From: Lauri T. <la...@ha...> - 2021-03-11 15:11:34
nftables supports a family called 'table' for dual stack abstraction; use that instead of creating two separate tables. two sets are still needed since nftables can only store either v4 or v6 addresses in a single set, but having just one table is still a simplification. also fix a bug where reinitializing the backend would always append a new drop rule at the end of the chain. --- CHANGELOG.rst | 4 ++++ doc/sshguard-setup.7.rst | 7 +++---- src/fw/sshg-fw-nft-sets.sh | 35 +++++++++++------------------------ 3 files changed, 18 insertions(+), 28 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index a673b51..38f1894 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -16,6 +16,10 @@ Next - Recognize rejections from Postfix's postscreen daemon +**Changed** + +- Switch nftables backend to use a single ``inet`` family table + 2.4.1 ===== **Added** diff --git a/doc/sshguard-setup.7.rst b/doc/sshguard-setup.7.rst index f8306c4..761f309 100644 --- a/doc/sshguard-setup.7.rst +++ b/doc/sshguard-setup.7.rst @@ -193,13 +193,12 @@ automatically. You can inspect the contents of the sets using:: - # nft list set ip sshguard attackers - # nft list set ip6 sshguard attackers + # nft list set inet sshguard attackers4 + # nft list set inet sshguard attackers6 Moreover, you can display sshguard's tables with:: - # nft list table ip sshguard - # nft list table ip6 sshguard + # nft list table inet sshguard TROUBLESHOOTING diff --git a/src/fw/sshg-fw-nft-sets.sh b/src/fw/sshg-fw-nft-sets.sh index ea9e202..d2eec2d 100644 --- a/src/fw/sshg-fw-nft-sets.sh +++ b/src/fw/sshg-fw-nft-sets.sh 
@@ -8,40 +8,29 @@ NFT_TABLE=sshguard NFT_CHAIN=blacklist NFT_SET=attackers -proto() { - if [ "6" = "$1" ]; then - echo ip6 - else - echo ip - fi -} - run_nft() { - ${CMD_NFT} $1 $(proto $3) "${NFT_TABLE}" "$2" > /dev/null 2>&1 + ${CMD_NFT} $1 inet "${NFT_TABLE}" "$2" > /dev/null 2>&1 } fw_init() { - run_nft "add table" "" 4 - run_nft "add table" "" 6 + run_nft "add table" "" - run_nft "add chain" "${NFT_CHAIN}"' { type filter hook input priority -10 ; }' 4 - run_nft "add chain" "${NFT_CHAIN}"' { type filter hook input priority -10 ; }' 6 + run_nft "add set" "${NFT_SET}4 { type ipv4_addr; flags interval; }" + run_nft "add set" "${NFT_SET}6 { type ipv6_addr; flags interval; }" - # Create sets - run_nft "add set" "${NFT_SET} { type ipv4_addr; flags interval; }" 4 - run_nft "add set" "${NFT_SET} { type ipv6_addr; flags interval; }" 6 + run_nft "add chain" "${NFT_CHAIN}"' { type filter hook input priority -10 ; }' + run_nft "flush chain" "${NFT_CHAIN}" - # Rule to drop sets' IP - run_nft "add rule" "${NFT_CHAIN} ip saddr @${NFT_SET} drop" 4 - run_nft "add rule" "${NFT_CHAIN} ip6 saddr @${NFT_SET} drop" 6 + run_nft "add rule" "${NFT_CHAIN} ip saddr @${NFT_SET}4 drop" + run_nft "add rule" "${NFT_CHAIN} ip6 saddr @${NFT_SET}6 drop" } fw_block() { - run_nft "add element" "${NFT_SET} { $1/$3 }" $2 + run_nft "add element" "${NFT_SET}$2 { $1/$3 }" } fw_release() { - run_nft "delete element" "${NFT_SET} { $1/$3 }" $2 + run_nft "delete element" "${NFT_SET}$2 { $1/$3 }" } fw_flush() { @@ -50,7 +39,5 @@ fw_flush() { } fw_fin() { - # Remove tables - run_nft "delete table" "" 4 - run_nft "delete table" "" 6 + run_nft "delete table" "" } -- 2.30.1 -- Lauri Tirkkonen | lotheac @ IRCnet |
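Review bot: the CHANGELOG hunk records only the switch to a single ``inet`` table under **Changed**, while the commit message also describes a bug fix (reinitializing the backend appended a new drop rule to the chain every time); add a **Fixed** entry next to the new line so the release notes say that the duplicate-rule behaviour is gone.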
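Review bot: the sshguard-setup.7.rst hunk replaces the old ``ip``/``ip6`` commands but says nothing about upgrades: a host that ran the previous backend still has the ``ip sshguard`` and ``ip6 sshguard`` tables with their drop rules, and the new ``fw_fin`` no longer removes them since it only deletes the ``inet`` table. A short note in the same section telling upgraders to check for and delete the two old tables (the removed ``nft list table ip sshguard`` / ``ip6`` commands show whether they are still present) would avoid stale blocks lingering after the switch.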
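Review bot: in the fw_init hunk, ``flush chain`` followed by two separate ``add rule`` calls does fix the duplicate drop rule, but each is its own ``nft`` invocation, so between the flush and the re-add the ``blacklist`` chain is empty and every address in ``attackers4``/``attackers6`` is accepted; because ``run_nft`` discards stderr and the exit status, a failed ``add rule`` would leave the chain open with no diagnostic. Consider emitting the set, chain, flush and rule commands as one ``nft -f`` batch so they apply atomically, or at least checking the result of the ``add rule`` calls. In the same hunk, ``fw_block``/``fw_release`` now build the set name from ``$2`` directly, whereas the removed ``proto()`` mapped anything other than ``6`` to ``ip``; a caller passing anything but ``4`` or ``6`` now targets a non-existent set and the error is swallowed by the redirect, so a ``case "$2" in 4|6)`` guard would make that failure visible.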
From: Kevin Z. <kev...@gm...> - 2021-03-11 19:52:50
On 3/11/21 6:44 AM, Lauri Tirkkonen via sshguard-users wrote:
> nftables supports a family called 'table' for dual stack abstraction;
> use that instead of creating two separate tables. two sets are still
> needed since nftables can only store either v4 or v6 addresses in a
> single set, but having just one table is still a simplification.
>
> also fix a bug where reinitializing the backend would always append a
> new drop rule at the end of the chain.

Thank you for the patch. This patch seems reasonable.

Unfortunately, I don't have a machine on which I can test this patch.
Could another nft user give this patch a whirl and confirm that it works
in other environments?

Thanks,
Kevin
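For anyone trying the patch out, the ruleset the patched backend builds (one `inet` table, two sets, one chain, one drop rule per family), written as a single `nft -f` batch so the flush and the re-add of the drop rules apply atomically. This is an added example, not sshguard's code or the patch author's; it only prints the batch, so it runs without nftables or root.

```shell
#!/bin/sh
# Added example (not part of sshguard or of the patch): emit the nftables
# ruleset that the patched sshg-fw-nft-sets.sh creates, as one batch that
# can be fed to `nft -f -`. Names are the ones used in the patch.
NFT_TABLE=sshguard
NFT_CHAIN=blacklist
NFT_SET=attackers

# Whole ruleset as one transaction. nft applies an -f batch atomically, so
# there is no moment at which the chain exists without its drop rules
# (unlike a separate "flush chain" followed by two "add rule" invocations).
# The flush keeps a re-run from appending a second drop rule per family.
sshguard_nft_batch() {
    cat <<EOF
add table inet ${NFT_TABLE}
add set inet ${NFT_TABLE} ${NFT_SET}4 { type ipv4_addr; flags interval; }
add set inet ${NFT_TABLE} ${NFT_SET}6 { type ipv6_addr; flags interval; }
add chain inet ${NFT_TABLE} ${NFT_CHAIN} { type filter hook input priority -10 ; }
flush chain inet ${NFT_TABLE} ${NFT_CHAIN}
add rule inet ${NFT_TABLE} ${NFT_CHAIN} ip saddr @${NFT_SET}4 drop
add rule inet ${NFT_TABLE} ${NFT_CHAIN} ip6 saddr @${NFT_SET}6 drop
EOF
}

# Number of drop rules in the batch: exactly one per address family,
# however many times the backend is (re)initialised.
drop_rule_count() {
    sshguard_nft_batch | grep -c ' drop$'
}

# Map the address-family argument sshguard passes ("4" or "6") to the set
# name. Anything else is rejected loudly instead of silently addressing a
# set that does not exist.
set_for_family() {
    case "$1" in
        4|6) echo "${NFT_SET}$1" ;;
        *) echo "unknown address family: $1" >&2; return 1 ;;
    esac
}
```

To apply it on a real host: `sshguard_nft_batch | nft -f -` (needs root and nftables); `nft list table inet sshguard` then shows the result.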
From: Christopher E. <ce...@lc...> - 2021-03-15 07:15:02
Hi,

I'll try it out,

Christopher

On 11.03.21 20:52, Kevin Zheng wrote:
> On 3/11/21 6:44 AM, Lauri Tirkkonen via sshguard-users wrote:
>> nftables supports a family called 'table' for dual stack abstraction;
>> use that instead of creating two separate tables. two sets are still
>> needed since nftables can only store either v4 or v6 addresses in a
>> single set, but having just one table is still a simplification.
>>
>> also fix a bug where reinitializing the backend would always append a
>> new drop rule at the end of the chain.
>
> Thank you for the patch. This patch seems reasonable.
>
> Unfortunately, I don't have a machine on which I can test this patch.
> Could another nft user give this patch a whirl and confirm that it works
> in other environments?
>
> Thanks,
> Kevin
>
>
> _______________________________________________
> sshguard-users mailing list
> ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users