From ad1159072c1b092e3304b785111eecbc18613cca Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Thu, 9 May 2024 16:18:46 +0200
Subject: [PATCH] fallback to iptables-legacy if host doesn't support nft

---
 .github/workflows/test.yml |  8 ++++++++
 README.md                  | 34 +---------------------------------
 entrypoint.sh              | 21 +++++++++++++++++++++
 test/compose.yml           |  2 ++
 4 files changed, 32 insertions(+), 33 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f66eb51..f27c6d7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -20,6 +20,13 @@ env:
 jobs:
   test:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        iptables:
+          - auto
+          - nft
+          - legacy
     steps:
       -
         name: Checkout
@@ -45,6 +52,7 @@ jobs:
         env:
           FAIL2BAN_IMAGE: ${{ env.BUILD_TAG }}
           FAIL2BAN_CONTAINER: ${{ env.CONTAINER_NAME }}
+          IPTABLES_MODE: ${{ matrix.iptables }}
       -
         name: Check container logs
         uses: crazy-max/.github/.github/actions/container-logs-check@main
diff --git a/README.md b/README.md
index 69d12a6..69d821b 100644
--- a/README.md
+++ b/README.md
@@ -32,7 +32,6 @@ ___
   * [`DOCKER-USER` chain](#docker-user-chain)
   * [`DOCKER-USER` and `INPUT` chains](#docker-user-and-input-chains)
   * [Jails examples](#jails-examples)
-  * [Use iptables tooling without nftables backend](#use-iptables-tooling-without-nftables-backend)
   * [Use fail2ban-client](#use-fail2ban-client)
   * [Global jail configuration](#global-jail-configuration)
   * [Custom jails, actions and filters](#custom-jails-actions-and-filters)
@@ -81,6 +80,7 @@ Image: crazymax/fail2ban:latest
 * `F2B_LOG_TARGET`: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT (default `STDOUT`)
 * `F2B_LOG_LEVEL`: Log level output (default `INFO`)
 * `F2B_DB_PURGE_AGE`: Age at which bans should be purged from the database (default `1d`)
+* `IPTABLES_MODE`: Choose between iptables `nft` or `legacy` mode. (default `auto`)
 * `SSMTP_HOST`: SMTP server host
 * `SSMTP_PORT`: SMTP server port (default `25`)
 * `SSMTP_HOSTNAME`: Full hostname (default `$(hostname -f)`)
@@ -173,38 +173,6 @@ And others using the `INPUT` chain:
 * [proxmox](examples/jails/proxmox)
 * [sshd](examples/jails/sshd)
 
-### Use iptables tooling without nftables backend
-
-As you may know, [nftables](https://wiki.nftables.org) is available as a modern
-replacement for the kernel's iptables subsystem on Linux.
-
-This image still uses `iptables` to preserve backwards compatibility but [an issue is opened](https://github.com/crazy-max/docker-fail2ban/issues/29)
-about its implementation.
-
-If your system's `iptables` tooling uses the nftables backend, this will throw
-the error `stderr: 'iptables: No chain/target/match by that name.'`. You need
-to switch the `iptables` tooling to 'legacy' mode to avoid these problems. This
-is the case on at least Debian 10 (Buster), Ubuntu 19.04, Fedora 29 and newer
-releases of these distributions by default. RHEL 8 does not support switching
-to legacy mode, and is therefore currently incompatible with this image.
-
-On Ubuntu or Debian:
-
-```console
-$ update-alternatives --set iptables /usr/sbin/iptables-legacy
-$ update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
-$ update-alternatives --set arptables /usr/sbin/arptables-legacy
-$ update-alternatives --set ebtables /usr/sbin/ebtables-legacy
-```
-
-On Fedora:
-
-```console
-$ update-alternatives --set iptables /usr/sbin/iptables-legacy
-```
-
-Then reboot to apply changes.
-
 ### Use fail2ban-client
 
 [Fail2ban commands](http://www.fail2ban.org/wiki/index.php/Commands) can be used
diff --git a/entrypoint.sh b/entrypoint.sh
index d0d28d1..abb21cc 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -5,6 +5,7 @@ TZ=${TZ:-UTC}
 F2B_LOG_TARGET=${F2B_LOG_TARGET:-STDOUT}
 F2B_LOG_LEVEL=${F2B_LOG_LEVEL:-INFO}
 F2B_DB_PURGE_AGE=${F2B_DB_PURGE_AGE:-1d}
+IPTABLES_MODE=${IPTABLES_MODE:-auto}
 SSMTP_PORT=${SSMTP_PORT:-25}
 SSMTP_HOSTNAME=${SSMTP_HOSTNAME:-$(hostname -f)}
 
@@ -101,4 +102,24 @@ for filter in ${filters}; do
   ln -sf "/data/filter.d/${filter}" "/etc/fail2ban/filter.d/"
 done
 
+iptablesLegacy=0
+if [ "$IPTABLES_MODE" = "auto" ] && ! iptables -L &> /dev/null; then
+  echo "WARNING: iptables-nft is not supported by the host, falling back to iptables-legacy"
+  iptablesLegacy=1
+elif [ "$IPTABLES_MODE" = "legacy" ]; then
+  echo "WARNING: iptables-legacy enforced"
+  iptablesLegacy=1
+fi
+if [ "$iptablesLegacy" -eq 1 ]; then
+  ln -sf /sbin/xtables-legacy-multi /sbin/iptables
+  ln -sf /sbin/xtables-legacy-multi /sbin/iptables-save
+  ln -sf /sbin/xtables-legacy-multi /sbin/iptables-restore
+  ln -sf /sbin/xtables-legacy-multi /sbin/ip6tables
+  ln -sf /sbin/xtables-legacy-multi /sbin/ip6tables-save
+  ln -sf /sbin/xtables-legacy-multi /sbin/ip6tables-restore
+fi
+
+iptables -V
+nft -v
+
 exec "$@"
diff --git a/test/compose.yml b/test/compose.yml
index 54fe9e6..dfab061 100644
--- a/test/compose.yml
+++ b/test/compose.yml
@@ -13,4 +13,6 @@ services:
       - "/var/log:/var/log:ro"
     env_file:
       - "./fail2ban.env"
+    environment:
+      - "IPTABLES_MODE=${IPTABLES_MODE:-auto}"
     restart: always
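Review bot: The mode check on the new `elif` line accepts any value that is neither `auto` nor `legacy` as if it were `nft`, so a misspelled `IPTABLES_MODE` silently keeps the nft tooling with no message; add a validating branch such as `elif [ "$IPTABLES_MODE" != "nft" ]; then echo "ERROR: unknown IPTABLES_MODE '$IPTABLES_MODE' (expected auto, nft or legacy)" >&2; exit 1`. The probe `iptables -L &> /dev/null` uses a bash-only redirection; the script's shebang is outside the hunk, and if it runs under `/bin/sh` the `&>` is parsed as a background `&` followed by a bare redirection, so the `if` status no longer reflects the probe at all — `iptables -L -n > /dev/null 2>&1` is the portable spelling, and `-n` also avoids reverse-DNS lookups on existing rules that can stall container startup when DNS is unreachable. The probe also treats any `iptables -L` failure (missing `NET_ADMIN`, no kernel modules) as "host lacks nft", in which case the legacy fallback fails too but the WARNING line points the operator at the wrong cause; a short comment above the `if` noting this assumption would help. The six `ln -sf` lines are one statement repeated and read better as `for tool in iptables iptables-save iptables-restore ip6tables ip6tables-save ip6tables-restore; do ln -sf /sbin/xtables-legacy-multi "/sbin/${tool}"; done`. Both WARNING messages go to stdout where they interleave with fail2ban's own output; sending them to stderr with `>&2` keeps them as diagnostics.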