Control: severity -1 grave

Hey.

I'd say this one is also at least grave (it breaks the sensible use of fail2ban itself) or rather even critical (as fail2ban is used for security purposes).

The package recommends either iptables/nftables (which I guess is in principle good, because people should have the choice... and it's even thinkable to use fail2ban without either of those, though I guess only few would do so in practice).

Nevertheless, there was at some point a silent change from using:
  banaction = iptables-multiport
  banaction_allports = iptables-allports
(which is still set as such in the "main" jail.conf) to that being overridden in jail.d/defaults-debian.conf:
  banaction = nftables
  banaction_allports = nftables[type=allports]

AFAICS, there is no NEWS.Debian entry or anything where people could have realistically learned about that change (which may however easily break their setup):
a) if nftables is not installed at all
b) if they still use iptables for configuring their netfilter and want/need the f2b rules to be added at some special place in the order of rules

This is worsened by fail2ban.service apparently not failing if nftables is missing, so people have no real chance (except by manually looking) to notice that fail2ban is actually in a broken state.

Cheers,
Chris.
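A check for the silent breakage described in the report above, as an added example that is not part of the original message and is not fail2ban or Debian code. The two config strings are constructed from the settings quoted in the report, the files are assumed to be passed in fail2ban's read order, and the mapping from action-name prefix to required binary is an assumption of this example.

```python
import configparser
import shutil

# Constructed sample inputs holding only the settings quoted in the report.
JAIL_CONF = """[DEFAULT]
banaction = iptables-multiport
banaction_allports = iptables-allports
"""
DEFAULTS_DEBIAN = """[DEFAULT]
banaction = nftables
banaction_allports = nftables[type=allports]
"""

# Assumption: action names starting with these prefixes need these binaries.
TOOL_FOR_PREFIX = {"nftables": "nft", "iptables": "iptables"}


def effective_banactions(texts):
    """Merge config texts in read order; later files override earlier ones."""
    merged = {}
    for text in texts:
        # RawConfigParser does no interpolation, so %(...)s values stay as written.
        cp = configparser.RawConfigParser()
        cp.read_string(text)
        for key in ("banaction", "banaction_allports"):
            if key in cp.defaults():
                merged[key] = cp.defaults()[key].strip()
    return merged


def missing_tools(texts, which=shutil.which):
    """Return {setting: binary} for ban actions whose binary is not on PATH."""
    problems = {}
    for key, action in effective_banactions(texts).items():
        name = action.split("[", 1)[0]  # drop parameters such as "[type=allports]"
        for prefix, tool in TOOL_FOR_PREFIX.items():
            if name.startswith(prefix) and which(tool) is None:
                problems[key] = tool
    return problems


if __name__ == "__main__":
    texts = [JAIL_CONF, DEFAULTS_DEBIAN]  # jail.conf first, then the jail.d override
    print("effective:", effective_banactions(texts))
    for key, tool in missing_tools(texts).items():
        print(f"BROKEN: {key} needs '{tool}', which is not installed")
```

On a real host, the strings would be replaced by the contents of jail.conf, the jail.d files and any .local overrides, in that order.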