From 8ea00c1d5db34366ef55ca9e6441b55e48d157c5 Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Wed, 25 Sep 2019 13:47:29 +0200
Subject: [PATCH] fixed mistake in config (semicolon after space as comment in
 configs?) and coverage, suppress errors by unsupported flush, better space
 handling in helper _nft_get_handle_id, etc

---
 config/action.d/nftables.conf    |  6 +++---
 fail2ban/tests/servertestcase.py | 16 ++++++++--------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/config/action.d/nftables.conf b/config/action.d/nftables.conf
index 9099f959..e7186c47 100644
--- a/config/action.d/nftables.conf
+++ b/config/action.d/nftables.conf
@@ -53,13 +53,13 @@ _nft_for_proto-multiport-iter = for proto in $(echo '<protocol>' | sed 's/,/ /g'
 _nft_for_proto-multiport-done = done
 
 _nft_list = <nftables> -a list chain <table_family> f2b-table f2b-chain
-_nft_get_handle_id = grep -oP '@<addr_set> .* \Khandle (\d+)$'
+_nft_get_handle_id = grep -oP '@<addr_set>\s+.*\s+\Khandle\s+(\d+)$'
 
 _nft_add_set = <nftables> add set <table_family> f2b-table <addr_set> \{ type <addr_type>\; \}
               <_nft_for_proto-<type>-iter>
               <nftables> add rule <table_family> f2b-table f2b-chain %(rule_stat)s
               <_nft_for_proto-<type>-done>
-_nft_del_set = $(%(_nft_list)s | %(_nft_get_handle_id)s) | while read -r hdl ; do
+_nft_del_set = (%(_nft_list)s | %(_nft_get_handle_id)s) | while read -r hdl; do
                <nftables> delete rule <table_family> f2b-table f2b-chain $hdl; done
               <nftables> delete set <table_family> f2b-table <addr_set>
 
@@ -76,7 +76,7 @@ actionstart = <nftables> add table <table_family> f2b-table
 #          uses `nft flush set ...` and as fallback (e. g. unsupported) recreates the set (with references)
 # Values:  CMD
 #
-actionflush = <nftables> flush set <table_family> f2b-table <addr_set> || (
+actionflush = (<nftables> flush set <table_family> f2b-table <addr_set> 2> /dev/null) || (
               %(_nft_del_set)s
               %(_nft_add_set)s
               )
diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py
index 55ec75ad..901b7399 100644
--- a/fail2ban/tests/servertestcase.py
+++ b/fail2ban/tests/servertestcase.py
@@ -1275,14 +1275,14 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 					r"`nft add rule inet f2b-table f2b-chain $proto dport \{ http,https \} ip6 saddr @addr6-set-j-w-nft-mp reject`",
 				),
 				'flush': (
-					"`nft flush set inet f2b-table addr-set-j-w-nft-mp || ",
-					"`nft flush set inet f2b-table addr6-set-j-w-nft-mp || ",
+					"`(nft flush set inet f2b-table addr-set-j-w-nft-mp 2> /dev/null) || ",
+					"`(nft flush set inet f2b-table addr6-set-j-w-nft-mp 2> /dev/null) || ",
 				),
 				'stop': (
-					"`$(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-mp .* \Khandle (\d+)$') | while read -r hdl`",
+					"`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
 					"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
 					"`nft delete set inet f2b-table addr-set-j-w-nft-mp`",
-					"`$(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-mp .* \Khandle (\d+)$') | while read -r hdl`",
+					"`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
 					"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
 					"`nft delete set inet f2b-table addr6-set-j-w-nft-mp`",
 				),
@@ -1321,14 +1321,14 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 					r"`nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp,udp \} ip6 saddr @addr6-set-j-w-nft-ap reject`",
 				),
 				'flush': (
-					"`nft flush set inet f2b-table addr-set-j-w-nft-ap || ",
-					"`nft flush set inet f2b-table addr6-set-j-w-nft-ap || ",
+					"`(nft flush set inet f2b-table addr-set-j-w-nft-ap 2> /dev/null) || ",
+					"`(nft flush set inet f2b-table addr6-set-j-w-nft-ap 2> /dev/null) || ",
 				),
 				'stop': (
-					"`$(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-ap .* \Khandle (\d+)$') | while read -r hdl`",
+					"`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
 					"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
 					"`nft delete set inet f2b-table addr-set-j-w-nft-ap`",
-					"`$(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-ap .* \Khandle (\d+)$') | while read -r hdl`",
+					"`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
 					"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
 					"`nft delete set inet f2b-table addr6-set-j-w-nft-ap`",
 				),