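[Definition]
# fail2ban action: on ban, add DROP rules on both the Docker forwarding path
# (DOCKER-USER) and the host path (INPUT); on unban, delete the same rules.
#
# Three rules per ban:
#   1. DOCKER-USER source match: blocks direct connections from the banned IP to
#      any container. Inserted with -I so the rule lands ahead of the chain's
#      existing rules (Docker's default RETURN); an appended rule would sit
#      behind them and never match.
#   2. DOCKER-USER xt_string match: blocks CDN-proxied requests where the real
#      client IP is carried in the X-Forwarded-For header. Requires the
#      xt_string kernel module on the host (modprobe xt_string). It is
#      deliberately best-effort: stderr is silenced and the exit status forced
#      to 0 so a missing module cannot abort the ban. Caveats:
#        - the payload is only visible if the CDN-to-origin leg is plaintext
#          HTTP; a TLS connection to the container defeats the match
#        - it is a substring match, so 'X-Forwarded-For: 1.2.3.4' also drops
#          requests for 1.2.3.40 / 1.2.3.4x (over-blocking), and a header split
#          across TCP segments is not seen
#        - it inspects every TCP packet forwarded through DOCKER-USER, in both
#          directions, regardless of source address
#   3. INPUT source match: blocks direct connections to services on the host.
#      Inserted with -I (not -A): an appended DROP would come after any earlier
#      ACCEPT rules (conntrack ESTABLISHED/RELATED, per-service accepts) and be
#      dead.
#
# <ip> is substituted by fail2ban with the banned address. The -D lines in
# actionunban must repeat the -I rule spec verbatim or the deletion will not
# find the rule. No actioncheck/actionstart is defined, so a firewall reload
# or chain flush silently loses active bans until the next ban/unban cycle.

actionban = <iptables> -I DOCKER-USER -s <ip> -j DROP
            <iptables> -I DOCKER-USER -p tcp -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP 2>/dev/null || true
            <iptables> -I INPUT -s <ip> -j DROP

actionunban = <iptables> -D DOCKER-USER -s <ip> -j DROP || true
              <iptables> -D DOCKER-USER -p tcp -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP 2>/dev/null || true
              <iptables> -D INPUT -s <ip> -j DROP || true

[Init]
# iptables binary used for IPv4 bans. Overridden below for IPv6 so a v6 ban
# does not fail with an address-family error and leave the attacker unblocked.
iptables = iptables-nft

[Init?family=inet6]
iptables = ip6tables-nft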