Support deny_action: TARPIT

[gloomytrousers]

With xtables-addons installed, there is a TARPIT target available in iptables. However, setting deny_action: TARPIT in crowdsec-firewall-bouncer.yaml is ignored - it defaults to DENY.

Please allow TARPIT as an accepted value for deny_action. Looks like iptables.go is the right place for this.

I'd also suggest it's better to fail with an error if the config contains an unsupported value, rather than silently picking a default - this will likely prevent a lot of head scratching.

[LaurenceJJones]

So we could have a slice of supported actions we check if value is in slice if not error on startup

cs-firewall-bouncer/pkg/iptables/iptables.go

Lines 55 to 60 in 9f27212

	var target string
	if strings.EqualFold(config.DenyAction, "REJECT") {
	target = "REJECT"
	} else {
	target = "DROP"
	}

[LaurenceJJones]

Will be released in next version

[gloomytrousers]

Just in case anyone stumbles upon this in future... despite the fix in this ticket, TARPIT doesn't work. The bouncer tries to set up an iptables rule for all protocols with TARPIT as the target, which results in "x_tables: ip_tables: TARPIT target: only valid for protocol 6" (i.e. TCP).