Closed lelutin closed 5 years ago
I found out that this much configuration is needed to interface with nftables:
https://wiki.meurisse.org/wiki/Fail2Ban#nftables
So... one needs to define a table for nftables. I don't know if I was doing things wrong at first, but nftables was trying to add things to the "filter" table and nft was saying "file not found".
Since one needs to define a new nft table for this to work, I don't think that we can use this by default within this module. It might be interesting to have some way to define nftables_family and nftables_table so that users can set up nft by themselves. I'll change the title of this issue so that the focus becomes adding configuration for those two nft configs for fail2ban.
Huh! Supporting nft is actually easier than I thought it would be. I've added documentation for how to configure nftables support with the module in the README file in 34e866a.
Thinking more about it, the upstream default and the Debian package default is still to use the iptables rules, so I think it wouldn't be too wise to diverge from that. Now at least we have a bit of documentation for how to switch to nftables-* actions.
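As an added illustration of the two pieces that have to agree when switching to the nftables-* actions (this is example code, not code from the module or from this thread): a shell snippet that writes an nftables ruleset declaring the table, a fail2ban override setting nftables_family and nftables_table to the same values, and a check that the two match. It assumes family inet and table name f2b (any pair works as long as both sides agree), that the installed fail2ban's nftables-common action honours an nftables-common.local override, and the action names nftables-multiport and nftables-allports; files are written under $ROOT so it runs unprivileged.

```shell
#!/bin/sh
# Added example, not the module's code. Writes the two files that must agree
# for fail2ban to ban through nftables and checks that they do.
# Assumptions: family "inet" and table "f2b" (any pair works if both sides
# match), fail2ban's nftables-common action honouring an nftables-common.local
# override, and the nftables-multiport/nftables-allports action names.
ROOT="${ROOT:-$(mktemp -d)}"   # write under a scratch root, not /etc
NFT_FAMILY="inet"
NFT_TABLE="f2b"

# The table has to exist before fail2ban's action start commands run; the
# "file not found" from nft is what a missing table looks like.
write_nftables_conf() {
  mkdir -p "$ROOT/etc"
  cat > "$ROOT/etc/nftables.conf" <<EOF
#!/usr/sbin/nft -f
flush ruleset
table $NFT_FAMILY $NFT_TABLE {
  chain input {
    type filter hook input priority 0; policy accept;
  }
}
EOF
}

# Point fail2ban at that table and switch the default ban actions to nftables.
write_fail2ban_conf() {
  mkdir -p "$ROOT/etc/fail2ban/action.d"
  cat > "$ROOT/etc/fail2ban/action.d/nftables-common.local" <<EOF
[Init]
nftables_family = $NFT_FAMILY
nftables_table = $NFT_TABLE
EOF
  cat > "$ROOT/etc/fail2ban/jail.local" <<EOF
[DEFAULT]
banaction = nftables-multiport
banaction_allports = nftables-allports
# nft chain names are case-sensitive; jail.conf's iptables-style default is INPUT
chain = input
EOF
}

# Succeeds only when the family/table fail2ban will use is declared in the ruleset.
check_table_matches() {
  ovr="$ROOT/etc/fail2ban/action.d/nftables-common.local"
  fam=$(sed -n 's/^nftables_family *= *//p' "$ovr")
  tbl=$(sed -n 's/^nftables_table *= *//p' "$ovr")
  grep -q "^table $fam $tbl {" "$ROOT/etc/nftables.conf"
}
```

Run `write_nftables_conf; write_fail2ban_conf; check_table_matches` with ROOT unset to generate the files in a scratch directory, then copy them into place and load the ruleset before starting fail2ban.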
Starting with Debian buster, nftables is used by default. iptables commands are still present but are merely wrappers around nftables.
It would be nicer to start using nftables directly to ban IPs instead of the iptables wrappers.