From 28330e60d83a7d1cbb5c65251505573dc07adf80 Mon Sep 17 00:00:00 2001
From: MHSanaei
Date: Mon, 1 Jun 2026 17:17:49 +0200
Subject: [PATCH] fix(docker): grant NET_ADMIN/NET_RAW so fail2ban IP-limit bans apply

The image bundles fail2ban (enabled by default) to enforce per-client IP limits via iptables, but docker-compose.yml granted no capabilities. The job logs the ban and fail2ban reports it as banned, yet the iptables action fails with "Permission denied (you must be root)" and no rule is inserted, so the client is never actually blocked. Add cap_add NET_ADMIN/NET_RAW to the service and document the docker run flags.
---
 README.md | 6 ++++++
 docker-compose.yml | 7 +++++++
 2 files changed, 13 insertions(+)

diff --git a/README.md b/README.md
index 310a9b72..7bca7983 100644
--- a/README.md
+++ b/README.md
@@ -62,6 +62,12 @@ The default `docker compose up -d` keeps using SQLite. To run with the bundled P
 docker compose --profile postgres up -d
 ```
 
+The image bundles Fail2ban (enabled by default) to enforce per-client **IP limits**. Fail2ban bans offenders with `iptables`, which requires the `NET_ADMIN` capability. `docker-compose.yml` already grants it via `cap_add`; if you start the container with `docker run` instead, add the capabilities yourself, otherwise bans are logged but never applied:
+
+```bash
+docker run -d --cap-add=NET_ADMIN --cap-add=NET_RAW ... ghcr.io/mhsanaei/3x-ui
+```
+
 ## A Special Thanks to
 
 - [alireza0](https://github.com/alireza0/)
diff --git a/docker-compose.yml b/docker-compose.yml
index ddb9493a..5593dfec 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,6 +5,13 @@ services:
 dockerfile: ./Dockerfile
 container_name: 3xui_app
 # hostname: yourhostname <- optional
+ # The bundled Fail2ban (XUI_ENABLE_FAIL2BAN below) enforces the IP limit
+ # with iptables, which needs NET_ADMIN. Without these caps a ban is logged
+ # and shown in fail2ban status but never actually applied. NET_RAW covers
+ # ip6tables. If you disable Fail2ban, you can drop cap_add.
+ cap_add:
+ - NET_ADMIN
+ - NET_RAW
 volumes:
 - $PWD/db/:/etc/x-ui/
 - $PWD/cert/:/root/cert/
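Review bot: The comment added above `cap_add` justifies the second capability with `NET_RAW covers ip6tables`, which as far as I can tell is not the right reason: the legacy iptables and ip6tables binaries both open a raw socket before the NET_ADMIN-gated control call, so NET_RAW is about the tool family rather than IPv6, and Docker grants NET_RAW by default anyway unless the service also uses `cap_drop`. Suggest replacing that sentence with `# NET_RAW is needed by the legacy iptables/ip6tables tools to open their control socket; kept explicit in case cap_drop removes Docker's defaults.` The same comment should also say that under the default bridge network NET_ADMIN only reaches the container's own network namespace, whereas with `network_mode: host` (not visible in this hunk) it lets any process in the container rewrite the host firewall, so the grant must be revisited if that mode is ever enabled. The service definition begins before and continues after this hunk.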