From 152c9d27d598414ad5a3a5d0932e0310c5ecdc57 Mon Sep 17 00:00:00 2001
From: Louis Sautier
Date: Mon, 11 Sep 2017 23:22:01 +0200
Subject: [PATCH] Fix nftables actions for IPv6 addresses, fixes #1893

* add [Init?family=inet6] to nftables-common.conf and make nftable expressions more modular
* change "ip protocol" to "meta l4proto" in nftables-allports.conf since the former only works for IPv4
---
 ChangeLog | 1 +
 config/action.d/nftables-allports.conf | 2 +-
 config/action.d/nftables-common.conf | 30 ++++++++++++++++++++------
 3 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 27be6498..e3c10de2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -35,6 +35,7 @@ ver. 0.10.1-dev-1 (2016/??/??) - development edition
 -----------
 ### Fixes
+* fix nftables actions for IPv6 addresses (gh-1893)
 * fix Gentoo init script's shebang to use openrc-run instead of runscript (gh-1891)
 * jail "pass2allow-ftp" supply blocktype and returntype parameters to the action (gh-1884)
 * avoid using "ANSI_X3.4-1968" as preferred encoding (if missing environment variables
diff --git a/config/action.d/nftables-allports.conf b/config/action.d/nftables-allports.conf
index afd0ca84..6c69da39 100644
--- a/config/action.d/nftables-allports.conf
+++ b/config/action.d/nftables-allports.conf
@@ -17,6 +17,6 @@ before = nftables-common.conf
 # Notes.: additional expressions for nftables filter rule
 # Values: nftables expressions
 #
-nftables_mode = ip protocol
+nftables_mode = meta l4proto
 [Init]
diff --git a/config/action.d/nftables-common.conf b/config/action.d/nftables-common.conf
index 80657c5c..83311087 100644
--- a/config/action.d/nftables-common.conf
+++ b/config/action.d/nftables-common.conf
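Review bot: The reason for replacing `ip protocol` with `meta l4proto` in `nftables_mode` is recorded only in the commit message, not next to the option it changes. `ip protocol` reads the protocol field of the IPv4 header, while `meta l4proto` reads the transport protocol independently of the IP family, so a rule built from the old value can never match IPv6 traffic even though the rest of the action now supports `family=inet6`. I would keep that with the option, e.g. `# Notes.: additional expressions for nftables filter rule (meta l4proto rather than "ip protocol", so the rule also matches IPv6)`.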
@@ -28,11 +28,11 @@ nftables_mode = dport \{ \}
 # Notes.: command executed once at the start of Fail2Ban.
 # Values: CMD
 #
-actionstart = add set f2b- \{ type \; \}
- insert rule %(nftables_mode)s ip saddr @f2b-
+actionstart = add set \{ type \; \}
+ insert rule %(nftables_mode)s saddr @
 _nft_list = --handle --numeric list chain
-_nft_get_handle_id = grep -m1 'ip saddr @f2b- # handle' | grep -oe ' handle [0-9]*'
+_nft_get_handle_id = grep -m1 ' saddr @ # handle' | grep -oe ' handle [0-9]*'
 # Option: actionstop
 # Notes.: command executed once at the end of Fail2Ban
@@ -40,13 +40,13 @@ _nft_get_handle_id = grep -m1 'ip saddr @f2b- # handle' | grep
 #
 actionstop = HANDLE_ID=$(%(_nft_list)s | %(_nft_get_handle_id)s)
 delete rule $HANDLE_ID
- delete set f2b-
+ delete set
 # Option: actioncheck
 # Notes.: command executed once before each actionban command
 # Values: CMD
 #
-actioncheck = list chain | grep -q '@f2b-[ \t]'
+actioncheck = list chain | grep -q '@[ \t]'
 # Option: actionban
 # Notes.: command executed when banning an IP. Take care that the
@@ -54,7 +54,7 @@ actioncheck = list chain |
 # Tags: See jail.conf(5) man page
 # Values: CMD
 #
-actionban = add element f2b- \{ \}
+actionban = add element \{ \}
 # Option: actionunban
 # Notes.: command executed when unbanning an IP. Take care that the
@@ -62,7 +62,7 @@ actionban = add element f2b-
 # Tags: See jail.conf(5) man page
 # Values: CMD
 #
-actionunban = delete element f2b- \{ \}
+actionunban = delete element \{ \}
 [Init]
@@ -117,3 +117,19 @@ blocktype = reject
 # Notes.: Actual command to be executed, including common to all calls options
 # Values: STRING
 nftables = nft
+
+# Option: set_name
+# Notes.: The name of the nft set used to store banned addresses
+# Values: STRING
+set_name = f2b-
+
+# Option: address_family
+# Notes.: The family of the banned addresses
+# Values: [ ip | ip6 ]
+address_family = ip
+
+[Init?family=inet6]
+
+nftables_type = ipv6_addr
+set_name = f2b-6
+address_family = ip6
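Review bot: The new `address_family` option, overridden to `ip6` in `[Init?family=inet6]` in the last hunk, is used as the prefix of the `saddr` match (`ip saddr` / `ip6 saddr`, visible in the rewritten `_nft_get_handle_id` grep of the first hunk) and, judging by the surrounding words of the rewritten `add set` and `insert rule` lines, apparently also as the family in which the set and rule are created; the template tags between these words seem to have been dropped from this page, so the second use is inferred rather than read. If that is the case, a table created in the `inet` family, the usual way to serve IPv4 and IPv6 from one table, is not found by `add set ip6 ...`, and the IPv6 half of the action fails at actionstart with nothing in the new `# Notes.:` text to explain why. I would state the coupling in the option header, e.g. `# Notes.: The family of the banned addresses; the configured table must exist in this nft family (ip or ip6)`, or give the table family its own option so `inet` tables stay usable. The same pair of `set_name` values (`f2b-` and `f2b-6`, each followed by the dropped tag) should also be checked against each other, since two jails could otherwise resolve to the same set name if the tag is the jail name.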