action.d/nftables.conf: implemented `actionflush` (allows flushing nftables sets resp. fast unban of all jail tickets at all)

config/action.d/nftables.conf

@@ -52,27 +52,40 @@ _nft_for_proto-allports-done =
 _nft_for_proto-multiport-iter = for proto in $(echo '<protocol>' | sed 's/,/ /g'); do
 _nft_for_proto-multiport-done = done
 
+_nft_list = <nftables> -a list chain <table_family> f2b-table f2b-chain
+_nft_get_handle_id = grep -oP '@<addr_set> .* \Khandle (\d+)$'
+
+_nft_add_set = <nftables> add set <table_family> f2b-table <addr_set> \{ type <addr_type>\; \}
+              <_nft_for_proto-<type>-iter>
+              <nftables> add rule <table_family> f2b-table f2b-chain %(rule_stat)s
+              <_nft_for_proto-<type>-done>
+_nft_del_set = $(%(_nft_list)s | %(_nft_get_handle_id)s) | while read -r hdl ; do
+               <nftables> delete rule <table_family> f2b-table f2b-chain $hdl; done
+              <nftables> delete set <table_family> f2b-table <addr_set>
+
 # Option:  actionstart
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD
 #
 actionstart = <nftables> add table <table_family> f2b-table
               <nftables> -- add chain <table_family> f2b-table f2b-chain \{ type <chain_type> hook <chain_hook> priority <chain_priority> \; \}
-              <nftables> add set <table_family> f2b-table <addr_set> \{ type <addr_type>\; \}
-              <_nft_for_proto-<type>-iter>
-              <nftables> add rule <table_family> f2b-table f2b-chain %(rule_stat)s
-              <_nft_for_proto-<type>-done>
+              %(_nft_add_set)s
 
-_nft_list = <nftables> -a list chain <table_family> f2b-table f2b-chain
-_nft_get_handle_id = grep -oP '@<addr_set> .* \Khandle (\d+)$'
+# Option:  actionflush
+# Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action);
+#          uses `nft flush set ...` and as fallback (e. g. unsupported) recreates the set (with references)
+# Values:  CMD
+#
+actionflush = <nftables> flush set <table_family> f2b-table <addr_set> || (
+              %(_nft_del_set)s
+              %(_nft_add_set)s
+              )
 
 # Option:  actionstop
 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
 # Values:  CMD
 #
-actionstop = $(%(_nft_list)s | %(_nft_get_handle_id)s) | while read -r hdl ; do
-               <nftables> delete rule <table_family> f2b-table f2b-chain $hdl; done
-             <nftables> delete set <table_family> f2b-table <addr_set>
+actionstop = %(_nft_del_set)s
 
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command

fail2ban/tests/servertestcase.py

@@ -1275,7 +1275,8 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 					r"`nft add rule inet f2b-table f2b-chain $proto dport \{ http,https \} ip6 saddr @addr6-set-j-w-nft-mp reject`",
 				),
 				'flush': (
-					# todo
+					"`nft flush set inet f2b-table addr-set-j-w-nft-mp || ",
+					"`nft flush set inet f2b-table addr6-set-j-w-nft-mp || ",
 				),
 				'stop': (
 					"`$(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-mp .* \Khandle (\d+)$') | while read -r hdl`",
@@ -1320,7 +1321,8 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 					r"`nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp,udp \} ip6 saddr @addr6-set-j-w-nft-ap reject`",
 				),
 				'flush': (
-					# todo
+					"`nft flush set inet f2b-table addr-set-j-w-nft-ap || ",
+					"`nft flush set inet f2b-table addr6-set-j-w-nft-ap || ",
 				),
 				'stop': (
 					"`$(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-ap .* \Khandle (\d+)$') | while read -r hdl`",