Open
Description
What happened?
When I add a range of IPs as a crowdsec decision, I don't see a rule in nftables.
It works fine with one IP.
What did you expect to happen?
Block IP range with nft rules.
How can we reproduce it (as minimally and precisely as possible)?
Add an IP range as a crowdsec decision
# cscli decisions add --range 159.138.96.0/20 --type ban -R spam -d 5000h
INFO Decision successfully added
Check that the IP range has been added
# cscli decisions list
╭────────┬────────┬───────────────────────┬────────┬────────┬─────────┬────┬────────┬─────────────┬──────────╮
│ ID │ Source │ Scope:Value │ Reason │ Action │ Country │ AS │ Events │ expiration │ Alert ID │
├────────┼────────┼───────────────────────┼────────┼────────┼─────────┼────┼────────┼─────────────┼──────────┤
│ 303001 │ cscli │ Range:159.138.96.0/20 │ spam │ ban │ │ │ 1 │ 4999h59m53s │ 90 │
╰────────┴────────┴───────────────────────┴────────┴────────┴─────────┴────┴────────┴─────────────┴──────────╯
Check the nftables filter rules
# nft list ruleset | grep "159.138."
elements = { 159.138.96.0 timeout 208d7h59m53s expires 208d7h58m14s572ms }
The IP range 159.138.96.0/20 is not added to nftables by cs-firewall-bouncer.
Anything else we need to know?
No response
version
remediation component version:
# cscli bouncers list
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Name IP Address Valid Last API pull Type Version Auth Type
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
cs-firewall-bouncer-1730651800 127.0.0.1 ✔️ 2025-02-28T08:19:30Z crowdsec-firewall-bouncer v0.0.31-debian-pragmatic-amd64-4b99c161b2c1837d76c5fa89e1df83803dfbcc87 api-key
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
$ crowdsec-firewall-bouncer --version
version: v0.0.31-debian-pragmatic-amd64-4b99c161b2c1837d76c5fa89e1df83803dfbcc87
BuildDate: 2024-09-26_12:15:22
GoVersion: 1.22.2
Platform: linux
crowdsec version
$ crowdsec --version
version: v1.6.3-debian-pragmatic-amd64-4851945a
OS version
# On Linux:
$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
$ uname -a
Linux dev 6.1.0-26-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.112-1 (2024-09-30) x86_64 GNU/Linux
Activity
github-actions commented on Feb 28, 2025
@daikoz: Thanks for opening an issue, it is currently awaiting triage.
In the meantime, you can:
I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.
LaurenceJJones commented on Feb 28, 2025
Hey, thank you for your issue!
Currently nftables mode in this remediation does not support ranges; as you can see in #85, it is pretty difficult to cover every edge case, as nftables sees overlapping ranges as an error.
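To illustrate the overlap problem described above, here is an added example (written for this page, not code from cs-firewall-bouncer) that plans a range insertion into an interval set so that no two elements overlap: it finds the existing elements the new range intersects, collapses them with the new range, and renders the resulting nft commands as strings. The table and set names and the sample elements are constructed placeholders.

```python
import ipaddress


def _nets(elements, version):
    """Parse set elements (bare IPs or CIDR ranges) into networks of one address
    family; a bare address becomes a /32 or /128. Other families are ignored."""
    nets = [ipaddress.ip_network(e, strict=False) for e in elements]
    return [n for n in nets if n.version == version]


def find_overlaps(existing, candidate):
    """Existing elements that intersect the candidate range, i.e. the ones an
    nftables interval set would refuse to hold next to the candidate."""
    cand = ipaddress.ip_network(candidate, strict=False)
    return [str(n) for n in _nets(existing, cand.version) if n.overlaps(cand)]


def plan_add(existing, candidate):
    """Return (to_delete, to_add) keeping the set overlap-free: if the candidate is
    already covered by a wider element nothing changes; otherwise every element
    intersecting the candidate is removed and the collapsed union is added."""
    cand = ipaddress.ip_network(candidate, strict=False)
    overlapping = [n for n in _nets(existing, cand.version) if n.overlaps(cand)]
    if any(cand.subnet_of(n) for n in overlapping):
        return [], []
    merged = ipaddress.collapse_addresses(overlapping + [cand])
    return [str(n) for n in overlapping], [str(n) for n in merged]


def render_nft(table, set_name, to_delete, to_add, timeout):
    """Build the nft commands as strings; nothing is executed here."""
    cmds = [f"nft delete element inet {table} {set_name} {{ {e} }}" for e in to_delete]
    cmds += [f"nft add element inet {table} {set_name} {{ {e} timeout {timeout} }}"
             for e in to_add]
    return cmds


if __name__ == "__main__":
    # Constructed sample: the single host that did land in the set (as in the
    # `nft list ruleset` output above) plus the /20 decision from the report.
    existing = ["159.138.96.0"]
    to_delete, to_add = plan_add(existing, "159.138.96.0/20")
    # Placeholder table/set names; the bouncer's real names are not shown on this page.
    for cmd in render_nft("TABLE_PLACEHOLDER", "SET_PLACEHOLDER", to_delete, to_add, "5000h"):
        print(cmd)
```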