From 00558c7deab081611fd9047286d0bfe478055932 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Tue, 8 Jul 2025 10:39:17 +0300
Subject: [PATCH] roles/common: re-work fail2ban and nftables

Re-work the fail2ban and nftables interaction. Use systemd's PartOf to indicate that fail2ban is part of the nftables service, which tells systemd to propogate stop/start signals to it. Then we tell the firehol update script to restart nftables instead of reload. The different between restart and reload is meaningless for nftables but we want systemd to propagate the stop/start signals to fail2ban.
---
 .../etc/systemd/system/fail2ban.service.d/override.conf.j2 | 4 ++++
 roles/common/templates/update-firehol-nftables.sh.j2 | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2 b/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
index 7e9fd50..66e4cde 100644
--- a/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
+++ b/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
@@ -1,3 +1,7 @@
+[Unit]
+# If nftables is stopped or restarted, propagate to fail2ban as well
+PartOf=nftables.service
+
 [Service]
 PrivateDevices=yes
 PrivateTmp=yes
diff --git a/roles/common/templates/update-firehol-nftables.sh.j2 b/roles/common/templates/update-firehol-nftables.sh.j2
index bb59dd2..23f70e4 100755
--- a/roles/common/templates/update-firehol-nftables.sh.j2
+++ b/roles/common/templates/update-firehol-nftables.sh.j2
@@ -58,8 +58,8 @@ NFT_HEAD
 rm -f "$firehol_level1_ipv4_list_temp" "$firehol_level1_ipv4_set_temp"
 fi
 
-echo "Reloading nftables"
+echo "Restarting nftables"
 
-/usr/bin/systemctl reload nftables.service
+/usr/bin/systemctl restart nftables.service
 
 rm -v firehol_level1.netset
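Review bot: PartOf=nftables.service in the new [Unit] section carries no ordering guarantee, so after a restart both units come up concurrently and fail2ban may create its tables before nftables has finished loading its ruleset; if that ruleset starts with a flush, fail2ban's chains are gone until its next restart. Unless the stock fail2ban.service already orders itself after nftables.service (not visible here), add `After=nftables.service` directly under the PartOf line. Note also that PartOf propagates stop and restart but not start, so a plain start of nftables after a stop leaves fail2ban down; the added comment says "stopped or restarted", which is accurate, but the commit message speaks of stop/start propagation and should match it.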
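Review bot: The exit status of the new `/usr/bin/systemctl restart nftables.service` line is never checked, and the script goes on to `rm -v firehol_level1.netset` regardless, so a failed restart (for example a syntax error in the freshly generated set) is not reported by the script and leaves the host with whatever ruleset the failed unit left behind. Change it to `/usr/bin/systemctl restart nftables.service || { echo "nftables restart failed" >&2; exit 1; }`, unless the template enables `set -e` above this hunk, which is outside the visible lines. Separately, restart is not quite the same as reload: restart runs the unit's ExecStop (which on common nftables units flushes the ruleset) before ExecStart, so there is a brief window with no firewall rules and no fail2ban bans; that may be acceptable for a periodic update but deserves a one-line comment above the echo explaining why restart was chosen. The enclosing script begins before and continues after this hunk.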