From f72ea0da322d849ceb9837632a8404ce7129dc23 Mon Sep 17 00:00:00 2001 From: CyberMind-FR Date: Fri, 16 Jan 2026 08:27:46 +0100 Subject: [PATCH] fix(cs-firewall-bouncer): Add missing DROP rules for blacklisted IPs The init script created nftables sets and chains but never added the actual DROP rules to block traffic from blacklisted IPs. This caused the bouncer to populate sets correctly but traffic was never blocked. Added DROP rules for: - IPv4 input chain (crowdsec-blacklists) - IPv4 forward chain (crowdsec-blacklists) - IPv6 input chain (crowdsec6-blacklists) - IPv6 forward chain (crowdsec6-blacklists) Each rule respects the deny_log and deny_action configuration options. Co-Authored-By: Claude Opus 4.5 --- .../secubox-app-cs-firewall-bouncer/Makefile | 2 +- .../files/crowdsec-firewall-bouncer.initd | 24 +++++++++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/package/secubox/secubox-app-cs-firewall-bouncer/Makefile b/package/secubox/secubox-app-cs-firewall-bouncer/Makefile index 6b961fd7..e9f06633 100644 --- a/package/secubox/secubox-app-cs-firewall-bouncer/Makefile +++ b/package/secubox/secubox-app-cs-firewall-bouncer/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=secubox-app-cs-firewall-bouncer PKG_VERSION:=0.0.31 -PKG_RELEASE:=1 +PKG_RELEASE:=2 # Source from upstream CrowdSec # Note: v0.0.31 is the last version compatible with Go 1.23 (OpenWrt 24.10 SDK) diff --git a/package/secubox/secubox-app-cs-firewall-bouncer/files/crowdsec-firewall-bouncer.initd b/package/secubox/secubox-app-cs-firewall-bouncer/files/crowdsec-firewall-bouncer.initd index d1007bd1..d93a017b 100644 --- a/package/secubox/secubox-app-cs-firewall-bouncer/files/crowdsec-firewall-bouncer.initd +++ b/package/secubox/secubox-app-cs-firewall-bouncer/files/crowdsec-firewall-bouncer.initd 
@@ -194,12 +194,24 @@ init_nftables() {
 nft add chain ip "$TABLE" $chain_name-input "{ type filter hook input priority $hook_priority; policy accept; }"
 nft add rule ip "$TABLE" $chain_name-input ct state established,related accept
 nft add rule ip "$TABLE" $chain_name-input iifname != \{ $interface \} accept
+ # Drop traffic from blacklisted IPs
+ if [ "$deny_log" -eq "1" ]; then
+ nft add rule ip "$TABLE" $chain_name-input ip saddr @crowdsec-blacklists $log_term $deny_action
+ else
+ nft add rule ip "$TABLE" $chain_name-input ip saddr @crowdsec-blacklists $deny_action
+ fi
 fi
 if [ "$filter_forward" -eq "1" ]; then
 nft add chain ip "$TABLE" $chain_name-forward "{ type filter hook forward priority $hook_priority; policy accept; }"
 nft add rule ip "$TABLE" $chain_name-forward ct state established,related accept
 nft add rule ip "$TABLE" $chain_name-forward iifname != \{ $interface \} accept
+ # Drop traffic from blacklisted IPs
+ if [ "$deny_log" -eq "1" ]; then
+ nft add rule ip "$TABLE" $chain_name-forward ip saddr @crowdsec-blacklists $log_term $deny_action
+ else
+ nft add rule ip "$TABLE" $chain_name-forward ip saddr @crowdsec-blacklists $deny_action
+ fi
 fi
 fi
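Review bot: The new deny rule in each chain is appended after `ct state established,related accept`, so a connection that was already established before its source address entered `@crowdsec-blacklists` keeps passing until it closes; if the intent is to cut off a blacklisted source at once, the deny rule has to sit before the ct rule (or the path that adds to the set must also clear the matching conntrack entries), and the same ordering applies to the forward chain in this hunk and to both ip6 chains in the next one. Separately, the same six-line `if [ "$deny_log" -eq "1" ]` block is repeated four times across the two hunks with only family, table, chain and set name varying, so a small helper next to `init_nftables` (which starts before this hunk and closes at the end of the next) would reduce each site to one line and make any future change to the rule shape a single edit. `$log_term` and `$deny_action` are expanded unquoted on purpose so nft receives their words as separate tokens; a comment saying so, `# $log_term / $deny_action hold several nft tokens: keep them unquoted`, would stop a later quoting pass from silently breaking the rule.
```shell
# Append the deny rule for one chain, honouring deny_log / deny_action.
# $1 family (ip|ip6) - also the address-expression keyword (ip saddr / ip6 saddr)
# $2 table  $3 chain  $4 set name without the leading '@'
# $log_term / $deny_action hold several nft tokens: keep them unquoted.
add_deny_rule() {
	if [ "$deny_log" -eq "1" ]; then
		nft add rule "$1" "$2" "$3" "$1" saddr "@$4" $log_term $deny_action
	else
		nft add rule "$1" "$2" "$3" "$1" saddr "@$4" $deny_action
	fi
}

# … unchanged: init_nftables() up to the input-chain iifname rule …
		add_deny_rule ip "$TABLE" "$chain_name-input" crowdsec-blacklists
# … unchanged: forward-chain creation and its ct/iifname rules …
		add_deny_rule ip "$TABLE" "$chain_name-forward" crowdsec-blacklists
```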
@@ -212,12 +224,24 @@ init_nftables() {
 nft add chain ip6 "$TABLE6" $chain6_name-input "{ type filter hook input priority $hook_priority; policy accept; }"
 nft add rule ip6 "$TABLE6" $chain6_name-input ct state established,related accept
 nft add rule ip6 "$TABLE6" $chain6_name-input iifname != \{ $interface \} accept
+ # Drop traffic from blacklisted IPs
+ if [ "$deny_log" -eq "1" ]; then
+ nft add rule ip6 "$TABLE6" $chain6_name-input ip6 saddr @crowdsec6-blacklists $log_term $deny_action
+ else
+ nft add rule ip6 "$TABLE6" $chain6_name-input ip6 saddr @crowdsec6-blacklists $deny_action
+ fi
 fi
 if [ "$filter_forward" -eq "1" ]; then
 nft add chain ip6 "$TABLE6" $chain6_name-forward "{ type filter hook forward priority $hook_priority; policy accept; }"
 nft add rule ip6 "$TABLE6" $chain6_name-forward ct state established,related accept
 nft add rule ip6 "$TABLE6" $chain6_name-forward iifname != \{ $interface \} accept
+ # Drop traffic from blacklisted IPs
+ if [ "$deny_log" -eq "1" ]; then
+ nft add rule ip6 "$TABLE6" $chain6_name-forward ip6 saddr @crowdsec6-blacklists $log_term $deny_action
+ else
+ nft add rule ip6 "$TABLE6" $chain6_name-forward ip6 saddr @crowdsec6-blacklists $deny_action
+ fi
 fi
 fi
 }