fail2ban-rs 1.2.1

A pure-Rust fail2ban replacement. Single static binary, fast two-phase matching, nftables/iptables firewall backends.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158

//! Nftables firewall backend.

use std::net::IpAddr;
use std::path::PathBuf;

use crate::enforce::FirewallBackend;
use crate::error::{Error, Result};

/// Nftables backend — uses `nft` command resolved at startup.
pub struct NftablesBackend {
    nft_path: PathBuf,
}

impl NftablesBackend {
    pub fn new(nft_path: PathBuf) -> Self {
        Self { nft_path }
    }

    async fn run_nft(&self, args: &[&str]) -> Result<()> {
        let output = tokio::process::Command::new(&self.nft_path)
            .args(args)
            .output()
            .await
            .map_err(|e| Error::firewall(format!("nft command failed: {e}")))?;

        if !output.status.success() {
            let stderr = String::from_utf8_lossy(&output.stderr);
            return Err(Error::firewall(format!(
                "nft exit {}: {stderr}",
                output.status
            )));
        }
        Ok(())
    }
}

#[async_trait::async_trait]
impl FirewallBackend for NftablesBackend {
    async fn init(&self, jail: &str, ports: &[String], protocol: &str) -> Result<()> {
        // Create table if it doesn't exist.
        self.run_nft(&["add", "table", "inet", "fail2ban-rs"])
            .await?;
        // Create base chain for filtering input.
        self.run_nft(&[
            "add",
            "chain",
            "inet",
            "fail2ban-rs",
            "f2b-chain",
            "{ type filter hook input priority -1; policy accept; }",
        ])
        .await
        .ok(); // ignore if already exists
        // Create IPv4 set.
        let set_name = format!("f2b-{jail}");
        self.run_nft(&[
            "add",
            "set",
            "inet",
            "fail2ban-rs",
            &set_name,
            "{ type ipv4_addr; flags interval; }",
        ])
        .await?;
        // Create IPv6 set.
        let set_v6 = format!("f2b-{jail}-v6");
        self.run_nft(&[
            "add",
            "set",
            "inet",
            "fail2ban-rs",
            &set_v6,
            "{ type ipv6_addr; flags interval; }",
        ])
        .await?;
        // Add rules matching ports + set -> reject.
        if ports.is_empty() {
            // No ports specified: match all traffic from banned IPs.
            let rule_v4 = format!("ip saddr @{set_name} reject");
            self.run_nft(&["add", "rule", "inet", "fail2ban-rs", "f2b-chain", &rule_v4])
                .await?;
            let rule_v6 = format!("ip6 saddr @{set_v6} reject");
            self.run_nft(&["add", "rule", "inet", "fail2ban-rs", "f2b-chain", &rule_v6])
                .await?;
        } else {
            let port_list = ports.join(",");
            let rule_v4 = format!("{protocol} dport {{ {port_list} }} ip saddr @{set_name} reject");
            self.run_nft(&["add", "rule", "inet", "fail2ban-rs", "f2b-chain", &rule_v4])
                .await?;
            let rule_v6 = format!("{protocol} dport {{ {port_list} }} ip6 saddr @{set_v6} reject");
            self.run_nft(&["add", "rule", "inet", "fail2ban-rs", "f2b-chain", &rule_v6])
                .await?;
        }
        Ok(())
    }

    async fn teardown(&self, jail: &str) -> Result<()> {
        let set_name = format!("f2b-{jail}");
        let set_v6 = format!("f2b-{jail}-v6");
        // Flush and delete sets (rules referencing them are removed by nft).
        self.run_nft(&["flush", "set", "inet", "fail2ban-rs", &set_name])
            .await
            .ok();
        self.run_nft(&["delete", "set", "inet", "fail2ban-rs", &set_name])
            .await
            .ok();
        self.run_nft(&["flush", "set", "inet", "fail2ban-rs", &set_v6])
            .await
            .ok();
        self.run_nft(&["delete", "set", "inet", "fail2ban-rs", &set_v6])
            .await
            .ok();
        Ok(())
    }

    async fn ban(&self, ip: &IpAddr, jail: &str) -> Result<()> {
        let set_name = format!("f2b-{jail}");
        self.run_nft(&[
            "add",
            "element",
            "inet",
            "fail2ban-rs",
            &set_name,
            &format!("{{{ip}}}"),
        ])
        .await
    }

    async fn unban(&self, ip: &IpAddr, jail: &str) -> Result<()> {
        let set_name = format!("f2b-{jail}");
        self.run_nft(&[
            "delete",
            "element",
            "inet",
            "fail2ban-rs",
            &set_name,
            &format!("{{{ip}}}"),
        ])
        .await
    }

    async fn is_banned(&self, ip: &IpAddr, jail: &str) -> Result<bool> {
        let set_name = format!("f2b-{jail}");
        let output = tokio::process::Command::new(&self.nft_path)
            .args(["list", "set", "inet", "fail2ban-rs", &set_name])
            .output()
            .await
            .map_err(|e| Error::firewall(format!("nft command failed: {e}")))?;

        let stdout = String::from_utf8_lossy(&output.stdout);
        let ip_str = ip.to_string();
        Ok(stdout.split_whitespace().any(|token| token == ip_str))
    }

    fn name(&self) -> &'static str {
        "nftables"
    }
}