Re: fail2ban with nftables

[JPlews <jw@plews.org.uk>]

On 29/06/17 00:13, Denis Polom wrote:
> On Debian 9 with latest updates, fail2ban not creating rules when used 
> with nftables:
>
> 2017-06-29 01:06:14,217 fail2ban.action         [2593]: ERROR   nft add 
> set inet filter f2b-sshd \{ type ipv4_addr\; \}
> nft insert rule inet filter INPUT tcp dport \{ ssh \} ip saddr @f2b-sshd 
> reject -- stdout: b''
> 2017-06-29 01:06:14,218 fail2ban.action         [2593]: ERROR   nft add 
> set inet filter f2b-sshd \{ type ipv4_addr\; \}
> nft insert rule inet filter INPUT tcp dport \{ ssh \} ip saddr @f2b-sshd 
> reject -- stderr: b'<cmdline>:1:1-74: Error: Could not process rule: No 
> such file or directory\ninsert rule inet filter INPUT tcp dport { ssh } 
> ip saddr @f2b-sshd 
> reject\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n'
> 2017-06-29 01:06:14,218 fail2ban.action         [2593]: ERROR   nft add 
> set inet filter f2b-sshd \{ type ipv4_addr\; \}
> nft insert rule inet filter INPUT tcp dport \{ ssh \} ip saddr @f2b-sshd 
> reject -- returned 1
> 2017-06-29 01:06:14,218 fail2ban.actions        [2593]: ERROR   Failed 
> to start jail 'sshd' action 'nftables-multiport': Error starting action
>
> Let me know what more info you need.
>
> Any idea?


The 0.8 fail2ban package doesn't seem to have nftables config files, but 
0.9 does so maybe you have custom stuff that's causing problems, 
although with Shorewall and long ago it looks like the same kind of thing.

If your ban action isn't nftables-allports or nftables-multiport 
hopefully just changing to use those new packaged files would work.

Regards

JP