Closed Fregf closed 1 week ago
Did you reload/restart Foomuuri after adding the fail2ban list to the config? The above error means that there is no such list in the currently active ruleset.
It looks like it first tries to add the already existing element before deleting it?
Yes, nft needs funny things sometimes. It's a workaround to delete a non-existing entry without an error.
As foomuuri list iplist fail2ban works, it should exist, no?
I can add an element without problem, but removing it fails:
# foomuuri iplist add fail2ban 231.231.231.231
# foomuuri iplist del fail2ban 231.231.231.231
Error: Could not process rule: No such file or directory
add element inet foomuuri fail2ban_4 { 231.231.231.231 }; delete element inet foomuuri fail2ban_4 { 231.231.231.231 };
^^^^^^^^^^^^^^^
I can remove it by manually running the nft delete command.
This is Debian 12 with nftables 1.0.6-2+deb12u2
Please give me the output of: nft list set inet foomuuri fail2ban_4
Ok, I can duplicate the problem and I'll debug it tomorrow. No need to send above output.
Unrelated warning:
> This is Debian 12 with nftables 1.0.6-2+deb12u2
While debugging this problem I found the changelog for nftables 1.0.7 containing "auto-merge support for partial set element deletion."
https://marc.info/?l=netfilter&m=167873533514569
This is another problem that you might see:
add 10.1.1.1
add 10.1.1.2  => generates range 10.1.1.1-10.1.1.2
del 10.1.1.1  => fails in nftables 1.0.6, success in 1.0.7
This should be fixed in git head now. This was related to auto-merge option, which is required in iplists.
Please note the above warning about nftables 1.0.6. It's probably not a fatal problem if used with fail2ban.
The fail2ban iplist is defined like this:
When I try to remove an IP it fails:
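To make the two nft behaviours discussed in this thread reproducible, here is an added example (not Foomuuri's or nftables' own code): it builds the same add-then-delete batch that Foomuuri uses as an idempotent delete, creates an auto-merge interval set the way iplists require, shows the adjacent-address merge that makes a partial delete fail on nftables 1.0.6, and gates on the nft version so a caller can tell whether partial deletion is supported. Assumptions: nft is on PATH and the repro functions run as root; "repro_foomuuri" and "iplist_4" are throwaway names, not anything Foomuuri creates; and nft --version is assumed to print a line of the form "nftables v1.0.6 (...)".

```shell
#!/bin/sh
# Added example, not Foomuuri's own code: reproduce the two nft behaviours
# from this thread on a throwaway table and gate the workaround on the
# nftables version. Assumes nft on PATH and root for the repro functions;
# "repro_foomuuri"/"iplist_4" are hypothetical names, not ones Foomuuri creates.
set -u

TABLE=repro_foomuuri
SET=iplist_4

# Return 0 if dotted version $1 >= $2 (e.g. version_ge 1.0.7 1.0.6).
version_ge() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1=${v1%%.*}; p2=${v2%%.*}
        if [ "$v1" = "$p1" ]; then v1=; else v1=${v1#*.}; fi
        if [ "$v2" = "$p2" ]; then v2=; else v2=${v2#*.}; fi
        if [ "${p1:-0}" -gt "${p2:-0}" ]; then return 0; fi
        if [ "${p1:-0}" -lt "${p2:-0}" ]; then return 1; fi
    done
    return 0
}

# Extract "1.0.6" from a line like "nftables v1.0.6 (Lester Gooch #5)"
# (assumed output format of `nft --version`).
parse_nft_version() {
    printf '%s\n' "$1" | sed -n 's/^nftables v\([0-9][0-9.]*\).*$/\1/p'
}

# True if the running nft supports partial deletion from auto-merged
# elements, which the 1.0.7 changelog quoted in the thread introduced.
nft_has_partial_delete() {
    version_ge "$(parse_nft_version "$(nft --version)")" 1.0.7
}

# Build the batch Foomuuri uses to delete an element that may not exist:
# add it first, then delete it, in one transaction, so "delete" never
# sees a missing element. Pipe the output into `nft -f -`.
idempotent_delete_batch() {
    ip=$1
    printf 'add element inet %s %s { %s }\ndelete element inet %s %s { %s }\n' \
        "$TABLE" "$SET" "$ip" "$TABLE" "$SET" "$ip"
}

# Create an auto-merge interval set, as iplists require.
setup_set() {
    nft -f - <<EOF
add table inet $TABLE
add set inet $TABLE $SET { type ipv4_addr; flags interval; auto-merge; }
EOF
}

# Reproduce the thread's second problem: two adjacent addresses are
# merged into one range, and deleting one of them fails on nft 1.0.6.
repro_partial_delete() {
    nft add element inet "$TABLE" "$SET" '{ 10.1.1.1 }'
    nft add element inet "$TABLE" "$SET" '{ 10.1.1.2 }'
    nft list set inet "$TABLE" "$SET"        # shows 10.1.1.1-10.1.1.2
    if nft delete element inet "$TABLE" "$SET" '{ 10.1.1.1 }'; then
        echo "partial delete OK (expected on nftables >= 1.0.7)"
    else
        echo "partial delete failed (expected on nftables 1.0.6)"
    fi
}

cleanup() { nft delete table inet "$TABLE"; }

# Usage (as root):
#   setup_set; repro_partial_delete; cleanup
#   idempotent_delete_batch 231.231.231.231 | nft -f -
```

The add-then-delete batch is the same trick the maintainer describes above; on 1.0.6 it can still fail once the address has been folded into a merged range, which is what nft_has_partial_delete lets a caller detect before relying on single-address deletes from an auto-merge set.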