Support timeout for ipsets
crowdsec-firewall-bouncer has an ipset mode in which it adds decisions (blocked addresses) to ipsets instead of managing iptables rules itself. In that mode crowdsec-firewall-bouncer never has to touch the iptables chains, which suits awall well, but the ipsets awall creates from the policy lack a timeout setting. The crowdsec-firewall-bouncer documentation says to create the ipsets with the following commands:
ipset create crowdsec-blacklists hash:ip timeout 0 maxelem 150000
ipset create crowdsec6-blacklists hash:ip timeout 0 family inet6 maxelem 150000
Without timeout 0, crowdsec-firewall-bouncer complains that it cannot set a timeout on entries, because a set created without the timeout option does not support per-entry timeouts at all. Note that timeout 0 only enables timeout support and leaves the default at "never expire"; the bouncer then passes the decision's remaining duration as the timeout of each entry it adds. awall would need a way to pass timeout (and ideally maxelem) through to ipset create for this mode to work without hand-created sets.
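To make the requirement concrete, here is an added example (not code from awall or from crowdsec-firewall-bouncer) that prints the create commands the bouncer's ipset mode needs and checks whether an existing set was created with timeout support by inspecting the Header line of ipset list -t. The function names and the sample ipset list -t output are constructed for this example; the header format is the one ipset prints for hash:ip sets.

```sh
#!/bin/sh
# Added example, not awall or crowdsec-firewall-bouncer code.
# Two helpers: one builds the "ipset create" command the bouncer's ipset mode
# expects, the other inspects "ipset list -t" output to see whether a set was
# created with timeout support (the cause of the "cannot set a timeout" error).

# Print the create command for one blocklist set.
# "timeout 0" enables per-entry timeouts while leaving the default at
# "never expire"; maxelem defaults to the 150000 from the bouncer docs.
cs_ipset_create_cmd() {
    name=$1
    family=$2
    maxelem=${3:-150000}
    printf 'ipset create %s hash:ip family %s timeout 0 maxelem %s\n' \
        "$name" "$family" "$maxelem"
}

# Given the text of "ipset list -t NAME", return 0 when the Header line
# carries a timeout option and 1 when it does not.
header_has_timeout() {
    printf '%s\n' "$1" | grep -q '^Header:.*[[:space:]]timeout[[:space:]][0-9]'
}

# Check a live set (needs ipset and root). Prints "ok", "no-timeout" or
# "absent" so it can be used from a health check before starting the bouncer.
cs_ipset_timeout_status() {
    name=$1
    if ! out=$(ipset list -t "$name" 2>/dev/null); then
        echo absent
        return 1
    fi
    if header_has_timeout "$out"; then
        echo ok
    else
        echo no-timeout
        return 1
    fi
}

# Constructed "ipset list -t" output for a set created with timeout 0 ...
WITH_TIMEOUT='Name: crowdsec-blacklists
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 150000 timeout 0
Size in memory: 200
References: 1
Number of entries: 0'

# ... and for a set created the way awall currently does it (no timeout).
WITHOUT_TIMEOUT='Name: crowdsec-blacklists
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 150000
Size in memory: 200
References: 1
Number of entries: 0'

# Demonstration when run directly: the commands to hand to ipset, then the
# header check on both constructed outputs.
cs_ipset_create_cmd crowdsec-blacklists inet
cs_ipset_create_cmd crowdsec6-blacklists inet6
header_has_timeout "$WITH_TIMEOUT" && echo "with timeout 0: timeout supported"
header_has_timeout "$WITHOUT_TIMEOUT" || echo "without timeout 0: bouncer will fail to add timed entries"
```

On a live host, cs_ipset_timeout_status crowdsec-blacklists run as root tells you in advance whether the bouncer's ipset mode will work against the set awall created; "no-timeout" means the set must be destroyed and recreated with timeout 0, since ipset cannot add timeout support to an existing set.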
Example policy
{
  "description": "Integration with cs-firewall-bouncer in ipset mode",
  "ipset": {
    "crowdsec-blacklists": { "type": "hash:ip", "family": "inet" },
    "crowdsec6-blacklists": { "type": "hash:ip", "family": "inet6" }
  },
  "filter": [
    {
      "in": "adp-wan",
      "ipset": [
        { "name": "crowdsec-blacklists", "args": ["in"] },
        { "name": "crowdsec6-blacklists", "args": ["in"] }
      ],
      "action": "drop"
    }
  ]
}