Hi, I wasn't able to run with nftables and "protocol = all". Sorry in advance if it has been discussed several times. I basically want f2b to ban on all ports and all protocols.
The iptables & ipset equivalent looks like this:

    banaction = iptables-ipset-proto6-allports[actionstart_on_demand=false]
    port = all
    protocol = all

As you probably know, protocol = all doesn't fit with nftables. The only way I have found to make it work until now is:

    action = %(banaction_allports)s[name=%(__name__)s-input-tcp, protocol=tcp, chain="input", actname=%(banaction_allports)s-input-tcp]
             %(banaction_allports)s[name=%(__name__)s-input-udp, protocol=udp, chain="input", actname=%(banaction_allports)s-input-udp]
             %(banaction_allports)s[name=%(__name__)s-input-icmp, protocol=icmp, chain="input", actname=%(banaction_allports)s-input-icmp]

which is clearly not optimised since 3 rules are created each time.

Do you have any suggestions?

Thanks in advance.

--
Arnaud
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
