From 05575de1f1eb23f9f4c2c07c6b16ae383d12e3e1 Mon Sep 17 00:00:00 2001
From: Csillag Tamas <cstamas@digitus.itk.ppke.hu>
Date: Mon, 30 May 2022 14:05:18 +0200
Subject: [PATCH 1/3] nftables.conf - add support for cidr notation

Currently when trying to add an address like: 141.98.11.0/24 it fails with:

fail2ban.utils          [720]: ERROR   7fe8c36f6630 -- exec: nft add element inet f2b-table addr-set-custom \{ 141.98.11.0/24 \}
fail2ban.utils          [720]: ERROR   7fe8c36f6630 -- stderr: "Error: You must add 'flags interval' to your set declaration if you want to add prefix elements"

After adding 'flags interval' one can ban ranges now as expected.
---
 config/action.d/nftables.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/action.d/nftables.conf b/config/action.d/nftables.conf
index 77cf3661..b2bb9ec1 100644
--- a/config/action.d/nftables.conf
+++ b/config/action.d/nftables.conf
@@ -55,7 +55,7 @@ _nft_for_proto-multiport-done = done
 _nft_list = <nftables> -a list chain <table_family> <table> <chain>
 _nft_get_handle_id = grep -oP '@<addr_set>\s+.*\s+\Khandle\s+(\d+)$'
 
-_nft_add_set = <nftables> add set <table_family> <table> <addr_set> \{ type <addr_type>\; \}
+_nft_add_set = <nftables> add set <table_family> <table> <addr_set> \{ type <addr_type>\; flags interval\; \}
               <_nft_for_proto-<type>-iter>
               <nftables> add rule <table_family> <table> <chain> %(rule_stat)s
               <_nft_for_proto-<type>-done>

From eb80b895d1e17baf3eaf2f4440ee61d1bbdf0870 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester" <github@sebres.de>
Date: Fri, 8 Aug 2025 10:10:40 +0200
Subject: [PATCH 2/3] provides flags interval as `addr_options` now

---
 config/action.d/nftables.conf | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/config/action.d/nftables.conf b/config/action.d/nftables.conf
index b2bb9ec1..eeb98a5d 100644
--- a/config/action.d/nftables.conf
+++ b/config/action.d/nftables.conf
@@ -55,7 +55,7 @@ _nft_for_proto-multiport-done = done
 _nft_list = <nftables> -a list chain <table_family> <table> <chain>
 _nft_get_handle_id = grep -oP '@<addr_set>\s+.*\s+\Khandle\s+(\d+)$'
 
-_nft_add_set = <nftables> add set <table_family> <table> <addr_set> \{ type <addr_type>\; flags interval\; \}
+_nft_add_set = <nftables> add set <table_family> <table> <addr_set> \{ type <addr_type>\;<addr_options> \}
               <_nft_for_proto-<type>-iter>
               <nftables> add rule <table_family> <table> <chain> %(rule_stat)s
               <_nft_for_proto-<type>-done>
@@ -197,6 +197,11 @@ addr_set = addr-set-<name>
 # Values: [ ip | ip6 ]
 addr_family = ip
 
+# Option: addr_options
+# Notes: Additional options for the addr-set, by default allows to store CIDR or address ranges.
+#        Can be set to empty value to create simple addresses set.
+addr_options = <sp>flags interval\;
+
 [Init?family=inet6]
 addr_family = ip6
 addr_type = ipv6_addr

From dc3268ce5dd41e3dd896ce376cf9f21df01d4bcb Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester" <github@sebres.de>
Date: Fri, 8 Aug 2025 10:16:01 +0200
Subject: [PATCH 3/3] servertestcase.py: adjust test coverage

---
 fail2ban/tests/servertestcase.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py
index 62ae81fd..fca0818a 100644
--- a/fail2ban/tests/servertestcase.py
+++ b/fail2ban/tests/servertestcase.py
@@ -1360,11 +1360,11 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 					r"`done`",
 				),
 				'ip4-start': (
-					r"`nft add set inet f2b-table addr-set-j-w-nft-mp \{ type ipv4_addr\; \}`",
+					r"`nft add set inet f2b-table addr-set-j-w-nft-mp \{ type ipv4_addr\; flags interval\; \}`",
 					r"`nft add rule inet f2b-table f2b-chain $proto dport \{ $(echo 'http,https' | sed s/:/-/g) \} ip saddr @addr-set-j-w-nft-mp reject`",
 				), 
 				'ip6-start': (
-					r"`nft add set inet f2b-table addr6-set-j-w-nft-mp \{ type ipv6_addr\; \}`",
+					r"`nft add set inet f2b-table addr6-set-j-w-nft-mp \{ type ipv6_addr\; flags interval\; \}`",
 					r"`nft add rule inet f2b-table f2b-chain $proto dport \{ $(echo 'http,https' | sed s/:/-/g) \} ip6 saddr @addr6-set-j-w-nft-mp reject`",
 				),
 				'flush': (
@@ -1406,11 +1406,11 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 					r"`nft -- add chain inet f2b-table f2b-chain \{ type filter hook input priority -1 \; \}`",
 				),
 				'ip4-start': (
-					r"`nft add set inet f2b-table addr-set-j-w-nft-ap \{ type ipv4_addr\; \}`",
+					r"`nft add set inet f2b-table addr-set-j-w-nft-ap \{ type ipv4_addr\; flags interval\; \}`",
 					r"`nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp,udp \} ip saddr @addr-set-j-w-nft-ap reject`",
 				), 
 				'ip6-start': (
-					r"`nft add set inet f2b-table addr6-set-j-w-nft-ap \{ type ipv6_addr\; \}`",
+					r"`nft add set inet f2b-table addr6-set-j-w-nft-ap \{ type ipv6_addr\; flags interval\; \}`",
 					r"`nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp,udp \} ip6 saddr @addr6-set-j-w-nft-ap reject`",
 				),
 				'flush': (