author | sebres <serg.brester@sebres.de> | 2019-09-24 19:43:56 +0200 |
---|---|---|
committer | sebres <serg.brester@sebres.de> | 2019-09-24 19:44:59 +0200 |
commit | abc4d9fe3713035d31a1a0a169a708d36febb15e (patch) | |
tree | 2f92803ed2e9ade0829a797e9f244f916e4bf51f /config/action.d | |
parent | c753ffb11d8ad81c03a89398892b0e1870e8707f (diff) | |
download | fail2ban-abc4d9fe3713035d31a1a0a169a708d36febb15e.tar.gz |
allow to use multiple protocols in multiport (single set with multiple rules in chain):
`banaction = nftables[type=multiport]` with `protocol="tcp,udp,sctp"` in jail replace 3 separate actions.
more robust when deleting multiple references to the set (rules in chain)
Diffstat (limited to 'config/action.d')
-rw-r--r-- | config/action.d/nftables.conf | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/config/action.d/nftables.conf b/config/action.d/nftables.conf
index 79efbde2..49e2e917 100644
--- a/config/action.d/nftables.conf
+++ b/config/action.d/nftables.conf
@@ -32,8 +32,9 @@ after = nftables-common.local
 # type = multiport
+rule_match-custom =
 rule_match-allports = meta l4proto \{ <protocol> \}
-rule_match-multiport = <protocol> dport \{ <port> \}
+rule_match-multiport = $proto dport \{ <port> \}
 match = <rule_match-<type>>
 # Option: rule_stat
@@ -43,6 +44,14 @@ match = <rule_match-<type>>
 #
 rule_stat = %(match)s <addr_family> saddr @<addr_set> <blocktype>
+# optional interator over protocol's:
+_nft_for_proto-custom-iter =
+_nft_for_proto-custom-done =
+_nft_for_proto-allports-iter =
+_nft_for_proto-allports-done =
+_nft_for_proto-multiport-iter = for proto in $(echo '<protocol>' | sed 's/,/ /g'); do
+_nft_for_proto-multiport-done = done
+
 # Option: actionstart
 # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values: CMD
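Review bot: The comment introducing the new `_nft_for_proto-*` options in the second hunk, `# optional interator over protocol's:`, has two typos and does not explain the coupling with the first hunk: the `$proto` placeholder in `rule_match-multiport` only has a value inside the `for proto in …` loop opened by `_nft_for_proto-multiport-iter`, so changing one without the other yields an `nft add rule` with an empty protocol. I would replace the comment with `# Optional shell loop wrapped around the rule insertion in actionstart: for type=multiport it iterates over the comma-separated <protocol> list and rule_match-multiport refers to the loop variable $proto; the other types leave both ends empty.` Stating explicitly that the empty `custom`/`allports` `-iter`/`-done` pairs are intentional would also stop a reader from treating them as unfinished.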
@@ -50,17 +59,19 @@ rule_stat = %(match)s <addr_family> saddr @<addr_set> <blocktype>
 actionstart = <nftables> add table <table_family> f2b-table
               <nftables> -- add chain <table_family> f2b-table f2b-chain \{ type <chain_type> hook <chain_hook> priority <chain_priority> \; \}
               <nftables> add set <table_family> f2b-table <addr_set> \{ type <addr_type>\; \}
+              <_nft_for_proto-<type>-iter>
               <nftables> add rule <table_family> f2b-table f2b-chain %(rule_stat)s
+              <_nft_for_proto-<type>-done>
 _nft_list = <nftables> -a list chain <table_family> f2b-table f2b-chain
-_nft_get_handle_id = grep -m1 '@<addr_set> ' | grep -oe ' handle [0-9]*'
+_nft_get_handle_id = grep -oP '@<addr_set> .* \Khandle (\d+)$'
 # Option: actionstop
 # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
 # Values: CMD
 #
-actionstop = HANDLE_ID=$(%(_nft_list)s | %(_nft_get_handle_id)s)
-             <nftables> delete rule <table_family> f2b-table f2b-chain $HANDLE_ID
+actionstop = $(%(_nft_list)s | %(_nft_get_handle_id)s) | while read -r hdl ; do
+              <nftables> delete rule <table_family> f2b-table f2b-chain $hdl; done
              <nftables> delete set <table_family> f2b-table <addr_set>
 # Option: actioncheck |
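Review bot: In the new `actionstop`, the pipeline `%(_nft_list)s | %(_nft_get_handle_id)s` is wrapped in `$(…)` at the head of the command, so the shell executes the substituted output (words such as `handle 5`) as a command instead of feeding it to the `while read -r hdl` loop; no rule is deleted and the following `delete set` then fails because the set is still referenced by the chain. Drop the substitution: `actionstop = %(_nft_list)s | %(_nft_get_handle_id)s | while read -r hdl ; do`. Separately, the rewritten `_nft_get_handle_id` depends on `grep -oP` and `\K`, i.e. a grep built with PCRE support, which the old `-oe` form did not; if that requirement is accepted, a comment such as `# requires grep with PCRE support (-P)` next to the definition would make it visible to packagers.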