nftables: amend to gh-2254 - implemented shutdown of action (proper clean-up) - at stop it checks now the last set was deleted and removes table completely (if table does not contain any set);

this is avoided if some sets were added manually or can be avoided via overwriting of parameter `_nft_shutdown_table`, for example: banaction = nftables[_nft_shutdown_table=''][...]
2019-10-18 18:55:55 +02:00 · 2019-10-18 18:55:55 +02:00 · 85ec605358
parent 51af193402
commit 85ec605358
1 changed files with 9 additions and 0 deletions
--- a/config/action.d/nftables.conf
+++ b/config/action.d/nftables.conf
@ -63,6 +63,14 @@ _nft_del_set = { %(_nft_list)s | %(_nft_get_handle_id)s; } | while read -r hdl;
               <nftables> delete rule <table_family> <table> <chain> $hdl; done
              <nftables> delete set <table_family> <table> <addr_set>

+# Option:  _nft_shutdown_table
+# Notes.:  command executed after the stop in order to delete table (it checks that no sets are available):
+# Values:  CMD
+#
+_nft_shutdown_table = { <nftables> list table <table_family> <table> | grep -qP '^\s+set\s+'; } || {
+                        <nftables> delete table <table_family> <table>
+                      }
+
 # Option:  actionstart
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD
@ -86,6 +94,7 @@ actionflush = { <nftables> flush set <table_family> <table> <addr_set> 2> /dev/n
 # Values:  CMD
 #
 actionstop = %(_nft_del_set)s
+             <_nft_shutdown_table>

 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command