From 1e1c4ac62a2bb4cc693c963c2ba794c6666cd730 Mon Sep 17 00:00:00 2001
From: SATO Kentaro
Date: Mon, 16 Jun 2014 21:15:03 +0900
Subject: [PATCH] ENH: Add to iptables-ipsets.
---
 ChangeLog | 1 +
 THANKS | 1 +
 config/action.d/iptables-ipset-proto4.conf | 10 ++++++++--
 config/action.d/iptables-ipset-proto6-allports.conf | 10 ++++++++--
 config/action.d/iptables-ipset-proto6.conf | 10 ++++++++--
 5 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index d4ea774a7..2aeb2fb08 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -38,6 +38,7 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
 * Fail2ban-regex - add print-all-matched option. Closes gh-652
 * Suppress fail2ban-client warnings for non-critical config options
 * Match non "Bye Bye" disconnect messages for sshd locked account regex
+ * Add tag to iptables-ipsets.
 ver. 0.9.0 (2014/03/14) - beta
 ----------
diff --git a/THANKS b/THANKS
index 27165492b..080794905 100644
--- a/THANKS
+++ b/THANKS
@@ -85,6 +85,7 @@ Robert Edeker
 Rolf Fokkens
 Roman Gelfand
 Russell Odom
+SATO Kentaro
 Sebastian Arcus
 Sireyessire
 silviogarbes
diff --git a/config/action.d/iptables-ipset-proto4.conf b/config/action.d/iptables-ipset-proto4.conf
index fc03c68c0..4714f0df9 100644
--- a/config/action.d/iptables-ipset-proto4.conf
+++ b/config/action.d/iptables-ipset-proto4.conf
@@ -28,13 +28,13 @@ before = iptables-blocktype.conf
 # Values: CMD
 #
 actionstart = ipset --create f2b- iphash
- iptables -I INPUT -p -m multiport --dports -m set --match-set f2b- src -j
+ iptables -I -p -m multiport --dports -m set --match-set f2b- src -j
 # Option: actionstop
 # Notes.: command executed once at the end of Fail2Ban
 # Values: CMD
 #
-actionstop = iptables -D INPUT -p -m multiport --dports -m set --match-set f2b- src -j
+actionstop = iptables -D -p -m multiport --dports -m set --match-set f2b- src -j
 ipset --flush f2b-
 ipset --destroy f2b- 
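Review bot: The rewritten actionstart line in iptables-ipset-proto4.conf inserts the rule with `iptables -I` into whatever the `chain` tag expands to (the tag itself is not visible in this rendering), but nothing in the action verifies that the chain exists, and `iptables -I` will not create one, so a misspelled or not-yet-created user chain makes that line fail only after `ipset --create f2b-<name> iphash` has already run, leaving the set behind. The same pair of lines is changed in iptables-ipset-proto6-allports.conf and iptables-ipset-proto6.conf. The two commands cannot simply be reordered, because `-m set --match-set` rejects a set that does not exist yet, so I would at least say so where the option is defined, e.g. `# Notes.: the chain must already exist; iptables -I does not create it`. Note also that actionstop's `iptables -D` deletes the rule from the chain configured at stop time, so editing `chain` between start and stop presumably leaves the old rule in place and makes the following `ipset --destroy` fail because the set is still referenced; if the file has an actioncheck that still names INPUT, it lies outside this hunk and would need the same tag.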
@@ -60,6 +60,12 @@ actionunban = ipset --test f2b- && ipset --del f2b-
 #
 name = default
+# Option: chain
+# Notes specifies the iptables chain to which the Fail2Ban rules should be
+# added
+# Values: STRING Default: INPUT
+chain = INPUT
+
 # Option: port
 # Notes.: specifies port to monitor
 # Values: [ NUM | STRING ] Default: ssh
diff --git a/config/action.d/iptables-ipset-proto6-allports.conf b/config/action.d/iptables-ipset-proto6-allports.conf
index 72fba9cde..a3726873f 100644
--- a/config/action.d/iptables-ipset-proto6-allports.conf
+++ b/config/action.d/iptables-ipset-proto6-allports.conf
@@ -25,13 +25,13 @@ before = iptables-blocktype.conf
 # Values: CMD
 #
 actionstart = ipset create f2b- hash:ip timeout
- iptables -I INPUT -m set --match-set f2b- src -j
+ iptables -I -m set --match-set f2b- src -j
 # Option: actionstop
 # Notes.: command executed once at the end of Fail2Ban
 # Values: CMD
 #
-actionstop = iptables -D INPUT -m set --match-set f2b- src -j
+actionstop = iptables -D -m set --match-set f2b- src -j
 ipset flush f2b-
 ipset destroy f2b-
@@ -57,6 +57,12 @@ actionunban = ipset del f2b- -exist
 #
 name = default
+# Option: chain
+# Notes specifies the iptables chain to which the Fail2Ban rules should be
+# added
+# Values: STRING Default: INPUT
+chain = INPUT
+
 # Option: bantime
 # Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
 # Values: [ NUM ] Default: 600
diff --git a/config/action.d/iptables-ipset-proto6.conf b/config/action.d/iptables-ipset-proto6.conf
index 5d8481103..a3081ea07 100644
--- a/config/action.d/iptables-ipset-proto6.conf
+++ b/config/action.d/iptables-ipset-proto6.conf 
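Review bot: The new `# Notes specifies the iptables chain ...` line in iptables-ipset-proto4.conf drops the `.:` separator that the other option headers visible in this file use (`# Notes.: specifies port to monitor` is two lines below in the same hunk), and the block copied into iptables-ipset-proto6-allports.conf and iptables-ipset-proto6.conf repeats the inconsistency. I would write `# Notes.: specifies the iptables chain to which the Fail2Ban rules should be` followed by `#         added`, and tighten the Values line so readers know the value is substituted verbatim into the `iptables -I`/`-D` commands and must name a chain that already exists, e.g. `# Values: STRING (name of an existing chain) Default: INPUT`.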
@@ -25,13 +25,13 @@ before = iptables-blocktype.conf
 # Values: CMD
 #
 actionstart = ipset create f2b- hash:ip timeout
- iptables -I INPUT -p -m multiport --dports -m set --match-set f2b- src -j
+ iptables -I -p -m multiport --dports -m set --match-set f2b- src -j
 # Option: actionstop
 # Notes.: command executed once at the end of Fail2Ban
 # Values: CMD
 #
-actionstop = iptables -D INPUT -p -m multiport --dports -m set --match-set f2b- src -j
+actionstop = iptables -D -p -m multiport --dports -m set --match-set f2b- src -j
 ipset flush f2b-
 ipset destroy f2b-
@@ -57,6 +57,12 @@ actionunban = ipset del f2b- -exist
 #
 name = default
+# Option: chain
+# Notes specifies the iptables chain to which the Fail2Ban rules should be
+# added
+# Values: STRING Default: INPUT
+chain = INPUT
+
 # Option: port
 # Notes.: specifies port to monitor
 # Values: [ NUM | STRING ] Default: ssh