ENH: Add <chain> to iptables-ipsets.

ChangeLog

@@ -38,6 +38,7 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
    * Fail2ban-regex - add print-all-matched option. Closes gh-652
    * Suppress fail2ban-client warnings for non-critical config options
    * Match non "Bye Bye" disconnect messages for sshd locked account regex
+   * Add <chain> tag to iptables-ipsets.
 
 ver. 0.9.0 (2014/03/14) - beta
 ----------

THANKS

@@ -85,6 +85,7 @@ Robert Edeker
 Rolf Fokkens
 Roman Gelfand
 Russell Odom
+SATO Kentaro
 Sebastian Arcus
 Sireyessire
 silviogarbes

config/action.d/iptables-ipset-proto4.conf

@@ -28,13 +28,13 @@ before = iptables-blocktype.conf
 # Values:  CMD
 #
 actionstart = ipset --create f2b-<name> iphash
-              iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
+              iptables -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
 
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
              ipset --flush f2b-<name>
              ipset --destroy f2b-<name>
 
@@ -60,6 +60,12 @@ actionunban = ipset --test f2b-<name> <ip> && ipset --del f2b-<name> <ip>
 #
 name = default
 
+# Option:  chain
+# Notes    specifies the iptables chain to which the Fail2Ban rules should be
+#          added
+# Values:  STRING  Default: INPUT
+chain = INPUT
+
 # Option:  port
 # Notes.:  specifies port to monitor
 # Values:  [ NUM | STRING ]  Default: ssh

config/action.d/iptables-ipset-proto6-allports.conf

@@ -25,13 +25,13 @@ before = iptables-blocktype.conf
 # Values:  CMD
 #
 actionstart = ipset create f2b-<name> hash:ip timeout <bantime>
-              iptables -I INPUT -m set --match-set f2b-<name> src -j <blocktype>
+              iptables -I <chain> -m set --match-set f2b-<name> src -j <blocktype>
 
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D INPUT -m set --match-set f2b-<name> src -j <blocktype>
+actionstop = iptables -D <chain> -m set --match-set f2b-<name> src -j <blocktype>
              ipset flush f2b-<name>
              ipset destroy f2b-<name>
 
@@ -57,6 +57,12 @@ actionunban = ipset del f2b-<name> <ip> -exist
 #
 name = default
 
+# Option:  chain
+# Notes    specifies the iptables chain to which the Fail2Ban rules should be
+#          added
+# Values:  STRING  Default: INPUT
+chain = INPUT
+
 # Option: bantime
 # Notes:  specifies the bantime in seconds (handled internally rather than by fail2ban)
 # Values:  [ NUM ]  Default: 600

config/action.d/iptables-ipset-proto6.conf

@@ -25,13 +25,13 @@ before = iptables-blocktype.conf
 # Values:  CMD
 #
 actionstart = ipset create f2b-<name> hash:ip timeout <bantime>
-              iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
+              iptables -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
 
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
              ipset flush f2b-<name>
              ipset destroy f2b-<name>
 
@@ -57,6 +57,12 @@ actionunban = ipset del f2b-<name> <ip> -exist
 #
 name = default
 
+# Option:  chain
+# Notes    specifies the iptables chain to which the Fail2Ban rules should be
+#          added
+# Values:  STRING  Default: INPUT
+chain = INPUT
+
 # Option:  port
 # Notes.:  specifies port to monitor
 # Values:  [ NUM | STRING ]  Default: ssh