Added the unban function for fail2ban to work with nftables through a script

9f086668 · Nicolas Baudoin · bb4865be · 9f086668 · 9f086668 · 9f086668
Commit 9f086668 authored 1 year ago by Nicolas Baudoin
--- a/tasks/config_fail2ban.yml
+++ b/tasks/config_fail2ban.yml
 ---
+# The unban script will allow fail2ban to delete rules from nftables by finding their handles
+- name: Create an unban script for Fail2Ban to work with nftables
+  template:
+    src: nftables_unban.j2
+    dest: /usr/local/bin/nftables_unban
+    mode: '0755'
+
 # The date script will generate the correct path for the log
 - name: Create date script for Fail2Ban logpath
  template:

--- a/templates/nftables-allports.conf.j2
+++ b/templates/nftables-allports.conf.j2
@@ -8,7 +8,7 @@ actionstart =
 actionstop =
 actioncheck =
 actionban = /usr/sbin/nft insert rule inet filter input ip saddr <ip> drop
-actionunban = /usr/sbin/nft delete rule inet filter input ip saddr <ip>
+actionunban = /usr/local/bin/nftables_unban <ip>

 [Init]
 table = filter

--- a/templates/nftables_unban.j2
+++ b/templates/nftables_unban.j2
+#!/bin/bash
+
+IP_TO_UNBAN="$1"
+
+# Fetch the handle for the rule with the given IP
+HANDLE=$(/usr/sbin/nft -a list table inet filter | grep "ip saddr $IP_TO_UNBAN drop" | awk '{print $NF}')
+
+# If a handle was found, delete the rule
+if [ ! -z "$HANDLE" ]; then
+    /usr/sbin/nft delete rule inet filter input handle $HANDLE
+else
+    echo "No handle found for IP $IP_TO_UNBAN"
+fi
\ No newline at end of file