Fail2ban action.d for Cloudflare meant to replace the version that ships with fail2ban currently. This updated version of the action uses Cloudflare's 2023 v4 API (free tier WAF + free tier WAF lists) to ban hostile IPs.

cloudflare.conf

# This version works with CF WAF (using zone rulesets) and obsoletes previous
# versions. This works will all CF account types. This action depends on curl
# and jp and will add/remove IPs from the $known_hostile_ips list. Creating the
# WAF rules need only be done once per zone. Creating the list need only be done
# once per account.
#
# Author: Bernard Dickens III (Xunnamius)
#
# Inspired by work from: Mike Rushton
# https://github.com/fail2ban/fail2ban/blob/master/config/action.d/cloudflare.conf
#
# 1. REQUIRES jp TO BE INSTALLED IN THE USER PATH! Install it here:
#    https://github.com/jmespath/jp
#
# 2. ! IMPORTANT ! Set jail.local's permission to 640 because it contains one of
#    your CF API tokens. Grab your account id, your api token, and your "hostile
#    ip" list id before continuing (see end of file for details).
#
# 3. Create a new custom list. Name it known_hostile_ips.
#    https://developers.cloudflare.com/waf/tools/lists
#
# 4. Ensure every zone you want fail2ban to protect has an enabled WAF ban rule
#    referencing $known_hostile_ips.
#    https://developers.cloudflare.com/waf/custom-rules
#
# 5. Use the fail2ban CLI and the Cloudflare dashboard/Traces to test and make
#    sure everything is working properly. You may need to add a permission to
#    your api token to ensure proper function. See the end of this file for
#    details.
#
# To get your CloudFlare API Key:
# https://www.cloudflare.com/a/account/my-account
#
# CloudFlare API error codes: https://www.cloudflare.com/docs/host-api.html#s4.2
#
# Note that if you're using Nginx, Apache, Litespeed, etc, you need to modify
# your logs and/or your filters such that the real client IP is being captured
# and not Cloudflare's IPs.

[Definition]

# Option:  actionstart
# Notes.:  command executed on demand at the first ban (or at the start of
#          Fail2Ban if actionstart_on_demand is set to false).
# Values:  CMD
#
actionstart =

# Option:  actionstop
# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
# Values:  CMD
#
actionstop =

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
# API v4 WAF
actionban = curl -s -o /dev/null -X POST <_cf_api_prms> \
                 -d '[{"ip":"<ip>","comment":"Created by fail2ban <name>"}]' \
                 <_cf_api_url>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
# API v4 WAF
actionunban = id=$(curl -s -X GET <_cf_api_prms> \
                   "<_cf_api_url>?search=<ip>&per_page=1" \
                   | { jp --unquoted 'result[0].id | not_null(@, `""`)' 2>/dev/null; })
              if [ -z "$id" ]; then echo "<name>: id for <ip> cannot be found"; exit 0; fi;
              curl -s -o /dev/null -X DELETE <_cf_api_prms> \
                   -d '{"items":[{"id":"'"$id"'"}]}' \
                   <_cf_api_url>

_cf_api_url = https://api.cloudflare.com/client/v4/accounts/<cfaccountid>/rules/lists/<cfbanlistid>/items
_cf_api_prms = -H 'Authorization: bearer <cfapitoken>' -H 'Content-Type: application/json'

[Init]

# If you like to use this action with mailing whois lines, you could use the
# composite action action_cf_mwl predefined in jail.conf, just define in your
# jail:
#
# action = %(action_cf_mwl)
# # Your CF API Key
# cfapitoken =
# cfaccountid =
# cfbanlistid =

# Your Cloudflare User API Token. It will need "EDIT" level on the "Account
# Filter Lists" permission.
# https://dash.cloudflare.com/profile/api-tokens
cfapitoken = 

# The identifier of the Cloudflare account used to update the hostile IP list.
cfaccountid = 

# Your Cloudflare WAF "hostile ip" List id. You can find it using the API or or
# following the instructions here:
# https://community.cloudflare.com/t/what-token-permissions-for-ip-list-edits/525222/6
# https://api.cloudflare.com/client/v4/accounts/:cfaccountid/rules/lists
#
# Note that even free CF accounts get 1 free list with 10,000 slots, yay!
# https://dash.cloudflare.com/:cfaccountid/configurations/lists
cfbanlistid = 

@sebres having changed nothing, it's working now! Thanks so much for all of your help!

Following this thread. Is there a copy of the final draft solution for IPv6 that can be posted? I tried following the steps as written above and I'm still getting errors. My guess is I missed a step somewhere but I can't figure out where.

Here you go:

# This version works with CF WAF (using zone rulesets) and obsoletes previous
# versions. This works will all CF account types. This action depends on curl
# and jp and will add/remove IPs from the $known_hostile_ips list. Creating the
# WAF rules need only be done once per zone. Creating the list need only be done
# once per account.
#
# Author: Bernard Dickens III (Xunnamius)
#
# Inspired by work from: Mike Rushton
# https://github.com/fail2ban/fail2ban/blob/master/config/action.d/cloudflare.conf
#
# 1. REQUIRES jp TO BE INSTALLED IN THE USER PATH! Install it here:
#    https://github.com/jmespath/jp
#
# 2. ! IMPORTANT ! Set jail.local's permission to 640 because it contains one of
#    your CF API tokens. Grab your account id, your api token, and your "hostile
#    ip" list id before continuing (see end of file for details).
#
# 3. Create a new custom list. Name it known_hostile_ips.
#    https://developers.cloudflare.com/waf/tools/lists
#
# 4. Ensure every zone you want fail2ban to protect has an enabled WAF ban rule
#    referencing $known_hostile_ips.
#    https://developers.cloudflare.com/waf/custom-rules
#
# 5. Use the fail2ban CLI and the Cloudflare dashboard/Traces to test and make
#    sure everything is working properly. You may need to add a permission to
#    your api token to ensure proper function. See the end of this file for
#    details.
#
# To get your CloudFlare API Key:
# https://www.cloudflare.com/a/account/my-account
#
# CloudFlare API error codes: https://www.cloudflare.com/docs/host-api.html#s4.2
#
# Note that if you're using Nginx, Apache, Litespeed, etc, you need to modify
# your logs and/or your filters such that the real client IP is being captured
# and not Cloudflare's IPs.

[Definition]

# Option:  actionstart
# Notes.:  command executed on demand at the first ban (or at the start of
#          Fail2Ban if actionstart_on_demand is set to false).
# Values:  CMD
#
actionstart =

# Option:  actionstop
# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
# Values:  CMD
#
actionstop =

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
# API v4 WAF
actionban = curl -s -o /dev/null -X POST <_cf_api_prms> \
                 -d '[{"ip":"'"<cfip>"'","comment":"Created by fail2ban <name>"}]' \
                 <_cf_api_url>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
# API v4 WAF
actionunban = id=$(curl -s -X GET <_cf_api_prms> \
                   "<_cf_api_url>?search=<cfip>&per_page=1" \
                   | { jp --unquoted 'result[0].id | not_null(@, `""`)' 2>/dev/null; })
              if [ -z "$id" ]; then echo "<name>: id for <ip> cannot be found"; exit 0; fi;
              curl -s -o /dev/null -X DELETE <_cf_api_prms> \
                   -d '{"items":[{"id":"'"$id"'"}]}' \
                   <_cf_api_url>

_cf_api_url = https://api.cloudflare.com/client/v4/accounts/<cfaccountid>/rules/lists/<cfbanlistid>/items
_cf_api_prms = -H 'Authorization: bearer <cfapitoken>' -H 'Content-Type: application/json'

[Init]

# If you like to use this action with mailing whois lines, you could use the
# composite action action_cf_mwl predefined in jail.conf, just define in your
# jail:
#
# action = %(action_cf_mwl)
# # Your CF API Key
# cfapitoken =
# cfaccountid =
# cfbanlistid =

# Your Cloudflare User API Token. It will need "EDIT" level on the "Account
# Filter Lists" permission.
# https://dash.cloudflare.com/profile/api-tokens
cfapitoken = 

# The identifier of the Cloudflare account used to update the hostile IP list.
cfaccountid = 

# Your Cloudflare WAF "hostile ip" List id. You can find it using the API or or
# following the instructions here:
# https://community.cloudflare.com/t/what-token-permissions-for-ip-list-edits/525222/6
# https://api.cloudflare.com/client/v4/accounts/:cfaccountid/rules/lists
#
# Note that even free CF accounts get 1 free list with 10,000 slots, yay!
# https://dash.cloudflare.com/:cfaccountid/configurations/lists
cfbanlistid = 

cfip = <ip>

[Init?family=inet6]

cfip = $(fail2ban-python -c 'import sys; from fail2ban.server.ipdns import IPAddr; a = IPAddr(sys.argv[1]+"/"+sys.argv[2]); print(str(a))' "<ip>" 64)

(untested... I hope I did not forget something)

@sebres thank you. I've tested this and it's still not working on my end but I will spend more time troubleshooting to see if I can yield the same results as @Staene. I did notice in the full solution that the end of your IPv6 cfip = statement there is an extra ` after the 64 that is not in the original statement above. I made that change on my end but it did not resolve the issue. Can you confirm if that ` should be there or not? Thanks again for all your help.

Fixed (the extra accent char must be removed), I just forgot to remove it by replacement `...` with $(...)

Is anything working? If no, make sure your Cloudflare list is setup correctly and the API token has permission. You can check Manage Account > Audit Log to see if the API submissions are going through or Manage Account > Configuration > Lists to see if the list is populated.

If banning works but not unbanning, make sure jp is installed.

IPv4 works fine. As of now IPv6 is not.

I should add I run fail2ban in docker. I added jp to the crazymax/fail2ban image and after finally getting the IPv4 steps right I had success there. The biggest challenge was as you said, the API permissions - I missed the steps at the bottom of the instructions originally. I also run nginx proxy manager in docker and have specifically called out real_ip_header CF-Connecting-IP in the advanced tab of the proxy host i'm testing. Cloudflare is banning the appropriate IPv4 address as a result.

For IPv6 it shows the ban occur in the logs but the IP is never added to the cloudflare list. I'd love to post a log but I can't find any error.

Try changing [Definition?family=inet6] to [Init?family=inet6]

I do not believe Definition worked for me.

That was it! @sebres if you can update your solution to say Init instead of Definition it works exactly as planned. Thanks to you both @sebres and @Staene, really appreciate you.

Right on! 👍