# nftables bouncer ignores ipset_type and fails to block CIDR subnets due to missing interval flag #4517

@Tamila-2017

Description

### What happened?

When mode: nftables is configured, the firewall bouncer fails to drop traffic from blocked CIDR subnets (e.g., manual range decisions like /24).

The bouncer dynamically creates the nftables sets using strictly type ipv4_addr and completely omits the flags interval parameter. In nftables, omitting the interval flag forces the Linux kernel to drop the netmask entirely and evaluate the entry as a single host IP (matching only the .0 network address). As a consequence, malicious traffic originating from any real host inside that range (e.g., 87.251.64.149) successfully bypasses the firewall and hits protected services.

Furthermore, setting ipset_type: cidr in the configuration file has no impact on how the bouncer provisions native nftables sets.

### What did you expect to happen?

The bouncer should recognize CIDR blocks or respect the ipset_type: cidr option by appending the interval flag during native nftables set creation. The expected set definition generated in the kernel should look like this:

```
set crowdsec-blacklists-cscli {
    type ipv4_addr
    flags interval, timeout
}
```

### How can we reproduce it (as minimally and precisely as possible)?

1. Configure crowdsec-firewall-bouncer to use `mode: nftables` and `ipset_type: cidr` in `/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml`.
2. Add a manual subnet ban via cscli: `sudo cscli decisions add --range 87.251.64.0/24 --reason "ssh brute force"`.
3. Check the active nftables state: `sudo nft list table ip crowdsec`.
4. Observe that the generated set `crowdsec-blacklists-cscli` has `type ipv4_addr` but lacks `flags interval`.
5. Observe that attempts to connect from any real host within that subnet (e.g., 87.251.64.149) are still allowed and bypass the firewall.

### Anything else we need to know?

Manually dropping the bouncer-created table and adding a custom set with flags interval, timeout completely remediates the issue, confirming that the network subsystem and kernel function correctly when proper flags are provided.
Here is the faulty state currently generated by the bouncer:

```
table ip crowdsec {
    set crowdsec-blacklists-cscli {
        type ipv4_addr
        flags timeout
        elements = { 87.251.64.0 timeout 4d47m expires 4d43m }
    }
}
```

Bouncer log output during initialization:

```
time="2026-06-15T18:21:57+03:00" level=info msg="backend type: nftables"
time="2026-06-15T18:21:57+03:00" level=info msg="nftables initiated"
time="2026-06-15T18:21:57+03:00" level=info msg="Created set and rule for origin cscli and type ipv4_addr in chain crowdsec-chain-input"
time="2026-06-15T18:21:57+03:00" level=info msg="19916 decisions added"
```

### Crowdsec version

<details>

```console
$ cscli version
version: v1.6.0
```

</details>

### OS version

<details>

```console
$ cscli version
version: v1.6.0
```

</details>


### Enabled collections and parsers

<details>

```console
sudo cscli hub list -o raw
crowdsecurity/apache2,enabled,0.1,apache2 support : parser and generic http scenarios ,collections
crowdsecurity/base-http-scenarios,enabled,0.6,http common : scanners detection,collections
crowdsecurity/http-cve,enabled,1.9,,collections
crowdsecurity/linux,enabled,0.2,core linux support : syslog+ssh,collections
crowdsecurity/nginx,enabled,0.2,nginx support : parser and generic http scenarios,collections
crowdsecurity/sshd,enabled,0.2,sshd support : parser and brute-force detection,collections
crowdsecurity/apache2-logs,enabled,1.3,Parse Apache2 access and error logs,parsers
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/http-logs,enabled,1.1,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/nginx-logs,enabled,1.3,Parse nginx access and error logs,parsers
crowdsecurity/sshd-logs,enabled,2.0,Parse openSSH logs,parsers
crowdsecurity/syslog-logs,enabled,0.8,,parsers
crowdsecurity/whitelists,enabled,0.2,Whitelist events from private ipv4 addresses,parsers
crowdsecurity/CVE-2022-26134,enabled,0.1,Detect CVE-2022-26134 exploits,scenarios
crowdsecurity/CVE-2022-35914,enabled,0.1,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.1,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.2,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.3,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-41697,enabled,0.1,Detect CVE-2022-41697 enumeration,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.2,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/CVE-2022-44877,enabled,0.2,Detect CVE-2022-44877 exploits,scenarios
crowdsecurity/CVE-2022-46169,enabled,0.1,Detect CVE-2022-46169 brute forcing,scenarios
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.4,Detect cve-2021-44228 exploitation attemps,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.1,Detect cve-2020-5902 exploitation attemps,scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.2,Detect cve-2018-13379 exploitation attemps,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.1,Detect cve-2021-43798 exploitation attemps,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.3,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,0.7,Detect bad user-agents,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.3,Detect aggressive crawl from single ip,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.1,cve-2021-41773,scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.1,cve-2021-42013,scenarios
crowdsecurity/http-generic-bf,enabled,0.4,Detect generic http brute force,scenarios
crowdsecurity/http-open-proxy,enabled,0.3,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.2,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.2,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sensitive-files,enabled,0.2,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.2,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-xss-probing,enabled,0.2,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.1,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
crowdsecurity/nginx-req-limit-exceeded,enabled,0.1,Detects IPs which violate nginx's user set request limit.,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.2,Detect cve-2019-11510 exploitation attemps,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.2,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.1,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.2,Detect slow ssh bruteforce,scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.3,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.2,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.1,Detect VMSA-2021-0027 exploitation attemps,scenarios
ltsich/http-w00tw00t,enabled,0.1,detect w00tw00t,scenarios
```

</details>


### Acquisition config

<details>

```console
sudo cat /etc/crowdsec/acquis.yaml
filenames:
  - /var/log/nginx/*.log
  - ./tests/nginx/nginx.log
#this is not a syslog log, indicate which kind of logs it is
labels:
  type: nginx
---
filenames:
  - /var/log/auth.log
  - /var/log/syslog
labels:
  type: syslog
---
source: journalctl
journalctl_filter:
  - "_SYSTEMD_UNIT=ssh.service"
labels:
  type: syslog
---
filename: /var/log/apache2/*.log
labels:
  type: apache2
```

</details>


### Config show

<details>

```console
sudo cscli config show
Global:
   - Configuration Folder : /etc/crowdsec
   - Data Folder : /var/lib/crowdsec/data
   - Hub Folder : /var/lib/crowdsec/hub
   - Simulation File : /etc/crowdsec/simulation.yaml
   - Log Folder : /var/log/
   - Log level : info
   - Log Media : file
Crowdsec:
   - Acquisition File : /etc/crowdsec/acquis.yaml
   - Parsers routines : 1
   - Acquisition Folder : /etc/crowdsec/acquis.d
cscli:
   - Output : human
   - Hub Branch :
   - Hub Folder : /var/lib/crowdsec/hub
Local API Server:
   - Listen URL : 127.0.0.1:8080
   - Profile File : /etc/crowdsec/profiles.yaml
   - Trusted IPs:
       - 127.0.0.1
       - ::1
   - Database:
       - Type : sqlite
       - Path : /var/lib/crowdsec/data/crowdsec.db
       - Flush age : 7d
       - Flush size : 5000
```

</details>


### Prometheus metrics

<details>

```console
sudo cscli metrics

Acquisition Metrics:
╭─────────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────╮
│                     Source                      │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │
├─────────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┤
│ file:/var/log/auth.log                          │ 100        │ 14           │ 86             │ 36                     │
│ file:/var/log/nginx/access.log                  │ 331        │ 330          │ 1              │ 181                    │
│ file:/var/log/nginx/error.log                   │ 1          │ -            │ 1              │ -                      │
│ file:/var/log/syslog                            │ 23         │ -            │ 23             │ -                      │
│ journalctl:journalctl-_SYSTEMD_UNIT=ssh.service │ 25         │ 14           │ 11             │ 28                     │
╰─────────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────╯

Bucket Metrics:
╭──────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────╮
│                Bucket                │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├──────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/http-bad-user-agent    │ -             │ 6         │ 11           │ 17     │ 5       │
│ crowdsecurity/http-crawl-non_statics │ 1             │ -         │ 34           │ 116    │ 33      │
│ crowdsecurity/http-probing           │ -             │ -         │ 6            │ 9      │ 6       │
│ crowdsecurity/http-sensitive-files   │ -             │ 7         │ 8            │ 39     │ 1       │
│ crowdsecurity/ssh-bf                 │ -             │ 4         │ 6            │ 28     │ 2       │
│ crowdsecurity/ssh-bf_user-enum       │ -             │ -         │ 2            │ 4      │ 2       │
│ crowdsecurity/ssh-slow-bf            │ -             │ 2         │ 4            │ 28     │ 2       │
│ crowdsecurity/ssh-slow-bf_user-enum  │ -             │ -         │ 2            │ 4      │ 2       │
╰──────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯

Parser Metrics:
╭─────────────────────────────────┬──────┬────────┬──────────╮
│             Parsers             │ Hits │ Parsed │ Unparsed │
├─────────────────────────────────┼──────┼────────┼──────────┤
│ child-crowdsecurity/http-logs   │ 990  │ 662    │ 328      │
│ child-crowdsecurity/nginx-logs  │ 334  │ 330    │ 4        │
│ child-crowdsecurity/sshd-logs   │ 440  │ 28     │ 412      │
│ child-crowdsecurity/syslog-logs │ 148  │ 148    │ -        │
│ crowdsecurity/dateparse-enrich  │ 358  │ 358    │ -        │
│ crowdsecurity/http-logs         │ 330  │ 330    │ -        │
│ crowdsecurity/nginx-logs        │ 332  │ 330    │ 2        │
│ crowdsecurity/non-syslog        │ 332  │ 332    │ -        │
│ crowdsecurity/sshd-logs         │ 50   │ 28     │ 22       │
│ crowdsecurity/syslog-logs       │ 148  │ 148    │ -        │
│ crowdsecurity/whitelists        │ 358  │ 358    │ -        │
╰─────────────────────────────────┴──────┴────────┴──────────╯

Local Api Metrics:
╭──────────────────────┬────────┬──────╮
│        Route         │ Method │ Hits │
├──────────────────────┼────────┼──────┤
│ /v1/alerts           │ POST   │ 10   │
│ /v1/decisions/stream │ GET    │ 864  │
│ /v1/heartbeat        │ GET    │ 143  │
│ /v1/usage-metrics    │ POST   │ 9    │
│ /v1/watchers/login   │ POST   │ 4    │
╰──────────────────────┴────────┴──────╯

Local Api Machines Metrics:
╭──────────────────────────────────┬───────────────┬────────┬──────╮
│             Machine              │     Route     │ Method │ Hits │
├──────────────────────────────────┼───────────────┼────────┼──────┤
│ dc30949693adb74a8d33371ad8d8e960 │ /v1/heartbeat │ GET    │ 143  │
│ dc30949693adb74a8d33371ad8d8e960 │ /v1/alerts    │ POST   │ 10   │
╰──────────────────────────────────┴───────────────┴────────┴──────╯

Local Api Bouncers Metrics:
╭────────────────────────────────┬──────────────────────┬────────┬──────╮
│            Bouncer             │        Route         │ Method │ Hits │
├────────────────────────────────┼──────────────────────┼────────┼──────┤
│ cs-firewall-bouncer-1781465393 │ /v1/decisions/stream │ GET    │ 864  │
╰────────────────────────────────┴──────────────────────┴────────┴──────╯

Local Api Decisions:
╭──────────────────────────────────────┬──────────┬────────┬───────╮
│                Reason                │  Origin  │ Action │ Count │
├──────────────────────────────────────┼──────────┼────────┼───────┤
│ http:bruteforce                      │ CAPI     │ ban    │ 126   │
│ http:crawl                           │ CAPI     │ ban    │ 21    │
│ http:dos                             │ CAPI     │ ban    │ 128   │
│ http:exploit                         │ CAPI     │ ban    │ 207   │
│ http:scan                            │ CAPI     │ ban    │ 16520 │
│ crowdsecurity/http-cve-2021-41773    │ crowdsec │ ban    │ 1     │
│ crowdsecurity/http-sensitive-files   │ crowdsec │ ban    │ 4     │
│ ssh:bruteforce                       │ CAPI     │ ban    │ 3370  │
│ crowdsecurity/http-bad-user-agent    │ crowdsec │ ban    │ 6     │
│ crowdsecurity/http-crawl-non_statics │ crowdsec │ ban    │ 2     │
│ crowdsecurity/ssh-bf                 │ crowdsec │ ban    │ 3     │
│ crowdsecurity/ssh-slow-bf            │ crowdsec │ ban    │ 3     │
│ Постоянно ломится на мой VDS         │ cscli    │ ban    │ 1     │
╰──────────────────────────────────────┴──────────┴────────┴───────╯

Local Api Alerts:
╭──────────────────────────────────────┬───────╮
│                Reason                │ Count │
├──────────────────────────────────────┼───────┤
│ crowdsecurity/http-bad-user-agent    │ 14    │
│ crowdsecurity/http-crawl-non_statics │ 5     │
│ crowdsecurity/http-open-proxy        │ 3     │
│ crowdsecurity/http-sensitive-files   │ 13    │
│ crowdsecurity/ssh-bf                 │ 11    │
│ Постоянно ломится на мой VDS         │ 2     │
│ crowdsecurity/CVE-2022-41082         │ 2     │
│ crowdsecurity/http-cve-2021-41773    │ 9     │
│ crowdsecurity/http-cve-2021-42013    │ 4     │
│ crowdsecurity/http-probing           │ 4     │
│ crowdsecurity/ssh-slow-bf            │ 11    │
╰──────────────────────────────────────┴───────╯
```

</details>

### Related custom configs versions (if applicable): notification plugins, custom scenarios, parsers etc.

<details>

None / Standard configuration

</details>
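As an added example (not part of this issue or of the crowdsec-firewall-bouncer project), the following POSIX shell check audits an `nft list table ip crowdsec` dump for sets declared without `flags interval`, which is the condition described under "What happened?" and "Anything else we need to know?". The sample dump is constructed from the faulty state quoted above plus a hypothetical, correctly declared second set named `crowdsec-blacklists-crowdsecurity`; the set name and the 203.0.113.0/24 element are assumptions for illustration.

```shell
# Audit an nftables table dump for sets that lack the `interval` flag.
# Without it the kernel stores "87.251.64.0" as a single host, so hosts
# inside the /24 are never matched by the drop rule.

# Constructed sample: the faulty set from the issue, plus a hypothetical
# second set that is declared the way the reporter expects.
NFT_DUMP='table ip crowdsec {
    set crowdsec-blacklists-cscli {
        type ipv4_addr
        flags timeout
        elements = { 87.251.64.0 timeout 4d47m expires 4d43m }
    }
    set crowdsec-blacklists-crowdsecurity {
        type ipv4_addr
        flags interval, timeout
        elements = { 203.0.113.0/24 timeout 4h expires 3h }
    }
}'

# set_flags DUMP SETNAME -> prints the value of that set's "flags" line ("" if absent)
set_flags() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == "set" && $2 == name { inset = 1; next }
        inset && $1 == "flags"   { sub(/^[ \t]*flags[ \t]*/, ""); print; exit }
        inset && $1 == "}"       { exit }
    '
}

# set_has_interval DUMP SETNAME -> exit status 0 if "interval" is among the flags
set_has_interval() {
    case ",$(set_flags "$1" "$2" | tr -d ' ')," in
        *,interval,*) return 0 ;;
        *)            return 1 ;;
    esac
}

# audit DUMP -> one line per set: "<name> ok" or "<name> MISSING-interval"
audit() {
    printf '%s\n' "$1" | awk '$1 == "set" { print $2 }' | while read -r name; do
        if set_has_interval "$1" "$name"; then
            echo "$name ok"
        else
            echo "$name MISSING-interval"
        fi
    done
}

# Manual remediation as the reporter describes it (standard nft syntax):
#   nft add set ip crowdsec crowdsec-blacklists-cscli '{ type ipv4_addr; flags interval, timeout; }'
```

Run `audit "$(sudo nft list table ip crowdsec)"` on a live host to check the sets the bouncer actually created. Note that an interval set rejects overlapping elements (for example a /24 and a host inside it) unless it is created with `auto-merge`, so a bouncer that emits both ban granularities has to account for that as well.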
