I'm using *nftables* and *fail2ban* on Debian 13 (trixie) and fail2ban
is doing a great job.
However, when comparing some counters I realized that the *number of
packets* returning from the *f2b-sshd* chain is always a little smaller
than the number of packets counted by the subsequent *tcp dport
22* *continue* rule within the input chain (see red numbers below).
I would like to understand where this difference comes from.
Suggestions and explanations are welcome.
My nftables rules look like this:
table inet mangel {
    set BOTNET {
        type ipv4_addr
        flags interval
        counter
        elements = { ... }
    }
    chain INGRESS {
        type filter hook ingress device <device> priority -500; policy accept;
        ip saddr @BOTNET counter packets x bytes y drop
    }
    chain PREROUTING {
        type filter hook prerouting priority mangle; policy accept;
        ct state invalid counter packets x bytes y drop
        ...
    }
}
table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }
    chain OUTPUT {
        type filter hook output priority filter; policy drop;
        ...
    }
    chain INPUT {
        type filter *hook input* priority filter; policy drop;
        meta l4proto tcp tcp dport 22 counter packets 187 bytes 11849 *jump* *f2b-sshd*
        *tcp dport 22* counter packets *120* bytes 7813 continue
        iifname "lo" counter packets x bytes y accept
        ...
    }
    chain *f2b-sshd* {
        ip saddr u.v.w.z counter packets x bytes y drop
        ...
        counter packets *118* bytes 7709 *return*
    }
}
_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
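One way to cross-check counters of this kind, as an added example that is not part of the post or of fail2ban: parse the `nft list ruleset` text and balance the packets jumped into f2b-sshd against the packets that left it by drop or by return. The sample ruleset is constructed in the shape of the post's, with the x/y placeholders replaced by assumed values (67 dropped packets, a made-up 192.0.2.10 source).

```python
import re

# Constructed sample in the shape of the post's `nft list ruleset` output.
# The post's x/y placeholders are replaced by assumed values (67 dropped packets).
SAMPLE = """\
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        meta l4proto tcp tcp dport 22 counter packets 187 bytes 11849 jump f2b-sshd
        tcp dport 22 counter packets 120 bytes 7813 continue
        iifname "lo" counter packets 5 bytes 300 accept
    }
    chain f2b-sshd {
        ip saddr 192.0.2.10 counter packets 67 bytes 4140 drop
        counter packets 118 bytes 7709 return
    }
}
"""

CHAIN_RE = re.compile(r"^\s*chain (\S+) \{")
RULE_RE = re.compile(r"counter packets (\d+) bytes \d+ (\w+)(?: (\S+))?")
TERMINAL = {"drop", "accept", "reject"}

def parse_chains(text):
    """Map chain name -> list of (packets, verdict, target) for counted rules."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and (r := RULE_RE.search(line)):
            chains[current].append((int(r.group(1)), r.group(2), r.group(3)))
    return chains

def audit_jump(chains, chain, target):
    """Balance what entered `target` via jump against how it left.

    Each packet jumped into `target` leaves either by a terminating verdict
    (drop/accept/reject) or by the chain's return rule, so ideally
        jumped == terminated + returned
    A non-zero delta points at counters zeroed at different moments, e.g. the
    jumped-to chain being recreated on a service restart while INPUT kept counting.
    """
    jumped = sum(p for p, v, t in chains[chain] if v == "jump" and t == target)
    terminated = sum(p for p, v, _ in chains[target] if v in TERMINAL)
    returned = sum(p for p, v, _ in chains[target] if v == "return")
    return {"jumped": jumped, "terminated": terminated,
            "returned": returned, "delta": jumped - terminated - returned}

if __name__ == "__main__":
    print(audit_jump(parse_chains(SAMPLE), "INPUT", "f2b-sshd"))
```

Run it against real output with `nft list ruleset | python3 audit.py` adapted to read stdin; a delta of 0 means the jump, drop and return counters were all reset together.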