Bug#1121856: fail2ban: Fail2ban does not depend on nftables but it should

[Fabio Muzzi]

Package: fail2ban
Version: 1.1.0-8
Severity: normal

Dear Maintainer,

I have installed fail2ban on a newly deployed Debian 13 (from french vps
provider OVH). Fail2ban tried to ban ip addresses but logged an error
like this:

ERROR   Failed to execute ban jail 'sshd' action 'nftables' info 'ActionInfo({'ip': '165.232.82.131', 
'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f7843370c20>, 
'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f78433713a0>})': Error starting 
action Jail('sshd')/nftables: 'Script error'

The issue is simple: the "nft" command was missing.

apt install nftables resolved this issue.

I see that fail2ban recommends nft but does not require nft, so it did
not get installed, probably because iptables was already installed.


Now, since I knew fail2ban in Debian 13 uses nftables, I checked for it
and found it was not installed, but if I did not know this, I'd get a
non-working fail2ban that apparently works just fine (no errors, banned
hosts show up properly when doing "fail2ban client status") and the only way
of finding the issue is by checking the logs or actually checking if nft rules 
were actually added or not.




-- System Information:
Debian Release: 13.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.57+deb13-cloud-amd64 (SMP w/6 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fail2ban depends on:
ii  python3          3.13.5-1
ii  python3-systemd  235-1+b6

Versions of packages fail2ban recommends:
ii  iptables            1.8.11-2
ii  nftables            1.1.3-1
ii  python3-pyinotify   0.9.6-5
ii  python3-setuptools  78.1.1-0.1
ii  whois               5.6.3

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]            8.1.2-0.20220412cvs-1.1
pn  monit                        <none>
ii  rsyslog [system-log-daemon]  8.2504.0-1
pn  sqlite3                      <none>

-- no debconf information

--
Fabio "Kurgan" Muzzi

- IZ4UFQ -

"Il massimo danno con il minimo sforzo"