[Fail2ban-users] nftables & protocol = all

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi,

I wasn't able to run with nftables and "protocol = all". Sorry in
advance if it has been discussed several time.
I basically want f2b ban on all port and all protocol.

iptables & ipset equivalent looks like this:
banaction = iptables-ipset-proto6-allports[actionstart_on_demand=false]
port = all
protocol = all

As you probably know, protocol = all don't feet with nftables.
The only way I find to make it work until now is :

action = %(banaction_allports)s[name=%(__name__)s-input-tcp,
protocol=tcp, chain="input", actname=%(banaction_allports)s-input-tcp]
         %(banaction_allports)s[name=%(__name__)s-input-udp,
protocol=udp, chain="input", actname=%(banaction_allports)s-input-udp]
         %(banaction_allports)s[name=%(__name__)s-input-icmp,
protocol=icmp, chain="input", actname=%(banaction_allports)s-input-icmp]

which is clearly not optimised since 3 rules are created each time.

Do you have any suggestion ?
Thanks in advance.

-- 
Arnaud