From f7f91a8bd45d83fa106c2c827e91d53d1e9b75dc Mon Sep 17 00:00:00 2001
From: Alexander Belykh
Date: Tue, 5 Jan 2016 19:03:47 +0600
Subject: [PATCH] Refactor common code out of nftables-multiport/allports.conf
---
 config/action.d/nftables-allports.conf | 38 +++----------------
 config/action.d/nftables-common.conf | 46 +++++++++++++++++++++++++
 config/action.d/nftables-multiport.conf | 41 ++++------------------
 3 files changed, 56 insertions(+), 69 deletions(-)
diff --git a/config/action.d/nftables-allports.conf b/config/action.d/nftables-allports.conf
index 34622f65..afd0ca84 100644
--- a/config/action.d/nftables-allports.conf
+++ b/config/action.d/nftables-allports.conf
@@ -13,40 +13,10 @@ before = nftables-common.conf
 [Definition]
-# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
-# Values: CMD
+# Option: nftables_mode
+# Notes.: additional expressions for nftables filter rule
+# Values: nftables expressions
 #
-actionstart = add set filter f2b- { type ipv4_addr\; }
- insert rule filter ip protocol ip saddr @f2b-
-
-# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
-# Values: CMD
-#
-actionstop = HANDLE_ID=$( --handle --numeric list chain filter | grep -m1 'ip saddr @f2b- # handle' | grep -oe ' handle [0-9]*'); delete rule filter $HANDLE_ID
- delete set filter f2b-
-# Option: actioncheck
-# Notes.: command executed once before each actionban command
-# Values: CMD
-#
-actioncheck = list chain filter | grep -q '@f2b-[ \t]'
-
-# Option: actionban
-# Notes.: command executed when banning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionban = add element filter f2b- { }
-
-# Option: actionunban
-# Notes.: command executed when unbanning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionunban = delete element filter f2b- { }
+nftables_mode = ip protocol
 [Init]
-
diff --git a/config/action.d/nftables-common.conf b/config/action.d/nftables-common.conf
index a0534d35..e65618ef 100644
--- a/config/action.d/nftables-common.conf
+++ b/config/action.d/nftables-common.conf
@@ -1,6 +1,9 @@
 # Fail2Ban configuration file
 #
 # Author: Daniel Black
+# Author: Cyril Jaquier
+# Modified: Yaroslav O. Halchenko
+# made active on all ports from original iptables.conf
 # Modified: Alexander Belykh
 # adapted for nftables
 #
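Review bot: The added header line `# made active on all ports from original iptables.conf` describes the history of the allports action, not of nftables-common.conf, so in this hunk it reads as a misplaced attribution. The same line also replaces `# Modified by Yaroslav Halchenko for multiport banning` in the nftables-multiport.conf hunk `@@ -1,7 +1,8 @@`, where it states the opposite of what that action does. Suggest keeping the original multiport wording in that file and, here, crediting the origin without the all-ports clause, e.g. `# Modified: Yaroslav O. Halchenko` followed by `#           ported from the iptables actions`.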
@@ -13,6 +16,49 @@ after = nftables-common.local
+[Definition]
+
+# Option: nftables_mode
+# Notes.: additional expressions for nftables filter rule
+# Values: nftables expressions
+#
+nftables_mode = dport { }
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = add set filter f2b- { type ipv4_addr\; }
+ insert rule filter %(nftables_mode)s ip saddr @f2b-
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = HANDLE_ID=$( --handle --numeric list chain filter | grep -m1 'ip saddr @f2b- # handle' | grep -oe ' handle [0-9]*'); delete rule filter $HANDLE_ID
+ delete set filter f2b-
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck = list chain filter | grep -q '@f2b-[ \t]'
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = add element filter f2b- { }
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = delete element filter f2b- { }
+
 [Init]
 # Option: chain
diff --git a/config/action.d/nftables-multiport.conf b/config/action.d/nftables-multiport.conf
index ad61bf63..3c6455e2 100644
--- a/config/action.d/nftables-multiport.conf
+++ b/config/action.d/nftables-multiport.conf
@@ -1,7 +1,8 @@
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
-# Modified by Yaroslav Halchenko for multiport banning
+# Modified: Yaroslav O. Halchenko
+# made active on all ports from original iptables.conf
 # Modified: Alexander Belykh
 # adapted for nftables
 #
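Review bot: `actionstop` runs `delete rule filter $HANDLE_ID` even when the `grep -m1 'ip saddr @f2b- # handle'` lookup matches nothing, so an empty `HANDLE_ID` turns the command into a bare `delete rule` against the chain, and the following `delete set filter f2b-` line presumably still runs on top of that error; guarding it as `[ -n "$HANDLE_ID" ] && delete rule filter $HANDLE_ID` (rest of the line unchanged) makes a missing rule a no-op instead of a malformed nft command. The `nftables_mode` notes should say how the value is consumed, since it is spliced verbatim into `insert rule filter %(nftables_mode)s ip saddr @f2b-`, e.g. `# Notes.: match expressions placed before the 'ip saddr' match of the rule inserted by actionstart; must form a complete nft expression`. The default `nftables_mode = dport { }` set here is identical to the override in the nftables-multiport.conf hunk `@@ -12,40 +13,10 @@`, so either that override is redundant or the default should be documented as the multiport behaviour. The `actioncheck` pattern `'@f2b-[ \t]'` is a bracket expression, so under grep's basic regex it likely matches a literal backslash or `t` after the set name rather than a tab; `[[:space:]]` expresses the intent.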
@@ -12,40 +13,10 @@ before = nftables-common.conf
 [Definition]
-# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
-# Values: CMD
+# Option: nftables_mode
+# Notes.: additional expressions for nftables filter rule
+# Values: nftables expressions
 #
-actionstart = add set filter f2b- { type ipv4_addr\; }
- insert rule filter dport { } ip saddr @f2b-
-
-# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
-# Values: CMD
-#
-actionstop = HANDLE_ID=$( --handle --numeric list chain filter | grep -m1 'ip saddr @f2b- # handle' | grep -oe ' handle [0-9]*'); delete rule filter $HANDLE_ID
- delete set filter f2b-
-# Option: actioncheck
-# Notes.: command executed once before each actionban command
-# Values: CMD
-#
-actioncheck = list chain filter | grep -q '@f2b-[ \t]'
-
-# Option: actionban
-# Notes.: command executed when banning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionban = add element filter f2b- { }
-
-# Option: actionunban
-# Notes.: command executed when unbanning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionunban = delete element filter f2b- { }
+nftables_mode = dport { }
 [Init]
-