Seeds the IP filter from a threat feed: a file path or http(s) URL of newline-delimited IPv4/IPv6 addresses or CIDR ranges. Blank lines and # comments are ignored. Repeatable, so several files or URLs combine into one set.

The blocklist sits beneath the explicit rules. A --allow-ip-range still overrides a blocklisted address, and --block-ip-range adds to it. Sources load once at startup; if any source cannot be read or parsed, the process exits and names the failing source.

To refresh the feed on a running server without a restart, use --server-update-blocklist-interval.