fix(cs-firewall-bouncer): Add missing DROP rules for blacklisted IPs

The init script created nftables sets and chains but never added the
actual DROP rules to block traffic from blacklisted IPs. This caused
the bouncer to populate sets correctly but traffic was never blocked.

Added DROP rules for:
- IPv4 input chain (crowdsec-blacklists)
- IPv4 forward chain (crowdsec-blacklists)
- IPv6 input chain (crowdsec6-blacklists)
- IPv6 forward chain (crowdsec6-blacklists)

Each rule respects the deny_log and deny_action configuration options.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CyberMind-FR 2026-01-16 08:27:46 +01:00
parent 3f2fdaae47
commit f72ea0da32
2 changed files with 25 additions and 1 deletions


@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=secubox-app-cs-firewall-bouncer
PKG_VERSION:=0.0.31
PKG_RELEASE:=1
PKG_RELEASE:=2
# Source from upstream CrowdSec
# Note: v0.0.31 is the last version compatible with Go 1.23 (OpenWrt 24.10 SDK)


@ -194,12 +194,24 @@ init_nftables() {
nft add chain ip "$TABLE" $chain_name-input "{ type filter hook input priority $hook_priority; policy accept; }"
nft add rule ip "$TABLE" $chain_name-input ct state established,related accept
nft add rule ip "$TABLE" $chain_name-input iifname != \{ $interface \} accept
# Drop traffic from blacklisted IPs
if [ "$deny_log" -eq "1" ]; then
nft add rule ip "$TABLE" $chain_name-input ip saddr @crowdsec-blacklists $log_term $deny_action
else
nft add rule ip "$TABLE" $chain_name-input ip saddr @crowdsec-blacklists $deny_action
fi
fi
if [ "$filter_forward" -eq "1" ]; then
nft add chain ip "$TABLE" $chain_name-forward "{ type filter hook forward priority $hook_priority; policy accept; }"
nft add rule ip "$TABLE" $chain_name-forward ct state established,related accept
nft add rule ip "$TABLE" $chain_name-forward iifname != \{ $interface \} accept
# Drop traffic from blacklisted IPs
if [ "$deny_log" -eq "1" ]; then
nft add rule ip "$TABLE" $chain_name-forward ip saddr @crowdsec-blacklists $log_term $deny_action
else
nft add rule ip "$TABLE" $chain_name-forward ip saddr @crowdsec-blacklists $deny_action
fi
fi
fi
@ -212,12 +224,24 @@ init_nftables() {
nft add chain ip6 "$TABLE6" $chain6_name-input "{ type filter hook input priority $hook_priority; policy accept; }"
nft add rule ip6 "$TABLE6" $chain6_name-input ct state established,related accept
nft add rule ip6 "$TABLE6" $chain6_name-input iifname != \{ $interface \} accept
# Drop traffic from blacklisted IPs
if [ "$deny_log" -eq "1" ]; then
nft add rule ip6 "$TABLE6" $chain6_name-input ip6 saddr @crowdsec6-blacklists $log_term $deny_action
else
nft add rule ip6 "$TABLE6" $chain6_name-input ip6 saddr @crowdsec6-blacklists $deny_action
fi
fi
if [ "$filter_forward" -eq "1" ]; then
nft add chain ip6 "$TABLE6" $chain6_name-forward "{ type filter hook forward priority $hook_priority; policy accept; }"
nft add rule ip6 "$TABLE6" $chain6_name-forward ct state established,related accept
nft add rule ip6 "$TABLE6" $chain6_name-forward iifname != \{ $interface \} accept
# Drop traffic from blacklisted IPs
if [ "$deny_log" -eq "1" ]; then
nft add rule ip6 "$TABLE6" $chain6_name-forward ip6 saddr @crowdsec6-blacklists $log_term $deny_action
else
nft add rule ip6 "$TABLE6" $chain6_name-forward ip6 saddr @crowdsec6-blacklists $deny_action
fi
fi
fi
}
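Review bot: In all four new branches (ip and ip6, input and forward) an empty `deny_action` yields a rule with no verdict — `nft add rule ... saddr @crowdsec-blacklists` is accepted and matches, but the packet continues to the chain's `policy accept` — so an unset or mistyped option silently reproduces the exact bug this commit fixes. Where `deny_action` and `log_term` are read lies outside the hunk, so I can't tell whether a default is applied; a guard such as `: "${deny_action:=drop}"` ahead of the chain setup, or a `case "$deny_action" in drop|reject*) ;; *) exit 1 ;; esac` check, would make that failure loud. The same if/else is repeated four times with only family, table, chain and set differing, and none of the `nft` calls has `||` handling, so a rejected rule also goes unnoticed; a small helper as below keeps the verdict logic in one place and gives one spot to log a failure. Note too that the new rules sit after `ct state established,related accept`, so flows already established from an address that is later added to the set keep passing until they end — fine if intended, but worth a comment on the rule. The enclosing init_nftables body starts before the hunk.
```shell
# Append the blacklist verdict rule to CHAIN. FAMILY is ip or ip6, SET is the
# named set the bouncer fills. An empty deny_action is refused rather than
# producing a verdict-less (no-op) rule.
add_deny_rule() {
	local family="$1" table="$2" chain="$3" set="$4"
	[ -n "$deny_action" ] || { logger -t cs-firewall-bouncer "deny_action is empty, refusing to add rule"; return 1; }
	if [ "$deny_log" -eq 1 ]; then
		nft add rule "$family" "$table" "$chain" "$family" saddr "@$set" $log_term $deny_action
	else
		nft add rule "$family" "$table" "$chain" "$family" saddr "@$set" $deny_action
	fi
}

# … unchanged: chain creation and ct state / iifname accept rules …
add_deny_rule ip "$TABLE" "$chain_name-input" crowdsec-blacklists || return 1
# … unchanged: same call for $chain_name-forward and the ip6 chains with crowdsec6-blacklists …
```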