From 1cda50ce05cc150af8d565301266e910b855959e Mon Sep 17 00:00:00 2001
From: Monson Shao
Date: Fri, 3 Nov 2017 20:52:56 +0800
Subject: [PATCH] Rewrite nftables variables based on nftables' logic. Add an example for redirecting.
---
 config/action.d/nftables-allports.conf | 8 +--
 config/action.d/nftables-common.conf | 95 ++++++++++++++-----------
 config/action.d/nftables-multiport.conf | 8 +--
 3 files changed, 63 insertions(+), 48 deletions(-)
diff --git a/config/action.d/nftables-allports.conf b/config/action.d/nftables-allports.conf
index 6c69da39..eb17287a 100644
--- a/config/action.d/nftables-allports.conf
+++ b/config/action.d/nftables-allports.conf
@@ -13,10 +13,10 @@ before = nftables-common.conf
 [Definition]
-# Option: nftables_mode
-# Notes.: additional expressions for nftables filter rule
-# Values: nftables expressions
+# Option: match
+# Notes.: additional matches for nftables filter rule
+# Values: nftables matches
 #
-nftables_mode = meta l4proto
+match = meta l4proto
 [Init]
diff --git a/config/action.d/nftables-common.conf b/config/action.d/nftables-common.conf
index 37045712..4ed78f2f 100644
--- a/config/action.d/nftables-common.conf
+++ b/config/action.d/nftables-common.conf
@@ -11,6 +11,14 @@
 # used in all nftables based actions by default.
 #
 # The user can override the defaults in nftables-common.local
+# Example: redirect flow to honeypot
+#
+# [Init]
+# table_family = ip
+# chain_type = nat
+# chain_hook = prerouting
+# chain_priority = -50
+# blocktype = counter redirect to 2222
 [INCLUDES]
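Review bot: The new honeypot example (`# [Init]` through `# blocktype = counter redirect to 2222`) does not say that it is IPv4-only: it sets `table_family = ip`, while the `[Init?family=inet6]` section later in this file overrides only the address-related options, so an inet6 jail using these settings would, as far as I can tell, end up matching an `ip6` source address inside an `ip` family table. A line such as `# (IPv4 only: keep table_family = inet, or use a separate ip6 table, for IPv6 jails)` would make that explicit. It would also help to state that the snippet goes into nftables-common.local, which the sentence just above implies but the example itself does not repeat.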
@@ -18,35 +26,38 @@ after = nftables-common.local
 [Definition]
-# Option: nftables_mode
-# Notes.: additional expressions for nftables filter rule
-# Values: nftables expressions
+# Option: match
+# Notes.: additional matches for nftables filter rule.
+ leaving it empty will block all. (include udp and icmp)
+# Values: nftables matches
 #
-nftables_mode = dport \{ \}
+match = dport \{ \}
 # Option: actionstart
 # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values: CMD
 #
-actionstart = add set \{ type \; \}
- insert rule %(nftables_mode)s saddr @
+actionstart = add table f2b-table
+ -- add chain f2b-table f2b-chain \{ type hook priority \; \}
+ add set f2b-table \{ type \; \}
+ add rule f2b-table f2b-chain %(match)s saddr @
-_nft_list = --handle --numeric list chain
-_nft_get_handle_id = grep -m1 ' saddr @ # handle' | grep -oe ' handle [0-9]*'
+_nft_list = -a list chain f2b-table f2b-chain
+_nft_get_handle_id = grep -m1 '@ ' | grep -oe ' handle [0-9]*'
 # Option: actionstop
 # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
 # Values: CMD
 #
 actionstop = HANDLE_ID=$(%(_nft_list)s | %(_nft_get_handle_id)s)
- delete rule $HANDLE_ID
- delete set
+ delete rule f2b-table f2b-chain $HANDLE_ID
+ delete set f2b-table
 # Option: actioncheck
 # Notes.: command executed once before each actionban command
 # Values: CMD
 #
-actioncheck = list chain | grep -q '@[ \t]'
+actioncheck = list chain f2b-table f2b-chain | grep -q '@[ \t]'
 # Option: actionban
 # Notes.: command executed when banning an IP. Take care that the
@@ -54,7 +65,7 @@ actioncheck = list chain |
 # Tags: See jail.conf(5) man page
 # Values: CMD
 #
-actionban = add element \{ \}
+actionban = add element f2b-table
 # Option: actionunban
 # Notes.: command executed when unbanning an IP. Take care that the
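Review bot: The last line of the new `actionstart` (`add rule f2b-table f2b-chain %(match)s saddr @…`) is the only step that is not idempotent: nft's `add table`, `add chain` and `add set` succeed when the object already exists, but `add rule` appends unconditionally, so a daemon restart after an unclean stop leaves duplicate rules in f2b-chain, and `actionstop` then removes only the first of them because `_nft_get_handle_id` uses `grep -m1`. A comment stating that duplicates are possible and that stop removes one, or a guard that skips `add rule` when the existing `actioncheck` test already passes, would close that gap. Also worth a comment is that `actionstop` deliberately leaves f2b-table and f2b-chain in place, presumably because every nftables jail shares them and only the per-jail set is private, e.g. `# f2b-table/f2b-chain are shared by all nftables jails and are not removed here`. The `--` in front of `add chain` presumably ends nft's option parsing so that a negative `chain_priority` (the default in this file is -1) is not read as a flag; that deserves a one-line note since it reads like a typo. Fail2ban's interpolation tags appear to have been stripped in this rendering, so the exact rule and set names cannot be checked here.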
@@ -62,33 +73,38 @@ actionban = add element
 # Tags: See jail.conf(5) man page
 # Values: CMD
 #
-actionunban = delete element \{ \}
+actionunban = delete element f2b-table
 [Init]
-# Option: nftables_type
-# Notes.: address type to work with
-# Values: [ipv4_addr | ipv6_addr] Default: ipv4_addr
-#
-nftables_type = ipv4_addr
-
-# Option: nftables_family
+# Option: table_family
 # Notes.: address family to work in
 # Values: [ip | ip6 | inet] Default: inet
+table_family = inet
+
+# Option: chain_type
+# Notes.: refers to the kind of chain to be created
+# Values: [filter | route | nat] Default: filter
 #
-nftables_family = inet
+chain_type = filter
-# Option: nftables_table
-# Notes.: table in the address family to work in
-# Values: STRING Default: filter
+# Option: chain_hook
+# Notes.: refers to the kind of chain to be created
+# Values: [ prerouting | input | forward | output | postrouting ] Default: input
 #
-nftables_table = filter
+chain_hook = input
-# Option: chain
-# Notes specifies the nftables chain to which the Fail2Ban rules should be
-# added
-# Values: STRING Default: input
-chain = input
+# Option: chain_priority
+# Notes.: priority in the chain.
+# Values: NUMBER Default: -1
+#
+chain_priority = -1
+
+# Option: addr_type
+# Notes.: address type to work with
+# Values: [ipv4_addr | ipv6_addr] Default: ipv4_addr
+#
+addr_type = ipv4_addr
 # Default name of the filtering set
 #
@@ -108,8 +124,8 @@ protocol = tcp
 # Option: blocktype
 # Note: This is what the action does with rules. This can be any jump target
-# as per the nftables man page (section 8). Common values are drop
-# reject, reject with icmp type host-unreachable
+# as per the nftables man page (section 8). Common values are drop,
+# reject, reject with icmpx type host-unreachable, redirect to 2222
 # Values: STRING
 blocktype = reject
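Review bot: The `chain_hook` option's note, `# Notes.: refers to the kind of chain to be created`, is a copy of the `chain_type` note above it and does not describe the option; suggested text: `# Notes.: netfilter hook the chain is attached to; which hooks are valid depends on chain_type`. The `chain_priority` note (`# Notes.: priority in the chain.`) would also gain from stating what the default means: lower priorities run first, so with -1 a ban is evaluated before chains registered at the conventional filter priority 0, i.e. ahead of the administrator's own input rules. In the `@@ -108,8` hunk the blocktype comment now lists `redirect to 2222` next to `drop` and `reject` without saying it is only valid in a nat chain, which the honeypot example at the top of the file gets right with `chain_type = nat`; appending `(nat chains only)` would spare users a failing actionstart on the default filter chain.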
@@ -118,18 +134,17 @@ blocktype = reject
 # Values: STRING
 nftables = nft
-# Option: set_name
+# Option: addr_set
 # Notes.: The name of the nft set used to store banned addresses
 # Values: STRING
-set_name = f2b-
+addr_set = addr-set-
-# Option: address_family
+# Option: addr_family
 # Notes.: The family of the banned addresses
 # Values: [ ip | ip6 ]
-address_family = ip
+addr_family = ip
 [Init?family=inet6]
-
-nftables_type = ipv6_addr
-set_name = f2b-6
-address_family = ip6
+addr_family = ip6
+addr_type = ipv6_addr
+addr_set = addr6-set-
diff --git a/config/action.d/nftables-multiport.conf b/config/action.d/nftables-multiport.conf
index d1afafb3..6e3775ae 100644
--- a/config/action.d/nftables-multiport.conf
+++ b/config/action.d/nftables-multiport.conf
@@ -13,10 +13,10 @@ before = nftables-common.conf
 [Definition]
-# Option: nftables_mode
-# Notes.: additional expressions for nftables filter rule
-# Values: nftables expressions
+# Option: match
+# Notes.: additional matches for nftables filter rule
+# Values: nftables matches
 #
-nftables_mode = dport \{ \}
+match = dport \{ \}
 [Init]
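Review bot: The rename of the sets from `f2b-`/`f2b-6` to `addr-set-`/`addr6-set-` and the move from the user's `filter` table to the fixed `f2b-table` mean that sets and rules created by the previous version are never removed by the new `actionstop`, which only knows the new names; an upgrade without a clean stop of the old jails leaves the old objects, and the bans in them, in the `filter` table. That deserves a line in the file header or the changelog, e.g. `# Upgrading: sets named f2b-<name> in the old filter table are not cleaned up by this version; remove them manually.` The `[Init?family=inet6]` section now overrides `addr_family`, `addr_type` and `addr_set` but not `table_family`, which works with the default `inet` but, as far as I can tell, breaks as soon as a user sets `table_family = ip` as the new example suggests; a short comment here saying IPv6 jails need an inet or ip6 table would prevent that surprise.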