cscli allows decisions on CIDR ranges, but nftables sets do not have the `interval` flag
TLDR: nftables sets created/managed by cs-firewall-bouncer are missing the `interval` flag, causing incorrect elements to be added for subnets.
Today I manually added a decision to ban an IPv6 subnet, which cscli reported as successful, but then I noticed that traffic from IPs in the subnet was still getting past the crowdsec6 table's chains. I dug deeper and realized that it's because the banned subnet wasn't added correctly to the `crowdsec6-blacklists-cscli` set; it appears to have been added as a single IP.
```
root@srv:~# cscli decisions add --range 2a06:4880::/32 --duration 90d --reason "[srv] manual ban"
INFO Decision successfully added
root@srv:~# nft list set ip6 crowdsec6 crowdsec6-blacklists-cscli
table ip6 crowdsec6 {
	set crowdsec6-blacklists-cscli {
		type ipv6_addr
		flags timeout
		elements = { 2a06:4880:: timeout 29d23h35m21s expires 29d22h28m56s800ms }
	}
}
```
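The check below is an added example and is not code from the bug report or from cs-firewall-bouncer. It parses the text that `nft list set` prints and reports whether a set carries the `interval` flag (without it nftables cannot store a `/32` prefix as a range, which is why the prefix above collapsed to the single address `2a06:4880::`) and whether a given prefix is actually present as an element. The two sample listings are constructed: the first copies the broken set from the report, the second shows what the same set would look like once created with `flags interval, timeout`. The function and variable names, and the table and set names reused from the report, are assumptions for the example.

```shell
#!/bin/sh
# Added example: audit an nftables set listing for the `interval` flag.
# Not part of the bug report or of cs-firewall-bouncer.

# Constructed sample: the set exactly as the report shows it. No `interval`
# flag, and the /32 prefix was stored as a single address.
SAMPLE_BROKEN='table ip6 crowdsec6 {
	set crowdsec6-blacklists-cscli {
		type ipv6_addr
		flags timeout
		elements = { 2a06:4880:: timeout 29d23h35m21s expires 29d22h28m56s800ms }
	}
}'

# Constructed sample: the same set created with `flags interval, timeout`,
# after which the prefix is stored as a range element. Timer values are made up.
SAMPLE_FIXED='table ip6 crowdsec6 {
	set crowdsec6-blacklists-cscli {
		type ipv6_addr
		flags interval,timeout
		elements = { 2a06:4880::/32 timeout 90d expires 89d23h59m50s }
	}
}'

# set_has_interval: read `nft list set ...` output on stdin.
# Returns 0 if the set's `flags` line lists `interval`, 1 otherwise.
# nft prints flags as a comma-separated list ("interval,timeout"), so split on
# commas and look for an exact `interval` token rather than a substring.
set_has_interval() {
    sed -n 's/^[[:space:]]*flags[[:space:]]*//p' \
        | tr ',' '\n' | tr -d ' \t' | grep -qx interval
}

# set_contains_element: read the listing on stdin; return 0 if the element
# text in $1 (e.g. 2a06:4880::/32, prefix length included) appears literally.
set_contains_element() {
    grep -F -q -- "$1"
}

# audit_set: read the listing on stdin and check both conditions for the
# prefix in $1. Prints a FAIL line per problem; returns 0 only if both hold.
audit_set() {
    listing=$(cat)
    status=0
    if ! printf '%s\n' "$listing" | set_has_interval; then
        echo "FAIL: set lacks the interval flag; CIDR decisions cannot be stored as ranges"
        status=1
    fi
    if ! printf '%s\n' "$listing" | set_contains_element "$1"; then
        echo "FAIL: element $1 is not present in the set"
        status=1
    fi
    return $status
}

# print_fixed_set_definition: the set declaration that allows prefix elements
# (assumption: same table and set names as in the report). An existing set's
# flags cannot be changed in place; the set has to be deleted and recreated.
# `nft -c -f <file>` parses a ruleset without applying it, which is the quick
# way to confirm that a given host's nft and kernel accept this combination.
print_fixed_set_definition() {
    cat <<'EOF'
table ip6 crowdsec6 {
	set crowdsec6-blacklists-cscli {
		type ipv6_addr
		flags interval, timeout
	}
}
EOF
}

# Live use on the affected host (needs root):
#   nft list set ip6 crowdsec6 crowdsec6-blacklists-cscli | audit_set 2a06:4880::/32
```

Run against the two constructed listings, `audit_set 2a06:4880::/32` fails on the first (no `interval` flag, and only the bare address `2a06:4880::` is present) and passes on the second. On a live system, pipe the real `nft list set` output into it; a set that fails the first check will silently accept single addresses while every `--range` decision is reduced to its network address, which is exactly the symptom in the report.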