# Fail2Ban configuration file
#
# Author: Daniel Black
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
# 			made active on all ports from original iptables.conf
# Modified: Alexander Belykh <albel727@ngs.ru>
#                       adapted for nftables
#
# This is a included configuration file and includes the definitions for the nftables
# used in all nftables based actions by default.
#
# The user can override the defaults in nftables-common.local

[INCLUDES]

after = nftables-common.local

[Definition]

# Option:  nftables_mode
# Notes.:  additional expressions for nftables filter rule
# Values:  nftables expressions
#
nftables_mode = <protocol> dport \{ <port> \}

# Option:  actionstart
# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values:  CMD
#
actionstart = <nftables> add set <nftables_family> <nftables_table> <set_name> \{ type <nftables_type>\; \}
              <nftables> insert rule <nftables_family> <nftables_table> <chain> %(nftables_mode)s <address_family> saddr @<set_name> <blocktype>

_nft_list = <nftables> --handle --numeric list chain <nftables_family> <nftables_table> <chain>
_nft_get_handle_id = grep -m1 '<address_family> saddr @<set_name> <blocktype> # handle' | grep -oe ' handle [0-9]*'

# Option:  actionstop
# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
# Values:  CMD
#
actionstop = HANDLE_ID=$(%(_nft_list)s | %(_nft_get_handle_id)s)
             <nftables> delete rule <nftables_family> <nftables_table> <chain> $HANDLE_ID
             <nftables> delete set <nftables_family> <nftables_table> <set_name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = <nftables> list chain <nftables_family> <nftables_table> <chain> | grep -q '@<set_name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <nftables> add element <nftables_family> <nftables_table> <set_name> \{ <ip> \}

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = <nftables> delete element <nftables_family> <nftables_table> <set_name> \{ <ip> \}

[Init]

# Option:  nftables_type
# Notes.:  address type to work with
# Values:  [ipv4_addr | ipv6_addr]  Default: ipv4_addr
#
nftables_type = ipv4_addr

# Option:  nftables_family
# Notes.:  address family to work in
# Values:  [ip | ip6 | inet]  Default: inet
#
nftables_family = inet

# Option:  nftables_table
# Notes.:  table in the address family to work in
# Values:  STRING  Default: filter
#
nftables_table = filter

# Option:  chain
# Notes    specifies the nftables chain to which the Fail2Ban rules should be
#          added
# Values:  STRING  Default: input
chain = input

# Default name of the filtering set
#
name = default

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
#
port = ssh

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp ] Default: tcp
#
protocol = tcp

# Option:  blocktype
# Note:    This is what the action does with rules. This can be any jump target
#          as per the nftables man page (section 8). Common values are drop
#          reject, reject with icmp type host-unreachable
# Values:  STRING
blocktype = reject

# Option:  nftables
# Notes.:  Actual command to be executed, including common to all calls options
# Values:  STRING
nftables = nft

# Option: set_name
# Notes.: The name of the nft set used to store banned addresses
# Values: STRING
set_name = f2b-<name>

# Option: address_family
# Notes.: The family of the banned addresses
# Values: [ ip | ip6 ]
address_family = ip

[Init?family=inet6]

nftables_type = ipv6_addr
set_name = f2b-<name>6
address_family = ip6