. `2a06:4880::` is not equivalent to `2a06:4880::/32`, as seen below:
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command `/resolve` or press the green resolve button below.

Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.

Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.

Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.

© Created By WhyAydan for CrowdSec ❤️
As a test I attempted to manually add the subnet as an element, and I believe the result confirms the root cause, which is that the `interval` flag is missing from the set definition:

I already did some googling & AI-ing, but it seems that currently there is no way to override how these sets are created in cs-firewall-bouncer's configuration to add the `interval` flag to the sets (it's also missing from the IPv4 `crowdsec-blacklists-cscli` set).

I would love to be wrong here and find out that there is actually a way to configure cs-firewall-bouncer to create the sets with `flags timeout,interval`. Or that I'm overlooking some other simple solution. Ideally, I'd like to keep the tables fully managed and not have to resort to managing them myself; I'm not even sure if it would work if I configured cs-firewall-bouncer as set-only, since the sets would likely be recreated (incorrectly) on every restart.

Any advice?

That looks more like a bug report for github
2a06:4880::/32 is a LOT of addresses, I know... probably for the best that it didn't work 😂
But still... the sets are missing a key attribute needed to support an existing cscli capability.

GH issue created: https://github.com/crowdsecurity/cs-firewall-bouncer/issues/412
GitHub link preview:
cscli allows decisions on CIDR ranges, but nftables sets are missin...
What happened? TLDR: nftables sets created/managed by cs-firewall-bouncer are missing the interval flag, causing incorrect elements to be added (IPv6) or total failure to add (IPv4) for subnets. To...
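As an added check (not code from the thread or from cs-firewall-bouncer), this script audits the JSON that `nft -j list ruleset` prints, reports address sets that lack the `interval` flag, and tells you whether a CIDR decision such as 2a06:4880::/32 actually landed as a prefix element or collapsed to a single host. The libnftables JSON layout, the set details and the two sample rulesets are assumptions constructed for the example.

```python
import ipaddress
import json

# Constructed samples of `nft -j list ruleset` output (assumed libnftables JSON
# layout). BROKEN: the set has no 'interval' flag and the cscli ban of
# 2a06:4880::/32 landed as the bare address 2a06:4880::. FIXED: the set has
# flags timeout,interval and holds a genuine prefix element.
_SET = {"family": "ip6", "table": "crowdsec6", "name": "crowdsec6-blacklists-cscli",
        "type": "ipv6_addr"}
BROKEN_NFT_JSON = json.dumps({"nftables": [
    {"metainfo": {"version": "1.0.9", "json_schema_version": 1}},
    {"set": dict(_SET, flags=["timeout"],
                 elem=[{"elem": {"val": "2a06:4880::", "timeout": 14400}}])}]})
FIXED_NFT_JSON = json.dumps({"nftables": [
    {"set": dict(_SET, flags=["timeout", "interval"],
                 elem=[{"elem": {"val": {"prefix": {"addr": "2a06:4880::", "len": 32}},
                                 "timeout": 14400}}])}]})

def set_elements(set_obj):
    """Members of a set as ip_network objects; bare addresses become /32 or /128."""
    nets = []
    for e in set_obj.get("elem", []):
        v = e["elem"]["val"] if isinstance(e, dict) and "elem" in e else e  # timeout wrapper
        if isinstance(v, dict) and "prefix" in v:
            nets.append(ipaddress.ip_network(f'{v["prefix"]["addr"]}/{v["prefix"]["len"]}'))
        else:
            nets.append(ipaddress.ip_network(v))
    return nets

def audit(nft_json, expected_cidrs):
    """Report sets lacking 'interval' and CIDR decisions absent or collapsed to one host."""
    findings = []
    for obj in json.loads(nft_json)["nftables"]:
        s = obj.get("set")
        if not s or s.get("type") not in ("ipv4_addr", "ipv6_addr"):
            continue
        name = f'{s["family"]} {s["table"]} {s["name"]}'
        if "interval" not in s.get("flags", []):
            findings.append(f"{name}: missing 'interval' flag, CIDR elements unsupported")
        members = set_elements(s)
        for cidr in expected_cidrs:
            want = ipaddress.ip_network(cidr)
            if want.version != (6 if s["type"] == "ipv6_addr" else 4) or want in members:
                continue  # wrong address family for this set, or the prefix is really there
            hosts = [m for m in members if m.prefixlen == m.max_prefixlen]
            if any(m.network_address == want.network_address for m in hosts):
                findings.append(f"{name}: {cidr} collapsed to single host {want.network_address}")
            else:
                findings.append(f"{name}: {cidr} not present")
    return findings
```

On a live host, feed it `nft -j list ruleset` and the CIDR decisions you expect from `cscli decisions list`; an empty result means every expected prefix is present in a set that can hold intervals.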