From 30e7e28e76a31e4250046a26bd55af6e3e56eb39 Mon Sep 17 00:00:00 2001
From: k0ka <koka@idwrx.com>
Date: Sat, 2 Jan 2021 21:55:24 +0100
Subject: [PATCH] new parameter `table` for firewallcmd-*

---
 config/action.d/firewallcmd-allports.conf  | 18 +++++++++---------
 config/action.d/firewallcmd-common.conf    |  6 ++++++
 config/action.d/firewallcmd-ipset.conf     |  4 ++--
 config/action.d/firewallcmd-multiport.conf | 18 +++++++++---------
 config/action.d/firewallcmd-new.conf       | 18 +++++++++---------
 5 files changed, 35 insertions(+), 29 deletions(-)

diff --git a/config/action.d/firewallcmd-allports.conf b/config/action.d/firewallcmd-allports.conf
index de0e7f91..00570c85 100644
--- a/config/action.d/firewallcmd-allports.conf
+++ b/config/action.d/firewallcmd-allports.conf
@@ -10,22 +10,22 @@ before = firewallcmd-common.conf
 
 [Definition]
 
-actionstart = firewall-cmd --direct --add-chain <family> filter f2b-<name>
-              firewall-cmd --direct --add-rule <family> filter f2b-<name> 1000 -j RETURN
-              firewall-cmd --direct --add-rule <family> filter <chain> 0 -j f2b-<name>
+actionstart = firewall-cmd --direct --add-chain <family> <table> f2b-<name>
+              firewall-cmd --direct --add-rule <family> <table> f2b-<name> 1000 -j RETURN
+              firewall-cmd --direct --add-rule <family> <table> <chain> 0 -j f2b-<name>
 
-actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -j f2b-<name>
-             firewall-cmd --direct --remove-rules <family> filter f2b-<name>
-             firewall-cmd --direct --remove-chain <family> filter f2b-<name>
+actionstop = firewall-cmd --direct --remove-rule <family> <table> <chain> 0 -j f2b-<name>
+             firewall-cmd --direct --remove-rules <family> <table> f2b-<name>
+             firewall-cmd --direct --remove-chain <family> <table> f2b-<name>
 
 
 # Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-recidive$'
 
-actioncheck = firewall-cmd --direct --get-chains <family> filter | sed -e 's, ,\n,g' | grep -q '^f2b-<name>$'
+actioncheck = firewall-cmd --direct --get-chains <family> <table> | sed -e 's, ,\n,g' | grep -q '^f2b-<name>$'
 
-actionban = firewall-cmd --direct --add-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
+actionban = firewall-cmd --direct --add-rule <family> <table> f2b-<name> 0 -s <ip> -j <blocktype>
 
-actionunban = firewall-cmd --direct --remove-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
+actionunban = firewall-cmd --direct --remove-rule <family> <table> f2b-<name> 0 -s <ip> -j <blocktype>
 
 # DEV NOTES:
 #
diff --git a/config/action.d/firewallcmd-common.conf b/config/action.d/firewallcmd-common.conf
index 4abe5318..4cf76c6f 100644
--- a/config/action.d/firewallcmd-common.conf
+++ b/config/action.d/firewallcmd-common.conf
@@ -25,6 +25,12 @@ protocol = tcp
 # Values:  STRING  
 family = ipv4
 
+# Option:  table
+# Notes    specifies the firewalld table to which the Fail2Ban rules should be
+#          added
+# Values:  [filter | nat | mangle | raw]  Default: filter
+table = filter
+
 # Option:  chain
 # Notes    specifies the firewalld chain to which the Fail2Ban rules should be
 #          added
diff --git a/config/action.d/firewallcmd-ipset.conf b/config/action.d/firewallcmd-ipset.conf
index c89a0243..75e79704 100644
--- a/config/action.d/firewallcmd-ipset.conf
+++ b/config/action.d/firewallcmd-ipset.conf
@@ -19,11 +19,11 @@ before = firewallcmd-common.conf
 [Definition]
 
 actionstart = ipset create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
-              firewall-cmd --direct --add-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
+              firewall-cmd --direct --add-rule <family> <table> <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
 
 actionflush = ipset flush <ipmset>
 
-actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
+actionstop = firewall-cmd --direct --remove-rule <family> <table> <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
              <actionflush>
              ipset destroy <ipmset>
 
diff --git a/config/action.d/firewallcmd-multiport.conf b/config/action.d/firewallcmd-multiport.conf
index 0c401f1b..6dc22614 100644
--- a/config/action.d/firewallcmd-multiport.conf
+++ b/config/action.d/firewallcmd-multiport.conf
@@ -9,18 +9,18 @@ before = firewallcmd-common.conf
 
 [Definition]
 
-actionstart = firewall-cmd --direct --add-chain <family> filter f2b-<name>
-              firewall-cmd --direct --add-rule <family> filter f2b-<name> 1000 -j RETURN
-              firewall-cmd --direct --add-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
+actionstart = firewall-cmd --direct --add-chain <family> <table> f2b-<name>
+              firewall-cmd --direct --add-rule <family> <table> f2b-<name> 1000 -j RETURN
+              firewall-cmd --direct --add-rule <family> <table> <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
 
-actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
-             firewall-cmd --direct --remove-rules <family> filter f2b-<name>
-             firewall-cmd --direct --remove-chain <family> filter f2b-<name>
+actionstop = firewall-cmd --direct --remove-rule <family> <table> <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
+             firewall-cmd --direct --remove-rules <family> <table> f2b-<name>
+             firewall-cmd --direct --remove-chain <family> <table> f2b-<name>
 
 # Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-apache-modsecurity$'
 
-actioncheck = firewall-cmd --direct --get-chains <family> filter | sed -e 's, ,\n,g' | grep -q '^f2b-<name>$'
+actioncheck = firewall-cmd --direct --get-chains <family> <table> | sed -e 's, ,\n,g' | grep -q '^f2b-<name>$'
 
-actionban = firewall-cmd --direct --add-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
+actionban = firewall-cmd --direct --add-rule <family> <table> f2b-<name> 0 -s <ip> -j <blocktype>
 
-actionunban = firewall-cmd --direct --remove-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
+actionunban = firewall-cmd --direct --remove-rule <family> <table> f2b-<name> 0 -s <ip> -j <blocktype>
diff --git a/config/action.d/firewallcmd-new.conf b/config/action.d/firewallcmd-new.conf
index 7b08603c..260d2f10 100644
--- a/config/action.d/firewallcmd-new.conf
+++ b/config/action.d/firewallcmd-new.conf
@@ -8,19 +8,19 @@ before = firewallcmd-common.conf
 
 [Definition]
 
-actionstart = firewall-cmd --direct --add-chain <family> filter f2b-<name>
-              firewall-cmd --direct --add-rule <family> filter f2b-<name> 1000 -j RETURN
-              firewall-cmd --direct --add-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
+actionstart = firewall-cmd --direct --add-chain <family> <table> f2b-<name>
+              firewall-cmd --direct --add-rule <family> <table> f2b-<name> 1000 -j RETURN
+              firewall-cmd --direct --add-rule <family> <table> <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
 
-actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
-             firewall-cmd --direct --remove-rules <family> filter f2b-<name>
-             firewall-cmd --direct --remove-chain <family> filter f2b-<name>
+actionstop = firewall-cmd --direct --remove-rule <family> <table> <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
+             firewall-cmd --direct --remove-rules <family> <table> f2b-<name>
+             firewall-cmd --direct --remove-chain <family> <table> f2b-<name>
 
-actioncheck = firewall-cmd --direct --get-chains <family> filter | sed -e 's, ,\n,g' | grep -q 'f2b-<name>$'
+actioncheck = firewall-cmd --direct --get-chains <family> <table> | sed -e 's, ,\n,g' | grep -q 'f2b-<name>$'
 
-actionban = firewall-cmd --direct --add-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
+actionban = firewall-cmd --direct --add-rule <family> <table> f2b-<name> 0 -s <ip> -j <blocktype>
 
-actionunban = firewall-cmd --direct --remove-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
+actionunban = firewall-cmd --direct --remove-rule <family> <table> f2b-<name> 0 -s <ip> -j <blocktype>
 
 # DEV NOTES:
 #