We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
fix: correct GeoIP database path in wiki — /var/cache/nftban/geoban/ → /var/lib/nftban/geoip/ BLOCKER from GeoIP lifecycle audit (FIND-GEO-1): Wiki claimed DB path was /var/cache/nftban/geoban/dbip-country-lite.mmdb Actual path (code + validator + live hosts): /var/lib/nftban/geoip/dbip-country-lite.mmdb Fixed in: - Blacklist-and-Threat-Intelligence.md (2 occurrences) - Configuration-Reference.md (1 occurrence) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
wiki: add System Contract + Metrics Evidence Classes to Architecture System Contract (Canonical Invariants): - 5 numbered invariants that must hold when system is healthy - Kernel schema, anchor pipeline, validator agreement, CLI truth, config intent - Violation = DEGRADED or DOWN Metrics & Evidence Classes: - 3 classes: Structural (validator), Enforcement (counters), Operational (timers) - Unified explanation of what each proves - Links to Metrics page and Glossary Closes the two remaining cohesion gaps from alignment audit. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
wiki: system cohesion — connect install→schema→systemd→operations lifecycle Systemd page: - Added 'Role in System Architecture' section - Systemd = execution layer, NOT authority - Failure propagation: timer stops → feeds stale → enforcement degrades - Operators must rely on validator, not service status Schema page: - Added 'Lifecycle Connection' section - Connects install→validator→timers→operations chain - Links findings to Security Operations Guide - Cross-links to Installation and Operations Installation Guide: - Added 'What the Installer Creates' section - Links to Schema page for full structural contract - Connects Phase 5 (VALIDATE) to schema expectations All pages now express one coherent system, not 4 separate docs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
wiki: contract-vs-implementation separation (schema + install + architecture) Schema page: - Schema is now a logical contract, not tied to shell implementation - Implementation detail (nft_schema.sh) clearly separated from contract - Future Go migration stated without breaking contract invariants - 'Schema authority resides in nft_schema.sh' → contract-first wording Installation Guide: - Installer framed as 'enforces system contract on kernel' - Design Principle section: config→installer→validator→CLI invariant model - Implementation-agnostic: contract survives shell→Go migration Architecture: - Schema described as logical contract, not shell artifact - Migration direction stated as implementation detail, not contract change Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
wiki: rewrite Metrics + Systemd Units + Security Operations (v1.85 aligned) Metrics & Evidence Model: - Full counter catalog (31 IPv4, 32 IPv6) with evidence classes - 6 interpretation rules from v1.81 vocabulary - Per-module evidence mapping table - Exporter architecture (Prometheus textfile + JSON) - Shared counter attribution rules Systemd Units & Timers: - All 28 services + 19 timers documented - Correct schedule: maintenance=15min (was wrong), watchdog=120s - Correct user: maintenance=root (was wrong) - Timer liveness validator check (VAL-TIMER-001/002) - Dependency chain documented - Corrects 3 wrong facts from Track B audit (B-13, B-14) Security Operations Guide: - 8 real operator scenarios with kernel-first diagnosis - Decision tree for DEGRADED state - Evidence-based procedures (no fabricated examples) - Shared counter attribution warnings - Emergency SSH lockout recovery - Corrects fabricated logrotate example from Track B (B-16) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
wiki: rewrite Installation Guide + NFT Schema & Validator Model (v1.85 aligned) Installation Guide: - 5-phase Go installer pipeline (correct phase count) - Authority model (FRESH/UPDATE/TAKEOVER/ABORT) - SSH port safety (4-source detection) - Conflict detection with panel auto-approval - Post-install verification commands - CSF restoration warning - Source install limitations documented NFT Schema & Validator Model: - Schema design (separate ip/ip6 tables) - Schema generator → codegen → validator flow - All required kernel objects (chains, sets, counters, anchors) - Full finding code registry (14 codes) - Counter naming convention + inventory (31 IPv4, 32 IPv6) - Atomic rebuild safety - Validator scope and limitations Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
stats: add full version history with verified LOC from git tags
wiki: v1.83 canonical rewrite — system contract + modules + structure Complete wiki alignment to v1.83 canonical design baseline. Added (8 new pages): - Glossary-and-Vocabulary (v1.81 vocabulary contract) - Health-Model (4-axis + consistency derivation) - DDoS-Protection (kernel-only, counter evidence) - Portscan-Detection (structure-only, no counter) - BotGuard (daemon-dependent, set evidence) - Login-Monitoring (journal + shared sets) - Blacklist-and-Threat-Intelligence (composite: manual/feeds/geoban) - Known-Limitations-and-Validation-Scope (validator scope per module) Replaced (6 pages): - Home → system contract (truth authority + evidence model + invariants) - Architecture-Overview → kernel-first with invariants - CLI-Commands-Reference → trust levels + v1.83 behavior - Configuration-Reference → per-key with axis effects - Project-Statistics → v1.83 metrics with history - _Sidebar → canonical navigation structure Fixed (2 pages): - Suricata-IDS-Integration: "rules loaded" → "rules present" - Optimization-Tools-and-Tweaks: "ok" → "protected" Archived (11 pages → archive/): - CLI-Command-Tree, Timer-Schedule, Large-Set-Management (merged) - API-Handlers-Map, Registry-Architecture, Queue-and-Mail-Contract (internal) - Security-CI-Pipeline, Coding-Standards, Performance-Benchmarks (internal) - Health-Check-Architecture, HTTP-Bot-Guard (replaced by new pages) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
docs: update Home.md version to 1.68.1 + add Legal section to index - Version: 1.56.0 → 1.68.1 - Documentation Index: added Legal section with License & Commercial Use and Trademark & Branding pages Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
docs: add License & Commercial Use and Trademark & Branding pages New wiki pages: - License-and-Commercial-Use.md — MPL-2.0 explanation, commercial use rules, fork policy, architecture boundary diagram - Trademark-and-Branding.md — allowed/prohibited use tables, fork naming requirements, SaaS restriction, enforcement clause Sidebar: added Legal section with both pages + Firewall Anchor Architecture Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
docs: add Firewall Anchor Architecture wiki page Documents the 7-phase anchor skeleton as a contract: - Phase model (HYGIENE → TRUSTED → BAN → ESTABLISHED → DETECT → SERVICE → FINAL) - Anchor markers and module insertion points - Ordering, structural, and safety invariants - Verification commands Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
wiki: update for v1.56.0 — CI workflow count, Go 1.25, smoke test - Home.md: version 1.53.0 → 1.56.0 - Security-CI-Pipeline.md: 18 → 20 workflows, add smoke test to trigger table - Project-Statistics.md: 19 → 20 CI workflows, Go 1.24 → 1.25, fix architecture diagram
wiki: bump version to 1.53.0
wiki: align with v1.52.1 release
docs: update wiki for v1.52.0 — config doctor, lockout prevention, login monitor, port 9580
docs(wiki): restore Statistics Per Version table to Project-Statistics Re-add the historical version tracking table with entries from v1.0.0 through v1.39.0 showing codebase growth over time. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
docs: align wiki with v1.39.0 release - Update version references across 8 pages (v1.18-v1.34 → v1.39.0) - Add dual-set architecture (blacklist_manual_* hash sets from v1.33.0) - Update nft schema with blacklist_manual_ipv4/ipv6 sets and input chain rules - Fix CLI path /usr/sbin/nftban → /usr/bin/nftban - Update Go package paths pkg/ → internal/ (v1.36.0 boundary hardening) - Update project statistics: 269K LOC, 311 Go files, 261 shell scripts, 71 packages - Remove stale audit status table and version history from Home.md - Mark v1.33.0 set separation as delivered in Performance-Benchmarks - Add Bot Guard and Commit-Confirm to key features list - Clean up version-specific annotations (v1.21.4+, v1.31.0, etc.) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
docs: add ddos reload command, SYNPROXY SSH lockout fix (v1.34.0) - Added 'nftban ddos reload' subcommand documentation with full subcommand table (enable, disable, reload, status, stats, test, mode) - Documented SYNPROXY SSH lockout prevention mechanism - Updated 'nftban firewall reload' to note DDoS re-application (v1.34.0) - Added DDoS configuration file references - Updated CLI Command Tree version to v1.34.0 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
docs: add Debian 12 benchmarks, honest verdict, Known Limitations detail, rc=7 explanation
docs: update Performance Benchmarks with real measured stress test data Replace estimated values with actual measured data from 21 March 2026 stress tests across 5 lab servers. Update lab1 kernel version, add Debian 13 dual-kernel note, fix lab ban avg to show range (73-113s) instead of single average. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add CPU details to benchmark environments Intel Xeon Skylake on lab (200 MHz slower) vs AMD EPYC-Rome on lab1-4. Note about fair cross-distro comparison requiring same hardware. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Update Performance Benchmarks for v1.32.0 cache-first architecture - Add v1.32.0 cache-first counting results (300x speedup) - Add interactive ban latency at different set sizes - Add concurrent stress test results across 5 lab servers - Add scalability guidance (500K bulk target, not interactive) - Add maintenance script impact measurements - Preserve v1.18.0 transport benchmarks as separate section - Update test environment table for March 2026 labs - Add architecture validation for IntervalEnd fix - Add interpreting results section (3 independent domains) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
docs: add Large Set Management wiki page (v1.32.0 architecture) Documents the new adaptive counting architecture: daemon-owned counters, cache file, scale levels, global nft operation lock, and reconciliation. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
docs: update NFT Schema Validation for v1.31.0 (auto-merge, counters, Bot Guard sets)
docs: add DNS Tunnel Suspicion wiki page, update CLI reference, sidebar, and Home
docs: add Optimization Tools and Tweaks wiki page New wiki page documenting optional CIDR aggregation tools (aggregate6, netmask, bash fallback), setup procedures, distro compatibility, health reporting, and troubleshooting. Added to sidebar under Operations and to Home page index. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add QUIC.cloud (LiteSpeed CDN) to trust providers Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
docs: Add HTTP Bot Guard wiki page, update statistics for v1.20.0 - New: HTTP-Bot-Guard.md — CLI, config, architecture, FHS, nft sets - Updated: _Sidebar.md — added HTTP Bot Guard link under Integration - Updated: Project-Statistics.md — updated LOC, modules (8), packages (65), protection modules table, architecture diagram, statistics history Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
docs: Add Ban-First Architecture section to Security-Architecture.md Documents the actual ban path architecture: - Ban execution is immediate (no feed lookup) - Feeds are precomputed via timer-based sync - GeoIP is post-ban informational only Evidence from code audit of handleBanRequest(), backend.Ban(), and feed sync. Related: closes #48 as already implemented Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
docs: Add IPC Security Architecture section (v1.19.27) Document defense-in-depth input validation for nft commands: - Validation layers diagram (CLI → IPC → Go daemon) - Character whitelists for IPv4/IPv6/CIDR - Files with nft command security table - Testing validation examples - False positive prevention notes Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>