Override nftables blocktype in jail.local? #3698

jhgarrison · 2024-03-20T18:59:58Z

jhgarrison
Mar 20, 2024

Is it possible to override an nftables.conf [Init] parameter (blocktype=) in jail.local, or do I need to create action.d/nftables.local?

If so, what is the correct syntax?

sebres · 2024-03-20T19:48:34Z

sebres
Mar 20, 2024
Maintainer

Yes, all parameters can be supplied from jail.local.
See for instance how it is made with another parameters (like port or protocol):

fail2ban/config/jail.conf

Line 212 in 0c125ec

    
           action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

And you can do it for action or banaction (used in action or action_ internally)... for instance:

[DEFAULT]
banaction = nftables[mode=multiport, blocktype="counter reject"]
banaction_allports = nftables[mode=allports, blocktype="counter reject"]

[some-jail]
action_ = %(known/action_)[blocktype="<known/blocktype> with whatever"]

[other-jail]
# single action (overwrite default):
action = %(known/action_)[blocktype="<known/blocktype> with whatever"]
# or single action (all parameters here):
action = nftables[mode=allports, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s", blocktype="reject with whatever"]

However if you'd need it rather conditionally, e. g. depending on IP-family (like below), you'd need to do it in the local action:

[Init]
blocktype = reject with icmp type host-unreachable

[Init?family=inet6]
blocktype = reject with icmpv6 type no-route

You can also use fail2ban-client -d | grep "$jail" to check whether they are really overwritten.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Override nftables blocktype in jail.local? #3698

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Override nftables blocktype in jail.local? #3698

jhgarrison Mar 20, 2024

Replies: 1 comment

sebres Mar 20, 2024 Maintainer

jhgarrison
Mar 20, 2024

sebres
Mar 20, 2024
Maintainer