# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
# Modified: Alexander Belykh <albel727@ngs.ru>
#                       adapted for nftables
#

[INCLUDES]

before = nftables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = <nftables> add set filter f2b-<name> { type ipv4_addr\; }
              <nftables> insert rule filter <chain> <protocol> dport { <port> } ip saddr @f2b-<name> <blocktype>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = HANDLE_ID=$(<nftables> --handle --numeric list chain filter <chain> | grep -m1 'ip saddr @f2b-<name> <blocktype> # handle' | grep -oe ' handle [0-9]*'); <nftables> delete rule filter <chain> $HANDLE_ID
             <nftables> delete set filter f2b-<name>
# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = <nftables> list chain filter <chain> | grep -q '@f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <nftables> add element filter f2b-<name> { <ip> }

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = <nftables> delete element filter f2b-<name> { <ip> }

[Init]