Package: fail2ban
Version: 0.10.2-2.1
Severity: normal
Dear Maintainer,

after switching from stretch to buster recently I also switched packet filtering from iptables to nftables, removing iptables completely. To utilize the flexibility of nftables I tried to configure fail2ban in such a way that it uses a separate, custom table and some chain inside this new table. Thus my /etc/fail2ban/jail.local contains:

    [DEFAULT]
    banaction = nftables-multiport
    banaction_allports = nftables-allports

and I put the following lines into /etc/fail2ban/nftables-common.local:

    [Init]
    nftables_family = inet
    nftables_table = fail2ban
    chain = banning

I understand that fail2ban currently does not itself create tables and chains, thus I added these lines to /etc/nftables.conf:

    table inet fail2ban {
        chain banning {
            type filter hook input priority 100; policy accept;
        }
    }

But this does not work. According to the logfile /var/log/fail2ban it seems my configuration of the new names is completely ignored. If I remove /etc/fail2ban/nftables-common.local and change the names inside /etc/nftables.conf to filter and input, everything seems to work fine.

It would be nice if configuring the table and chain for fail2ban were possible.

BTW: The renaming of port imap2 into imap does not work with nft, because nft does not use /etc/services but has its own internal names (with plain imap missing in this internal list).

-- Until the next mail..., Stefan.
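Since fail2ban 0.10 does not create the nftables table or chain itself, the first thing to verify when bans do not show up is that the table and chain the [Init] overrides point at really exist in /etc/nftables.conf and that the chain is a base chain on the input hook (a plain chain only sees traffic if another chain jumps to it). The script below is an added example for that check; it is not part of the report above nor of fail2ban. It assumes fail2ban's defaults are inet/filter/input (the names the reporter says work), and it uses constructed copies of the report's config fragments as input. The nftables.conf parser is deliberately minimal: it only understands table headers, chain headers and `type ... hook ... priority ...;` lines.

```python
"""Check that the nftables table/chain fail2ban is configured to use exist
in nftables.conf and are usable.  Added example, not fail2ban's own code."""
import configparser
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed defaults of fail2ban's nftables-common.conf (the names that the
# report says work once the .local override is removed).
DEFAULTS = {"nftables_family": "inet", "nftables_table": "filter", "chain": "input"}


@dataclass
class Chain:
    name: str
    type: Optional[str] = None   # "filter" for a filter base chain
    hook: Optional[str] = None   # "input" for a base chain on the input hook


@dataclass
class Table:
    family: str
    name: str
    chains: Dict[str, Chain] = field(default_factory=dict)


TABLE_RE = re.compile(r"^\s*table\s+(\w+)\s+(\w+)\s*\{")
CHAIN_RE = re.compile(r"^\s*chain\s+(\w+)\s*\{")
HOOK_RE = re.compile(r"\btype\s+(\w+)\s+hook\s+(\w+)\s+priority\s+[^;]+;")


def parse_nftables_conf(text: str) -> Dict[Tuple[str, str], Table]:
    """Minimal parser: table headers, chain headers and base-chain hook lines.
    Brace depth decides whether a 'chain' line belongs to the current table."""
    tables: Dict[Tuple[str, str], Table] = {}
    table: Optional[Table] = None
    chain: Optional[Chain] = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments (and the #! line)
        if not line.strip():
            continue
        m = TABLE_RE.match(line)
        if m and depth == 0:
            table = Table(m.group(1), m.group(2))
            tables[(table.family, table.name)] = table
        m = CHAIN_RE.match(line)
        if m and depth == 1 and table is not None:
            chain = Chain(m.group(1))
            table.chains[chain.name] = chain
        m = HOOK_RE.search(line)
        if m and chain is not None:
            chain.type, chain.hook = m.group(1), m.group(2)
        depth += line.count("{") - line.count("}")
        if depth <= 1:
            chain = None                     # left the chain block
        if depth == 0:
            table = None                     # left the table block
    return tables


def read_fail2ban_target(local_text: str) -> Tuple[str, str, str]:
    """Read the [Init] overrides of nftables-common.local, else DEFAULTS."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(local_text)

    def get(key: str) -> str:
        return cfg.get("Init", key, fallback=DEFAULTS[key])

    return get("nftables_family"), get("nftables_table"), get("chain")


def check_target(conf_text: str, family: str, table: str, chain: str) -> Tuple[bool, str]:
    """Does the chain fail2ban will insert rules into exist, and is it a
    filter base chain on the input hook?"""
    t = parse_nftables_conf(conf_text).get((family, table))
    if t is None:
        return False, f"table {family} {table} not defined; fail2ban will not create it"
    c = t.chains.get(chain)
    if c is None:
        return False, f"chain {chain} not defined in table {family} {table}"
    if (c.type, c.hook) != ("filter", "input"):
        return False, f"chain {chain} is not a 'type filter hook input' base chain"
    return True, f"{family} {table} {chain} is a filter base chain on the input hook"


# Constructed samples copied from the report above.
LOCAL = "[Init]\nnftables_family = inet\nnftables_table = fail2ban\nchain = banning\n"
CUSTOM_CONF = """#!/usr/sbin/nft -f
flush ruleset
table inet fail2ban {
    chain banning {
        type filter hook input priority 100; policy accept;
    }
}
"""
DEFAULT_CONF = CUSTOM_CONF.replace("fail2ban", "filter").replace("banning", "input")

if __name__ == "__main__":
    fam, tab, ch = read_fail2ban_target(LOCAL)
    for label, conf in (("custom", CUSTOM_CONF), ("default", DEFAULT_CONF)):
        ok, msg = check_target(conf, fam, tab, ch)
        print(f"{label:7s} {'OK ' if ok else 'BAD'} {msg}")
```

Run against the reporter's custom nftables.conf the check passes, and against the filter/input version it reports the missing table, so a failure here means nftables.conf and nftables-common.local disagree; if it passes and the bans still land elsewhere, the [Init] override is not being applied by fail2ban, which is the behaviour the report describes.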