Working f2b now fails after upgrade to 1.1.0

[fvultee]

Hey all, my f2b has been working great for awhile. It's running in Docker (Portainer) protecting a self hosted Bitwarden server. Just upgraded to f2b 1.1.0 and now I get the following error when I test a ban:

2024-05-02 09:46:21,526 fail2ban.filter         [1]: INFO    [bitwarden] Found 192.168.5.135 - 2024-05-02 09:46:21
2024-05-02 09:46:21,935 fail2ban.actions        [1]: NOTICE  [bitwarden] Ban 192.168.5.135
2024-05-02 09:46:22,061 fail2ban.utils          [1]: ERROR   7facbaaed3b0 -- exec: { iptables -w -C f2b-bitwarden -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-bitwarden || true; iptables -w -A f2b-bitwarden -j RETURN; }
for proto in $(echo 'tcp' | sed 's/,/ /g'); do
{ iptables -w -C INPUT -p $proto -j f2b-bitwarden >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -j f2b-bitwarden; }
done
2024-05-02 09:46:22,061 fail2ban.utils          [1]: ERROR   7facbaaed3b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-02 09:46:22,061 fail2ban.utils          [1]: ERROR   7facbaaed3b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-02 09:46:22,061 fail2ban.utils          [1]: ERROR   7facbaaed3b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-02 09:46:22,062 fail2ban.utils          [1]: ERROR   7facbaaed3b0 -- returned 4
2024-05-02 09:46:22,062 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'bitwarden' action 'iptables-allports' info 'ActionInfo({'ip': '192.168.5.135', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7facbb12db20>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7facbb12e2a0>})': Error starting action Jail('bitwarden')/iptables-allports: 'Script error'

Any help is appreciated, regards.

[Marsupoil76]

Hi all, Same history in Version: 7.2.1-69057 Update 5 on my Synology ( f2b dockerised ) iptables v1.8.10
2024/05/05 00:06:25 stdout 2024-05-05 00:06:25,320 fail2ban.filter [1]: INFO [vaultwarden-admin] Found XX.XX.XX.XX - 2024-05-05 00:06:25 2024/05/05 00:06:23 stdout 2024-05-05 00:06:23,678 fail2ban.actions [1]: ERROR Failed to execute ban jail 'vaultwarden-admin' action 'iptables-allports' info 'ActionInfo({'ip': 'XX.XX.XX.XX', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f130e351d00>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f130e352480>})': Error starting action Jail('vaultwarden-admin')/iptables-allports: 'Script error' 2024/05/05 00:06:23 stdout 2024-05-05 00:06:23,678 fail2ban.utils [1]: ERROR 7f130e973770 -- returned 4 2024/05/05 00:06:23 stdout 2024-05-05 00:06:23,678 fail2ban.utils [1]: ERROR 7f130e973770 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'

[sebres]

Related to this https://askubuntu.com/a/1428222 - iptables-legacy could fix that, however I don't think it is good idea.

No idea what is wrong with iptables here, but neither it is fail2ban issue, nor newer version of fail2ban changed something by iptables-actions.

And because it looks anyway like a iptables-nft layer (allowing iptables syntax with the nf_tables kernel subsystem), better would be to switch to nftables native actions instead, like fail2ban does it now by default for debians now...

fail2ban/config/paths-debian.conf

Lines 12 to 13 in c04e12d

	banaction = nftables
	banaction_allports = nftables[type=allports]

So either remove your own banaction or action definitions (in jail.local or in whatever own config), or rewrite them to nftables.