Package: fail2ban
Version: 0.10.2-2.1
Severity: normal

Dear Maintainer,

after switching from stretch to buster recently I also switched
packet filtering from iptables to nftables, removing iptables
completely.

To utilize the flexibility of nftables I tried to configure fail2ban
in such a way that it uses a separate, custom table and some chain
inside this new table. Thus my /etc/fail2ban/jail.local contains:

    [DEFAULT]
    banaction = nftables-multiport
    banaction_allports = nftables-allports

and I put the following lines into
/etc/fail2ban/nftables-common.local:

    [Init]
    nftables_family = inet
    nftables_table = fail2ban
    chain = banning

I understand that fail2ban currently does not itself create tables and
chains, thus I added these lines to /etc/nftables.conf:

    table inet fail2ban {
        chain banning {
            type filter hook input priority 100; policy accept;
        }
    }

But this does not work. According to the logfile /var/log/fail2ban
it seems my configuration of the new names is completely ignored.
If I remove /etc/fail2ban/nftables-common.local and change the names
inside /etc/nftables.conf to filter and input, everything seems to
work fine.

It would be nice if configuring table and chain for fail2ban would
be possible.

BTW: The renaming of port imap2 into imap does not work with
nft, because nft does not use /etc/services but has its own internal
names (with plain imap missing in this internal list).

-- 
Until the next mail...,
Stefan.
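The report hinges on the names in nftables-common.local matching a table and chain that actually exist in /etc/nftables.conf. The following consistency check is an added example, not part of the report or of fail2ban itself; it parses constructed copies of both files and tells you whether the configured family/table/chain is present before fail2ban ever tries to use it.

```python
import configparser
import re

# Constructed sample of /etc/fail2ban/nftables-common.local, mirroring the report.
FAIL2BAN_LOCAL = """
[Init]
nftables_family = inet
nftables_table = fail2ban
chain = banning
"""

# Constructed sample of /etc/nftables.conf: the report's custom table next to a default one.
NFTABLES_CONF = """
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }
}
table inet fail2ban {
    chain banning {
        type filter hook input priority 100; policy accept;
    }
}
"""

def read_fail2ban_target(text):
    """Return (family, table, chain) from the [Init] section of an nftables-common config."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    init = cp["Init"]
    return init["nftables_family"], init["nftables_table"], init["chain"]

def parse_nft_tables(text):
    """Map (family, table) -> set of chain names by tracking brace depth in nft syntax."""
    tables, current, depth = {}, None, 0
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and the shebang
        m = re.match(r"table\s+(\w+)\s+(\w+)\s*\{", line)
        if m and depth == 0:                           # top-level table declaration
            current = (m.group(1), m.group(2))
            tables.setdefault(current, set())
        m = re.match(r"chain\s+(\w+)\s*\{", line)
        if m and depth == 1 and current:               # chain directly inside that table
            tables[current].add(m.group(1))
        depth += line.count("{") - line.count("}")
    return tables

def check_target_exists(fail2ban_text, nft_text):
    """True if the chain fail2ban is configured to use exists in the nft ruleset text."""
    family, table, chain = read_fail2ban_target(fail2ban_text)
    return chain in parse_nft_tables(nft_text).get((family, table), set())
```

A mismatch here (for example a missing `table inet fail2ban` block) is worth ruling out before suspecting fail2ban's handling of the .local file.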
