From c753ffb11d8ad81c03a89398892b0e1870e8707f Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Tue, 24 Sep 2019 15:01:58 +0200
Subject: [PATCH] combine nftables actions to single action: - nftables-common
 is removed - nftables-allports  is obsolete, replaced by
 nftables[type=allports] - nftables-multiport is obsolete, replaced by
 nftables[type=multiport]

---
 config/action.d/nftables-allports.conf        | 11 +++-------
 config/action.d/nftables-multiport.conf       | 11 +++-------
 .../{nftables-common.conf => nftables.conf}   | 22 ++++++++++++++-----
 3 files changed, 22 insertions(+), 22 deletions(-)
 rename config/action.d/{nftables-common.conf => nftables.conf} (89%)

diff --git a/config/action.d/nftables-allports.conf b/config/action.d/nftables-allports.conf
index fad5273a..908abe40 100644
--- a/config/action.d/nftables-allports.conf
+++ b/config/action.d/nftables-allports.conf
@@ -6,17 +6,12 @@
 # Modified: Alexander Belykh <albel727@ngs.ru>
 #                       adapted for nftables
 #
+# Obsolete: superseded by nftables[type=allports]
 
 [INCLUDES]
 
-before = nftables-common.conf
+before = nftables.conf
 
 [Definition]
 
-# Option:  match
-# Notes.:  additional matches for nftables filter rule
-# Values:  nftables matches
-#
-match = meta l4proto \{ <protocol> \}
-
-[Init]
+type = allports
diff --git a/config/action.d/nftables-multiport.conf b/config/action.d/nftables-multiport.conf
index 6e3775ae..ba3ec92c 100644
--- a/config/action.d/nftables-multiport.conf
+++ b/config/action.d/nftables-multiport.conf
@@ -6,17 +6,12 @@
 # Modified: Alexander Belykh <albel727@ngs.ru>
 #                       adapted for nftables
 #
+# Obsolete: superseded by nftables[type=multiport]
 
 [INCLUDES]
 
-before = nftables-common.conf
+before = nftables.conf
 
 [Definition]
 
-# Option:  match
-# Notes.:  additional matches for nftables filter rule
-# Values:  nftables matches
-#
-match = <protocol> dport \{ <port> \}
-
-[Init]
+type = multiport
\ No newline at end of file
diff --git a/config/action.d/nftables-common.conf b/config/action.d/nftables.conf
similarity index 89%
rename from config/action.d/nftables-common.conf
rename to config/action.d/nftables.conf
index 6765fbb3..79efbde2 100644
--- a/config/action.d/nftables-common.conf
+++ b/config/action.d/nftables.conf
@@ -26,12 +26,22 @@ after = nftables-common.local
 
 [Definition]
 
-# Option:  match
-# Notes.:  additional matches for nftables filter rule.
-#          leaving it empty will block all. (include udp and icmp)
-# Values:  nftables matches
+# Option:  type
+# Notes.:  type of the action.
+# Values:  [ multiport | allports ]  Default: multiport
 #
-match = <protocol> dport \{ <port> \}
+type = multiport
+
+rule_match-allports = meta l4proto \{ <protocol> \}
+rule_match-multiport = <protocol> dport \{ <port> \}
+match = <rule_match-<type>>
+
+# Option:  rule_stat
+# Notes.:  statement for nftables filter rule.
+#          leaving it empty will block all (include udp and icmp)
+# Values:  nftables statement
+#
+rule_stat = %(match)s <addr_family> saddr @<addr_set> <blocktype>
 
 # Option:  actionstart
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
@@ -40,7 +50,7 @@ match = <protocol> dport \{ <port> \}
 actionstart = <nftables> add table <table_family> f2b-table
               <nftables> -- add chain <table_family> f2b-table f2b-chain \{ type <chain_type> hook <chain_hook> priority <chain_priority> \; \}
               <nftables> add set <table_family> f2b-table <addr_set> \{ type <addr_type>\; \}
-              <nftables> add rule <table_family> f2b-table f2b-chain %(match)s <addr_family> saddr @<addr_set> <blocktype>
+              <nftables> add rule <table_family> f2b-table f2b-chain %(rule_stat)s
 
 _nft_list = <nftables> -a list chain <table_family> f2b-table f2b-chain
 _nft_get_handle_id = grep -m1 '@<addr_set> ' | grep -oe ' handle [0-9]*'