From 51af1934028b1582f8bbfdad609de75ccf21732a Mon Sep 17 00:00:00 2001 From: sebres Date: Fri, 18 Oct 2019 18:54:02 +0200 Subject: [PATCH] nftables: add options allowing to specify own table (default `f2b-table`) and chain (default `f2b-chain`) --- config/action.d/nftables.conf | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/config/action.d/nftables.conf b/config/action.d/nftables.conf index 251aa419..9ee55e89 100644 --- a/config/action.d/nftables.conf +++ b/config/action.d/nftables.conf @@ -52,23 +52,23 @@ _nft_for_proto-allports-done = _nft_for_proto-multiport-iter = for proto in $(echo '' | sed 's/,/ /g'); do _nft_for_proto-multiport-done = done -_nft_list = -a list chain f2b-table f2b-chain +_nft_list = -a list chain _nft_get_handle_id = grep -oP '@\s+.*\s+\Khandle\s+(\d+)$' -_nft_add_set = add set f2b-table \{ type \; \} +_nft_add_set = add set
\{ type \; \} <_nft_for_proto--iter> - add rule f2b-table f2b-chain %(rule_stat)s + add rule
%(rule_stat)s <_nft_for_proto--done> _nft_del_set = { %(_nft_list)s | %(_nft_get_handle_id)s; } | while read -r hdl; do - delete rule f2b-table f2b-chain $hdl; done - delete set f2b-table + delete rule
$hdl; done + delete set
# Option: actionstart # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # -actionstart = add table f2b-table - -- add chain f2b-table f2b-chain \{ type hook priority \; \} +actionstart = add table
+ -- add chain
\{ type hook priority \; \} %(_nft_add_set)s # Option: actionflush @@ -76,7 +76,7 @@ actionstart = add table f2b-table # uses `nft flush set ...` and as fallback (e. g. unsupported) recreates the set (with references) # Values: CMD # -actionflush = { flush set f2b-table 2> /dev/null; } || { +actionflush = { flush set
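Review bot: `actionstart` still (re)declares the chain as a base chain with the full `\{ type <chain_type> hook <chain_hook> priority <chain_priority> \; \}` spec on every start, yet the new `table`/`chain` options exist so an operator can point fail2ban at a table or chain that already exists; if that chain was created elsewhere with a different type, hook or priority, I would expect this `add chain` to be rejected (or to leave the existing hook untouched), and nothing in the hunk checks for that case. The substitution tags are not visible in this rendering, so I am reading the `<table>`/`<chain>` placement from the commit message. At minimum the `[Init]` documentation for `chain` should say that `chain_type`, `chain_hook` and `chain_priority` must match an existing chain's definition; alternatively the chain creation could be skipped when `list chain <table> <chain>` already succeeds, in the same style as the `actionflush` fallback, though whether `add chain` on an existing base chain errors on the nft versions fail2ban targets should be confirmed first.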
2> /dev/null; } || { %(_nft_del_set)s %(_nft_add_set)s } @@ -91,7 +91,7 @@ actionstop = %(_nft_del_set)s # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = list chain f2b-table f2b-chain | grep -q '@[ \t]' +actioncheck = list chain
| grep -q '@[ \t]' # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -99,7 +99,7 @@ actioncheck = list chain f2b-table f2b-chain | grep -q # Tags: See jail.conf(5) man page # Values: CMD # -actionban = add element f2b-table \{ \} +actionban = add element
\{ \} # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -107,15 +107,25 @@ actionban = add element f2b-table \{ \ # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = delete element f2b-table \{ \} +actionunban = delete element
\{ \} [Init] +# Option: table +# Notes.: main table to store chain and sets (automatically created on demand) +# Values: STRING Default: f2b-table +table = f2b-table + # Option: table_family # Notes.: address family to work in # Values: [ip | ip6 | inet] Default: inet table_family = inet +# Option: chain +# Notes.: main chain to store rules +# Values: STRING Default: f2b-chain +chain = f2b-chain + # Option: chain_type # Notes.: refers to the kind of chain to be created # Values: [filter | route | nat] Default: filter
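Review bot: The new `table` and `chain` options are substituted verbatim and unquoted into the command lines the action runs (the `2> /dev/null` redirection and `||` fallback in `actionflush` show these go through a shell), but their Notes say nothing about what values are acceptable. I would extend the `table` Notes along the lines of `# Notes.: main table to store chain and sets (automatically created on demand); the value is inserted unquoted into the nft/shell command lines, so use a plain nft identifier with no whitespace or shell metacharacters` and mirror that on `chain`. It is also worth stating that `actionstop = %(_nft_del_set)s` removes only the fail2ban set and the rules referencing it, never the table or chain, since that is what makes reusing an existing table safe and a reader of the defaults would not otherwise know it.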