safety

package
v1.112.2 Latest
Warning

This package is not in the latest version of its module.

Published: May 13, 2026 License: MPL-2.0 Imports: 6 Imported by: 0

Documentation


Constants

This section is empty.

Variables

This section is empty.

Functions

func SeedManualWhitelist

func SeedManualWhitelist(exec executor.Executor, log *logging.Logger) error

SeedManualWhitelist ensures /etc/nftban/whitelist.d/99-manual.conf exists and contains the minimum entries needed to prevent accidental SSH lockout on a fresh source install.

Contract:

  • If the file exists and contains any non-comment / non-blank line, the function is a no-op: the operator's content is preserved.
  • If the file does not exist OR contains only header/blank lines, the function writes a new file with the canonical header + detected system IPs (interface IPs + SSH-client IP from $SSH_CLIENT if set).
  • File mode and ownership match the shipped template: root:nftban 0640 (the payload package will set this; this package only writes content — ownership enforcement is payload's job).

Non-fatal: errors detecting individual IPs are logged at Debug level and the seed proceeds with whatever was detected. If NO IPs are detected at all, the file is still created with the header only — the operator retains control and switchop.InjectEmergencySSH provides port-level protection independently.
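The seeding decision in the contract above, as an added example (not the nftban source). hasOperatorContent and planSeed are hypothetical names, '#' as the comment marker is an assumption, and the sample addresses are constructed. Each candidate, including the first field of $SSH_CLIENT, is parsed as an IP address before it is written, so a malformed environment value cannot add arbitrary lines to the whitelist.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strings"
)

// hasOperatorContent reports any non-blank, non-comment line (assumption: '#' starts a comment).
func hasOperatorContent(body string) bool {
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		if l := strings.TrimSpace(sc.Text()); l != "" && !strings.HasPrefix(l, "#") {
			return true
		}
	}
	return false
}

// planSeed returns the content to write, or write=false when the existing file
// must stay untouched. existing == nil models a missing file; sshClient is raw $SSH_CLIENT.
func planSeed(existing *string, header string, ifaceIPs []string, sshClient string) (out string, write bool) {
	if existing != nil && hasOperatorContent(*existing) {
		return "", false // operator content is preserved
	}
	cands := ifaceIPs
	if f := strings.Fields(sshClient); len(f) > 0 { // "<ip> <client-port> <server-port>"
		cands = append(append([]string{}, ifaceIPs...), f[0])
	}
	var b strings.Builder
	b.WriteString(header)
	seen := map[netip.Addr]bool{}
	for _, s := range cands {
		a, err := netip.ParseAddr(s)
		if err != nil || seen[a.Unmap()] {
			continue // non-fatal: skip unparsable or duplicate entries
		}
		seen[a.Unmap()] = true
		fmt.Fprintln(&b, a.Unmap())
	}
	return b.String(), true // header only when nothing was detected
}

func main() {
	old := "# header only\n\n" // constructed sample file body
	out, _ := planSeed(&old, "# seeded\n", []string{"192.0.2.10"}, "203.0.113.7 50522 22")
	fmt.Print(out)
}
```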

Types

This section is empty.
