Antonios Voulvoulis edited this page Apr 14, 2026 · 29 revisions
- Type: Reference
- Scope: Codebase metrics, architecture scale, and project evolution
- Current as of: v1.83.0 (2026-04-14)
| Size Category | Lines of Code | NFTBan |
|---|---|---|
| Small | < 10,000 | |
| Medium | 10,000 - 50,000 | |
| Large | 50,000 - 250,000 | ~190,000 (code lines) |
| Very Large | > 250,000 | |
| Category | Lines (non-blank, non-comment) |
|---|---|
| Shell (Bash) | ~99,400 |
| Go | ~90,300 |
| Total code | ~189,700 |
| Category | Count |
|---|---|
| Shell files (.sh) | 251 |
| Go files (.go) | 411 |
| Go test files (*_test.go) | 82 |
| Go packages (internal/) | 81 |
| CI/CD workflows | 24 |
| Systemd services | 28 |
| Systemd timers | 19 |
| Total tracked files | 874 |
Shell (Bash) ████████████████████████░░░░░░░░░░░░░░ 52%
Go ████████████████████████████████████░░ 48%
The project is a Go + Shell hybrid:
- Go daemon (`nftband`) handles ban/unban execution, loginmon pipeline, BotGuard scoring, IPC, and the kernel truth validator
- Shell CLI handles schema generation, configuration management, and the operator interface
The v1.90.x migration direction moves shell logic into Go. The target binary for install/repair operations is `nftban-installer`.
| Object type | Count | Source |
|---|---|---|
| Named counters | 31 (IPv4), 32 (IPv6) | nftables schema |
| Named sets | ~19 (base required) | schema_generated.go |
| Pipeline anchors | 7 | HYGIENE → TRUSTED → BAN → ESTABLISHED → DETECT → SERVICE → FINAL |
| Helper chains | up to 6 (module-dependent) | ddos (4), portscan (1), botguard (1) |
| Base chains | 3 per family (input, forward, output) | nftables schema |
| Metric | Count |
|---|---|
| CLI command handlers | 119 |
| CLI subcommands (total entry points) | 91+ |
| Top-level commands | 35 |
| Module | Layer | Evidence type | Daemon required |
|---|---|---|---|
| DDoS | L1 (L3/L4) | Dedicated counters (5) | NO |
| Portscan | L1 (L3/L4) | Structure only | NO |
| BotGuard | L2 (L7) | Dedicated sets (6) | YES |
| LoginMon | L2 | Journal + shared sets | YES |
| Blacklist (manual) | L1 | Dedicated set + shared counter | NO |
| Blacklist (feeds) | L1 | Shared set + shared counter | YES (sync) |
| GeoBan | L1 | Shared set + GeoIP DB | YES (sync) |
| Suricata IDS | L3 (L7 DPI) | EVE JSON events | YES |
| DNS Tunnel | Advisory | DNS query analysis | YES |
| Type | Count |
|---|---|
| Systemd services | 28 |
| Systemd timers | 19 |
| Total systemd units | 47 |
| Category | Count | Tools |
|---|---|---|
| CI workflows | 24 | GitHub Actions |
| Security scanning | 9 | CodeQL, Gitleaks, OSV-Scanner, Scorecard, OSSRA, dependency-review, fuzz, secure-go |
| Build pipelines | 2 | DEB + RPM package build |
| Test suites | 82 Go test files + shell test suite | |
| Metric | Value |
|---|---|
| First commit | 2025-09-01 |
| Current version | v1.83.0 |
| Total commits | 3,120 |
| Contributors | 4 |
| License | MPL-2.0 |
| Version | Date | Milestone |
|---|---|---|
| v1.0.0 | 2025-09 | Initial release |
| v1.36.0 | 2025-12 | Go loginmon pipeline |
| v1.70.0 | 2026-03 | Rebuild failure = FATAL (no fallback) |
| v1.73.0 | 2026-03 | Go RPM installer |
| v1.78.0 | 2026-04 | Go kernel truth validator |
| v1.80.0 | 2026-04 | Structural truth-surface hardening |
| v1.81.0 | 2026-04 | Vocabulary freeze + metrics catalog |
| v1.82.0 | 2026-04 | Truth-path consolidation + 4-axis health model |
| v1.83.0 | 2026-04 | CLI performance + truth authority enforcement |
All counts are non-blank, non-comment lines (verified from git tags).
| Version | Date | Bash LOC | Go LOC | Total | Go files | Go tests | Milestone |
|---|---|---|---|---|---|---|---|
| v1.32.0 | 2025-12 | 100,869 | 82,932 | 183,801 | 322 | 55 | Large set management |
| v1.36.0 | 2025-12 | 101,131 | 83,652 | 184,783 | 325 | 55 | Go loginmon pipeline |
| v1.56.0 | 2026-02 | 106,670 | 84,818 | 191,488 | 330 | 55 | Current version baseline |
| v1.60.0 | 2026-03 | 105,469 | 77,640 | 183,109 | 313 | 54 | Go package consolidation (pkg/ → internal/) |
| v1.68.1 | 2026-03 | 107,387 | 77,640 | 185,027 | 313 | 54 | Pre-truth-model baseline |
| v1.73.0 | 2026-03 | 106,789 | 81,899 | 188,688 | 361 | 67 | Go RPM installer |
| v1.78.0 | 2026-04 | 107,775 | 83,938 | 191,713 | 371 | 69 | Go kernel truth validator |
| v1.80.0 | 2026-04 | 108,892 | 88,782 | 197,674 | 405 | 81 | Structural truth-surface hardening |
| v1.83.0 | 2026-04 | 109,017 | 90,233 | 199,250 | 412 | 84 | Truth authority consolidation |
- Go growth: 82,932 → 90,233 (+8.8% from v1.32 to v1.83)
- Go test growth: 55 → 84 files (+53%)
- Go file growth: 322 → 412 (+28%)
- Shell stable: 100,869 → 109,017 (+8.1%, growth from new CLI commands)
- v1.60 dip: Go LOC dropped from 84,818 to 77,640 due to `pkg/` → `internal/` package consolidation (48 packages moved, dead code removed)
- v1.73+ acceleration: Go LOC grew 77,640 → 90,233 (+16%) as installer, validator, and module health code was added in Go
```bash
# Current version
cat /VERSION

# Code line counts (non-blank, non-comment)
find cli/ install/ helpers/ scripts/ -name '*.sh' | xargs cat | grep -cv '^\s*$\|^\s*#'
find cmd/ internal/ pkg/ -name '*.go' | xargs cat | grep -cv '^\s*$\|^\s*//'

# File counts
find . -name '*.sh' | grep -v .git | wc -l
find . -name '*.go' | grep -v .git | wc -l

# Commit count
git log --oneline | wc -l
```