fallback to iptables-legacy if host doesn't support nft #167

Merged
merged 1 commit into from
May 9, 2024
8 changes: 8 additions & 0 deletions .github/workflows/test.yml
Expand Up @@ -20,6 +20,13 @@ env:
jobs:
test:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
iptables:
- auto
- nft
- legacy
steps:
-
name: Checkout
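Review bot: the `auto` entry of the matrix only exercises the fallback branch if `iptables -L` fails inside the container on the runner; on `ubuntu-latest`, where iptables-nft is expected to work, `auto` and `nft` will run the identical code path, so the legacy fallback of `auto` mode is covered only indirectly through the `legacy` entry. Consider having the test step check which binary `iptables -V` reports for each matrix value, so a regression in the detection logic fails the job instead of passing silently.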
Expand All @@ -45,6 +52,7 @@ jobs:
env:
FAIL2BAN_IMAGE: ${{ env.BUILD_TAG }}
FAIL2BAN_CONTAINER: ${{ env.CONTAINER_NAME }}
IPTABLES_MODE: ${{ matrix.iptables }}
-
name: Check container logs
uses: crazy-max/.github/.github/actions/container-logs-check@main
Expand Down
34 changes: 1 addition & 33 deletions README.md
Expand Up @@ -32,7 +32,6 @@ ___
* [`DOCKER-USER` chain](#docker-user-chain)
* [`DOCKER-USER` and `INPUT` chains](#docker-user-and-input-chains)
* [Jails examples](#jails-examples)
* [Use iptables tooling without nftables backend](#use-iptables-tooling-without-nftables-backend)
* [Use fail2ban-client](#use-fail2ban-client)
* [Global jail configuration](#global-jail-configuration)
* [Custom jails, actions and filters](#custom-jails-actions-and-filters)
Expand Down Expand Up @@ -81,6 +80,7 @@ Image: crazymax/fail2ban:latest
* `F2B_LOG_TARGET`: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT (default `STDOUT`)
* `F2B_LOG_LEVEL`: Log level output (default `INFO`)
* `F2B_DB_PURGE_AGE`: Age at which bans should be purged from the database (default `1d`)
* `IPTABLES_MODE`: Choose between iptables `nft` or `legacy` mode. (default `auto`)
* `SSMTP_HOST`: SMTP server host
* `SSMTP_PORT`: SMTP server port (default `25`)
* `SSMTP_HOSTNAME`: Full hostname (default `$(hostname -f)`)
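Review bot: the `IPTABLES_MODE` entry does not say what the default `auto` does, which is the behaviour most users will get; state that `auto` tries the nft backend first and falls back to `iptables-legacy` when `iptables -L` fails, and that `legacy` forces the legacy binaries. The stray period before the parenthesis also differs from the neighbouring entries, e.g. ``* `IPTABLES_MODE`: iptables backend to use, `auto`, `nft` or `legacy` (default `auto`)``.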
Expand Down Expand Up @@ -173,38 +173,6 @@ And others using the `INPUT` chain:
* [proxmox](examples/jails/proxmox)
* [sshd](examples/jails/sshd)

### Use iptables tooling without nftables backend

As you may know, [nftables](https://wiki.nftables.org) is available as a modern
replacement for the kernel's iptables subsystem on Linux.

This image still uses `iptables` to preserve backwards compatibility but [an issue is opened](https://github.com/crazy-max/docker-fail2ban/issues/29)
about its implementation.

If your system's `iptables` tooling uses the nftables backend, this will throw
the error `stderr: 'iptables: No chain/target/match by that name.'`. You need
to switch the `iptables` tooling to 'legacy' mode to avoid these problems. This
is the case on at least Debian 10 (Buster), Ubuntu 19.04, Fedora 29 and newer
releases of these distributions by default. RHEL 8 does not support switching
to legacy mode, and is therefore currently incompatible with this image.

On Ubuntu or Debian:

```console
$ update-alternatives --set iptables /usr/sbin/iptables-legacy
$ update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
$ update-alternatives --set arptables /usr/sbin/arptables-legacy
$ update-alternatives --set ebtables /usr/sbin/ebtables-legacy
```

On Fedora:

```console
$ update-alternatives --set iptables /usr/sbin/iptables-legacy
```

Then reboot to apply changes.

### Use fail2ban-client

[Fail2ban commands](http://www.fail2ban.org/wiki/index.php/Commands) can be used
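Review bot: removing this section also drops the only documented symptom of a backend mismatch, the `iptables: No chain/target/match by that name.` error, and the note that RHEL 8 cannot be switched to legacy mode. Since `auto` detection only covers the case where `iptables -L` fails outright, a user who still sees that error has no pointer left in the README; consider keeping a short troubleshooting paragraph that names the error and tells them to set `IPTABLES_MODE=legacy` (or `nft`) explicitly.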
Expand Down
21 changes: 21 additions & 0 deletions entrypoint.sh
Expand Up @@ -5,6 +5,7 @@ TZ=${TZ:-UTC}
F2B_LOG_TARGET=${F2B_LOG_TARGET:-STDOUT}
F2B_LOG_LEVEL=${F2B_LOG_LEVEL:-INFO}
F2B_DB_PURGE_AGE=${F2B_DB_PURGE_AGE:-1d}
IPTABLES_MODE=${IPTABLES_MODE:-auto}

SSMTP_PORT=${SSMTP_PORT:-25}
SSMTP_HOSTNAME=${SSMTP_HOSTNAME:-$(hostname -f)}
Expand Down Expand Up @@ -101,4 +102,24 @@ for filter in ${filters}; do
ln -sf "/data/filter.d/${filter}" "/etc/fail2ban/filter.d/"
done

iptablesLegacy=0
if [ "$IPTABLES_MODE" = "auto" ] && ! iptables -L &> /dev/null; then
echo "WARNING: iptables-nft is not supported by the host, falling back to iptables-legacy"
iptablesLegacy=1
elif [ "$IPTABLES_MODE" = "legacy" ]; then
echo "WARNING: iptables-legacy enforced"
iptablesLegacy=1
fi
if [ "$iptablesLegacy" -eq 1 ]; then
ln -sf /sbin/xtables-legacy-multi /sbin/iptables
ln -sf /sbin/xtables-legacy-multi /sbin/iptables-save
ln -sf /sbin/xtables-legacy-multi /sbin/iptables-restore
ln -sf /sbin/xtables-legacy-multi /sbin/ip6tables
ln -sf /sbin/xtables-legacy-multi /sbin/ip6tables-save
ln -sf /sbin/xtables-legacy-multi /sbin/ip6tables-restore
fi

iptables -V
nft -v

exec "$@"
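Review bot: `IPTABLES_MODE=nft`, which the README and the CI matrix both advertise, is never matched, and neither is a typo such as `legacyy`; both fall through the two branches and silently run with whatever binary is currently linked. Add an explicit `nft` branch and reject unknown values, e.g. `else echo "ERROR: unknown IPTABLES_MODE '$IPTABLES_MODE'" >&2; exit 1`. Two further points on the same block: the `auto` probe treats any failure of `iptables -L` as "host does not support nft", so a missing `NET_ADMIN` capability would be misreported as a backend problem and then masked by the fallback; re-running `iptables -L` after the `ln -sf` lines and exiting non-zero if it still fails would keep the real error visible. And `&> /dev/null` is a bash extension, so if the script is ever run under `/bin/sh` use `> /dev/null 2>&1` instead.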
2 changes: 2 additions & 0 deletions test/compose.yml
Expand Up @@ -13,4 +13,6 @@ services:
- "/var/log:/var/log:ro"
env_file:
- "./fail2ban.env"
environment:
- "IPTABLES_MODE=${IPTABLES_MODE:-auto}"
restart: always