lelutin / puppet-fail2ban

Manage fail2ban and its jails with puppet
GNU General Public License v3.0
8 stars, 30 forks

Add configuration options to support nftables-* actions. #40

Closed lelutin closed 5 years ago

lelutin commented 5 years ago

Starting with Debian Buster, nftables is used by default. iptables commands are still present but are merely wrappers around nftables.

It would be nicer to start using nftables directly to ban IPs instead of the iptables wrappers.

lelutin commented 5 years ago

I found out that this much configuration is needed to interface with nftables:

https://wiki.meurisse.org/wiki/Fail2Ban#nftables

So... one needs to define a table for nftables. I don't know if I was doing things wrong at first, but nftables was trying to add things to the "filter" table and nft was saying "file not found".

lelutin commented 5 years ago

Since one needs to define a new nft table for this to work, I don't think that we can use this by default within this module. It might be interesting to have some way to define nftables_family and nftables_table so that users can set up nft by themselves. I'll change the title of this issue so that the focus becomes adding configuration for those two nft settings for fail2ban.

lelutin commented 5 years ago

Huh! Supporting nft is actually easier than I thought it would be. I've added documentation for how to configure nftables support with the module in the README file in 34e866a.

Thinking more about it, the upstream default and the Debian package default is still to use the iptables rules, so I think it wouldn't be too wise to diverge from that. Now at least we have a bit of documentation for how to switch to nftables-* actions.
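As an added illustration of the switch discussed in this thread (not part of the issue or of the puppet-fail2ban module's own documentation), here is the shape a fail2ban `jail.local` override takes when the iptables-based default is replaced by the `nftables-*` actions. The settings `nftables_family` and `nftables_table` are the two named in the issue; the values `inet` and `f2b-table` are assumed to be fail2ban's shipped defaults for the nftables actions, and the `sshd` jail and `maxretry`/`bantime` values are constructed sample values.

```ini
# jail.local (added example, not from the module) -- override only what
# differs from the packaged jail.conf, so package upgrades stay clean.
[DEFAULT]
# Switch every jail from the iptables-multiport default to the
# nftables equivalent. The nftables-* actions manage their own table
# and sets, so the "filter" table seen in the issue is never touched.
banaction = nftables-multiport
banaction_allports = nftables-allports

# Family and table used by the nftables-* actions. These are assumed to
# be the shipped defaults; set them explicitly if your host keeps its
# own nft rules in a different family/table and you want fail2ban's
# sets to live alongside them rather than in a separate table.
nftables_family = inet
nftables_table = f2b-table

# Constructed sample jail: the point is that nothing jail-specific
# changes when the ban backend changes.
[sshd]
enabled = true
maxretry = 5
bantime = 1h
```

After restarting fail2ban, `nft list ruleset` should show a table of the configured family and name whose sets are populated as bans happen, while the legacy `iptables -L` view stays empty; an empty nft table together with bans reported by `fail2ban-client status sshd` is the quickest sign that the jail is still using an iptables action.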