Deprecations v190
Type: Reference | Scope: Components excluded from 1.x core contract, transitional items, removal schedule | Since: v1.88.0 (formal deprecation tracking) | Terminology: Glossary & Vocabulary
This page tracks components that are deprecated, transitional, or excluded from the 1.x core contract. Items listed here still exist in code but are not part of the canonical metrics or architecture surface.
| Category | Meaning |
|---|---|
| DEPRECATED | Actively being removed. Do not build on these. |
| TRANSITIONAL | Still needed by downstream consumers. Will be removed when migration completes. |
| OUT OF SCOPE (1.x) | Not part of 1.x contract. May appear in 2.x or later. |
| LEGACY | Superseded by newer implementation. Safe to remove. |
| Property | Value |
|---|---|
| Status | RETIRED — removal complete |
| Components | `nftban-ui` binary, `nftban-ui-auth` binary, `nftban-ui.service`, `nftban-ui-auth.service`, `nftban-ui-auth.socket`, PAM config, Go source trees, GOTH-era handlers/middleware/auth/session/authproto packages |
| Reason | Lifecycle simplification before v2.0; PAM build-dependency reduction; SLSA coverage scoped to nftban-core |
| Replacement | None — operators use the nftban CLI directly |
| Removal stages | v1.100.1b.A (stop shipping) → v1.100.1b.B (delete source trees) → v1.100.1b.C1 (orphan-package delete) → v1.100.1b.C2 (cross-cutting prune) → v1.100.1b.D (docs/registry cleanup) |
| Transitional handling | Package upgrade hooks (DEB prerm, RPM %pre) stop, disable, mask, and remove orphaned units + binaries on existing installs |
| CLI surface | `nftban gui` and `nftban health gui` subcommands removed in v1.100.1b.C2 |
See archive/Web-GUI-and-nftban-ui-retired for the full historical record.
| Property | Value |
|---|---|
| Status | DEPRECATED — orphan after Web GUI retirement |
| Metrics | 16 gauges on custom `prometheus.NewRegistry()` |
| Original consumer | `nftban-ui` (retired in v1.100.1b.A) |
| Reason | Creates parallel truth system. The daemon /metrics endpoint is the authoritative source. |
| Removal | Pending — no remaining consumer; safe to delete in a later cleanup pass. |
The sampler maintains its own health gauge, network stats, and ring buffer of samples. This duplicates the daemon's authoritative metrics and creates a second health interpretation that may diverge from the watchdog and validator. With the Web GUI retired, it has no consumer.
| Property | Value |
|---|---|
| Status | DEPRECATED |
| Metrics | 3 (bans_total, persistent_offenders_total, unique_ips_by_country) |
| Reason | `RegisterPrometheus()` is never called from daemon. Metrics are defined but invisible. |
| Removal | Wire to daemon if needed, or delete registration code |
| File | Status | Reason |
|---|---|---|
| `nftban_firewall_exporter.sh` | LEGACY — remove | Fully superseded by unified exporter |
| `nftban_geoban_exporter.sh` | LEGACY — remove | Fully superseded by unified exporter |
| `nftban_portscan_exporter.sh` | LEGACY — remove | Fully superseded by unified exporter |
These write to separate .prom files or append to nftban.prom. The unified
exporter covers all their metrics. They can be removed without downstream impact.
| Property | Value |
|---|---|
| Status | PENDING REMOVAL — orphan after Web GUI retirement |
| Output | `traffic_history.json`, `dropped_by_country.json`, `dropped_by_port.json` |
| Original consumer | `nftban-ui` (retired in v1.100.1b.A) |
| Removal | Tracked under v1.100.1b.D — verify no remaining sourcing in nftban_unified_exporter*.sh, then delete. |
| Property | Value |
|---|---|
| Status | TRANSITIONAL |
| Output | `dynamic.json`, `inventory.json`, `combined.json` |
| Consumers | Portal (pro.nftban.com), external tools reading legacy JSON |
| Blocker | Portal must migrate to daemon API or new JSON schema |
| Removal | After portal migration completes |
Both are sourced by the unified exporter during its collection cycle. They are not independent — removing them requires verifying no downstream consumer depends on the JSON files they produce.
| Property | Value |
|---|---|
| Status | OUT OF SCOPE (1.x) |
| File | internal/suricata/stats/metrics.go |
| Metrics | 17 (promauto, but only initialized from nftban-core CLI) |
| Reason | Not on daemon /metrics. Only available during CLI suricata sid-stats invocations. |
| Future | May be moved to daemon in 2.x if Suricata integration remains |
| Property | Value |
|---|---|
| Status | RETIRED — not part of the 1.x core contract |
| Outcome | The GOTH-stack Web GUI (nftban-ui + nftban-ui-auth) was retired in v1.100.1b.A and fully removed by v1.100.1b.D. NFTBan 1.x has no shipped Web GUI. |
| Future | Any future GUI surface (2.x or later) is undecided and is not part of the 1.x contract. |
| Property | Value |
|---|---|
| Status | OUT OF SCOPE (1.x) |
| Reason | No demand signal. Prometheus-compatible surface covers known use cases. |
| Property | Value |
|---|---|
| Status | OUT OF SCOPE (1.x) |
| Reason | No demand signal. Scrape + textfile covers all deployment scenarios. |
These metric names have known issues per Prometheus conventions. Corrections are planned for the v1.90 metrics contract freeze.
| Current Name | Issue | Planned Name |
|---|---|---|
| `nftban_go_goroutines` | Collides with `go_goroutines` | `nftban_runtime_goroutines` |
| `nftban_go_gc_cpu_fraction` | Collides with `go_gc_*` | `nftban_runtime_gc_cpu_fraction` |
| `nftban_go_gc_pause_seconds` | Collides with `go_gc_*` | `nftban_runtime_gc_pause_seconds` |
| `nftban_go_heap_alloc_bytes` | Collides with `go_heap_*` | `nftban_runtime_heap_alloc_bytes` |
| `nftban_go_heap_inuse_bytes` | Collides with `go_heap_*` | `nftban_runtime_heap_inuse_bytes` |
| `nftban_go_heap_released_bytes` | Collides with `go_heap_*` | `nftban_runtime_heap_released_bytes` |
| `nftban_softnet_drops_total` | `_total` on gauge | `nftban_softnet_drops` |
| `nftban_softnet_time_squeeze_total` | `_total` on gauge | `nftban_softnet_time_squeeze` |
| `nftban_nic_rx_dropped_total` | `_total` on gauge | `nftban_nic_rx_dropped` |
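The two issue classes in the table above can be checked mechanically against scraped output. The following is an added example, not NFTBan project code: `LintExposition` and `Finding` are hypothetical names, the sample exposition text is constructed, and the rename rules are generalized from the table's rows (`nftban_go_*` becomes `nftban_runtime_*`; `_total` is dropped from gauges).

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is one naming issue plus the rename that the table's pattern implies.
type Finding struct {
	Name, Issue, Planned string
}

// LintExposition scans the "# TYPE <name> <type>" lines of Prometheus text
// exposition output and reports the two issue classes from the table.
func LintExposition(text string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 || f[0] != "#" || f[1] != "TYPE" {
			continue // HELP lines, samples and blanks carry no type information
		}
		name, typ := f[2], f[3]
		switch {
		case strings.HasPrefix(name, "nftban_go_"):
			rest := strings.TrimPrefix(name, "nftban_go_")
			out = append(out, Finding{name, "collides with go_* runtime names", "nftban_runtime_" + rest})
		case typ == "gauge" && strings.HasSuffix(name, "_total"):
			out = append(out, Finding{name, "_total on gauge", strings.TrimSuffix(name, "_total")})
		}
	}
	return out
}

// sample is constructed input for this example, not captured daemon output.
const sample = `# HELP nftban_go_goroutines Goroutine count
# TYPE nftban_go_goroutines gauge
nftban_go_goroutines 42
# TYPE nftban_softnet_drops_total gauge
nftban_softnet_drops_total 0
# TYPE nftban_bans_total counter
nftban_bans_total 17
# TYPE nftban_runtime_heap_alloc_bytes gauge
nftban_runtime_heap_alloc_bytes 1048576
`

func main() {
	for _, f := range LintExposition(sample) {
		fmt.Printf("%-28s %-34s -> %s\n", f.Name, f.Issue, f.Planned)
	}
}
```

A counter that ends in `_total` and an already renamed `nftban_runtime_*` gauge pass without findings.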
The evidence layer (internal/metrics/evidence_*.go) currently makes 19
redundant nft CLI calls per snapshot, querying kernel data that the validator
already has from its nft -j list ruleset call. This is an architectural debt
item — evidence should consume validator output, not re-query the kernel.
Planned for v1.89. See METRICS_COLLECTOR_EXPORTER_COMBINE.md section 8 for
the full duplicate query map.