Closed (won't fix)
Project:
Ban
Version:
1.0.x-dev
Component:
Miscellaneous
Priority:
Normal
Category:
Plan
Assigned:
Unassigned
Reporter:
Created:
4 Dec 2025 at 13:09 UTC
Updated:
15 Mar 2026 at 18:39 UTC
Jump to comment: Most recent
Problem/Motivation
After reading through several related issues and feature requests I'm quite sure it would make a lot of sense to end the parallel existence of the ban module (now contrib) and advban module as more powerful alternative.
When ban was in core, https://www.drupal.org/project/advban was an alternative (sadly not on top of ban) to provide useful related features like
IP range ban (IPv4 only)
IP ban reason
Blocked IPs expire (unblock by cron)
Unblock all IPs
Search IP
Format ban text
Protected IPs list
In a perfect world, advban would have extended ban, but I guess for technical reasons, especially additional columns and API additions, it was made as alternative.
In this issue, I'd like to advocate for merging them into one powerful ban module that can be used in contrib
Issues like this: #3557089: Add an allowed IP list to the Ban module would then be solved already, and we wouldn't need to reinvent the wheel twice. Issues like this: #3552577: Integrate with CrowdSec module show that it's also bad for contrib to care for two alternative "dependencies" because Drupals dependency system isn't made for that.
As ban was part of core, it would IMHO make sense to keep its name and maybe better merge advban implementations in, but let's discuss the best and most simple way!
I already created a similar vice-versa issue in the advban module some time ago: #3544165: Clarify "Ban" module replacement - support for contrib modules that require "Ban"?
I don't see much sense in these two alternatives maintained in parallel any more. What do the maintainers say and if you both agree, how should we merge them?
Steps to reproduce
Proposed resolution
Remaining tasks
- Discuss
- Plan
- Implement
- Test
- Release
Comments
Comment #2
mstrelan commented@anybody are you interested in co-maintaining ban? I volunteered to help get it out of core, but I'm looking for others to progress it in a 2.x branch.
Comment #3
anybody@mstrelan Yes, I'm not against it. My time is also limited and I'm already maintaining hundreds? of other contrib modules, but hopefully when werged with advban this won't need that much time any more?
PS: Could you also add my team-mate @grevil then, please?
And please give us your oppinion on this :)
Comment #4
goodboy commentedAs an advban developer, I am against merging modules.
Comment #5
anybody@goodboy thanks for the feedback. Do you have any reasons to share?
I mean we didn't even talk about what this might mean. My point is just, that the UX for users isn't cool having ban vs. advban, while advban has very helpful functionality but isn't based on ban, which also has negative effects on all related modules that need to support them and for example can't use regular dependencies for that reasons.
So i'd see very good reasons to talk to each other as maintainers and joining teams...
Comment #6
mstrelan commented@anybody I've opened #3575345: Seeking co-maintainers for next generation of Ban module, let's continue the co-maintainership discussion there.
Will leave this open for a while for a response to #4.
Comment #7
anybodyWould be great if @goodboy could overthink his position again and get in contact with us to combine both modules (in my opinion). What's your position @mstrelan?
Comment #8
mstrelan commentedMy maintainership of this module is primarily to help remove it from core, I'm afraid I don't have much meaningful input in to the future of this module beyond that. From what I understand, advban does not extend from ban, instead it seeks to replace it. It could make sense to simply recommend users switch to advban and stop supporting this module after a while. It would certainly be better to collaborate in one place (here or there) if possible. It would be good to understand from a site builder perspective, when should one choose one module over the other.
Comment #9
berdirI think on a technical level, there isn't really such a thing as merging two modules. There's really only deprecating one in favor of the other.
So per #8, we either say that we mark this as unsupported in favor of advban and accept the name advanced ban as a historic thing and it's really just "the" ban module going forward.
Or we create a 2.x branch of ban and merge in all the features from advban either wholesale or on a case-by-case basis. We don't *need* support from the advban maintainer to do so as long as proper credit is given, but it's a bit awkward if there's no plan/commitment from the advban maintainer to recommend using the ban project/join as a maintainer, we'd then essentially maintain two more or less identical projects going forward.
We use the "Ban stack" of perimeter + ban + auto_unban. I clearly prefer that over the alternative autoban project that's built on advban, as it's real-time and stops scanners immediately as opposed to delayed on cron when they might have already sent hundreds of expensive requests. I also like how auto_unban treats repeat offenders by giving them increasingly long but temporary bans. As opposed to one-off expirying bans like advban implements it. We've had a handful of cases where real users managed to get blocked by perimeter and auto_unban typically resulted in them getting unblocked quicker than they managed to reach out to us. I also see that advban currently has the same performance issue that I patched in auto_unban: #3551605: Injecting ConfigFactory into BanIpManager is expensive, use a closure.
Looking at the advban code, the ability to block IP ranges comes at the price of executing at least one additional query to get that information as well. It doesn't seem optional right now. Not sure that's worth it for me. We rarely block IP ranges manually and mostly rely on perimeter. Our hosting provider (upsun) and CDN's we use (Fastly/Cloudflare/...) also offer IP range blocking that once active, is much more efficient.
So personally, I'm not sure I'd want to go in the direction of deprecating this project in favor of advban. If there are specific features that would be useful to support in ban, we could add them, either based on advban implementations or alternatives such as auto_unban. And keep them as different projects handling different use cases.
Comment #10
anybodyThanks for the valuable feedback @mstrelan and @berdir!
I agree with the points here and based on the negative feedback by @goodboy and the points made by you, I agree it might be (sad but and a bit confusing for the community) better to keep ban like it is and improve it like you described.
Some important things have already been fixed in the last days or pushed forward, the remaining important features are, from my perspective, foremost UI / UX aspects, like flushing banned IPs, bulk-deletion, filtering and adding a pager. These shouldn't be too hard. For some of them we already have issues, others should be created (I did so)
Updating the module page with helpful related modules and a comparison with advban is another important task imho. (I created an issue for that now)
FYI @berdir we're using this in combination with Crowdsec, because we had crawlers blocked with perimeter in the past. That also works great! For me the biggest pain-point with Ban was the missing whitelist and the written UI / UX aspects.
Which other features or bugs are on your radar for ban?
So based on this discussion and if @goodboy won't change his position, I'd be fine closing this issue won't fix.
Comment #11
anybodyI've added issues and a meta issue for the UX aspects: #3575766: [META] 1.1.x UX-Improvements
And I think this one might help contrib modules to do their job? #3086645: Add timestamp to ban_ip table
I think maybe that's it?
Comment #12
goodboy commented@berdir,
I mostly agree with your words.
You're absolutely right that one scenario is for one module to win and the other to die. But why should I shut down my module and throw away years of my efforts? This might be all I have.
My opinion is that users and module developers who use provider bans must make a choice. Like choosing between Mercedes and BMW.
Now I see that I am losing by a landslide, but the colors of my flag are different and therefore there are no options for me.
I haven't made any inventions or patented any of my improvements. Since the module is open source, you are free to analyze the code and use any useful ideas for your own projects. I can't stop you from doing so, even if I wanted to.
I have grand plans to create advban 2.0. But I'm not sure if I should make these ideas and solutions publicly available.
Now I regret creating those two modules of my own. And even registering on drupal.org.
Gentlemen, I apologize for not responding to you all. You are right in your own way, and I wish you continued growth and success in your projects.
Comment #13
mstrelan commented@goodboy I don't think anyone is suggesting you abandon your work or your vision for 2.x, the invitation is here for you to collaborate and bring it to ban 2.x. It's up to you though, feel free to carry on.
Comment #14
anybody@goodboy nobody wants to hurt you or take your work, we're all investing our time in open source here. We're not being paid for this, doing it for the community and our projects to get the best out of it. So I don't know the exact story behind, but it sounds sad. We definitely wish you all the best.
To sum up from my position: The question was just, if you'd like to join efforts for a win for the whole community and merge things. I have to admit I don't really understand the frustration.
Everything has been said, as it seems, so let's close this won't fix and keep on with both modules in parallel, users should decide which one fits. Would still make sense to provide a comparison of the features, pro's and con's to make the right choice.