fixed mistake in config (semicolon after space as comment in configs?) and coverage, suppress errors by unsupported flush, better space handling in helper _nft_get_handle_id, etc

pull/2254/head
sebres 2019-09-25 13:47:29 +02:00
parent 492205d30e
commit 8ea00c1d5d
2 changed files with 11 additions and 11 deletions


@ -53,13 +53,13 @@ _nft_for_proto-multiport-iter = for proto in $(echo '<protocol>' | sed 's/,/ /g'
_nft_for_proto-multiport-done = done
_nft_list = <nftables> -a list chain <table_family> f2b-table f2b-chain
_nft_get_handle_id = grep -oP '@<addr_set> .* \Khandle (\d+)$'
_nft_get_handle_id = grep -oP '@<addr_set>\s+.*\s+\Khandle\s+(\d+)$'
_nft_add_set = <nftables> add set <table_family> f2b-table <addr_set> \{ type <addr_type>\; \}
<_nft_for_proto-<type>-iter>
<nftables> add rule <table_family> f2b-table f2b-chain %(rule_stat)s
<_nft_for_proto-<type>-done>
_nft_del_set = $(%(_nft_list)s | %(_nft_get_handle_id)s) | while read -r hdl ; do
_nft_del_set = (%(_nft_list)s | %(_nft_get_handle_id)s) | while read -r hdl; do
<nftables> delete rule <table_family> f2b-table f2b-chain $hdl; done
<nftables> delete set <table_family> f2b-table <addr_set>
@ -76,7 +76,7 @@ actionstart = <nftables> add table <table_family> f2b-table
# uses `nft flush set ...` and as fallback (e. g. unsupported) recreates the set (with references)
# Values: CMD
#
actionflush = <nftables> flush set <table_family> f2b-table <addr_set> || (
actionflush = (<nftables> flush set <table_family> f2b-table <addr_set> 2> /dev/null) || (
%(_nft_del_set)s
%(_nft_add_set)s
)
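Review bot: The `2> /dev/null` added to the first `flush set` in `actionflush` discards the error text of every failure, not only the unsupported-flush case named in the comment above it, so a flush that fails for any other reason silently takes the delete/re-add fallback. The fallback's own commands still write to stderr, but the original cause never reaches the log. I would at least document this next to the option, e.g. `# stderr of the first flush is dropped on purpose; any failure, not only an unsupported flush, falls through to _nft_del_set/_nft_add_set`. Separately, in `_nft_get_handle_id` the `<addr_set>` value is substituted unescaped into the `grep -oP` pattern; if set names can contain regex metacharacters (their derivation is not visible here), the match could select rule handles that belong to a different set.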


@ -1275,14 +1275,14 @@ class ServerConfigReaderTests(LogCaptureTestCase):
r"`nft add rule inet f2b-table f2b-chain $proto dport \{ http,https \} ip6 saddr @addr6-set-j-w-nft-mp reject`",
),
'flush': (
"`nft flush set inet f2b-table addr-set-j-w-nft-mp || ",
"`nft flush set inet f2b-table addr6-set-j-w-nft-mp || ",
"`(nft flush set inet f2b-table addr-set-j-w-nft-mp 2> /dev/null) || ",
"`(nft flush set inet f2b-table addr6-set-j-w-nft-mp 2> /dev/null) || ",
),
'stop': (
"`$(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-mp .* \Khandle (\d+)$') | while read -r hdl`",
"`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
"`nft delete set inet f2b-table addr-set-j-w-nft-mp`",
"`$(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-mp .* \Khandle (\d+)$') | while read -r hdl`",
"`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
"`nft delete set inet f2b-table addr6-set-j-w-nft-mp`",
),
@ -1321,14 +1321,14 @@ class ServerConfigReaderTests(LogCaptureTestCase):
r"`nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp,udp \} ip6 saddr @addr6-set-j-w-nft-ap reject`",
),
'flush': (
"`nft flush set inet f2b-table addr-set-j-w-nft-ap || ",
"`nft flush set inet f2b-table addr6-set-j-w-nft-ap || ",
"`(nft flush set inet f2b-table addr-set-j-w-nft-ap 2> /dev/null) || ",
"`(nft flush set inet f2b-table addr6-set-j-w-nft-ap 2> /dev/null) || ",
),
'stop': (
"`$(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-ap .* \Khandle (\d+)$') | while read -r hdl`",
"`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
"`nft delete set inet f2b-table addr-set-j-w-nft-ap`",
"`$(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-ap .* \Khandle (\d+)$') | while read -r hdl`",
"`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
"`nft delete set inet f2b-table addr6-set-j-w-nft-ap`",
),
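Review bot: The new `'stop'` expectations in both hunks are ordinary string literals containing `\s`, `\K` and `\d`, which Python does not recognise as escapes; they are kept literally today but trigger an invalid-escape warning on newer interpreters, while the neighbouring `add rule` expectations already use `r"..."`. Prefixing the four changed `grep -oP` lines with `r` keeps the compared text identical and matches the surrounding style. The `'flush'` tuples only list the first command up to `|| `, so as far as these hunks show the fallback branch (delete rules, delete set, re-add set) is not asserted for flush. The enclosing test method starts and ends outside the hunks.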