Documentation
Overview
=============================================================================
NFTBan v1.73 - Installer Config Persistence
=============================================================================
SPDX-License-Identifier: MPL-2.0
meta:name="installer-render-config"
meta:type="lib"
meta:owner="Antonios Voulvoulis <contact@nftban.com>"
meta:created_date="2026-04-04"
meta:description="Persist SSH port and config values to conf.local and state"
meta:inventory.files="internal/installer/render/config.go"
meta:inventory.binaries=""
meta:inventory.env_vars=""
meta:inventory.config_files="/etc/nftban/nftban.conf.local"
meta:inventory.systemd_units=""
meta:inventory.network=""
meta:inventory.privileges="root"
=============================================================================

=============================================================================
NFTBan v1.73 - Installer nftables.conf Rendering
=============================================================================
SPDX-License-Identifier: MPL-2.0
meta:name="installer-render-nftables"
meta:type="lib"
meta:owner="Antonios Voulvoulis <contact@nftban.com>"
meta:created_date="2026-04-04"
meta:description="Template rendering + nft syntax validation for nftables.conf"
meta:inventory.files="internal/installer/render/nftables.go"
meta:inventory.binaries=""
meta:inventory.env_vars=""
meta:inventory.config_files="/etc/nftban/nftables.conf"
meta:inventory.systemd_units=""
meta:inventory.network=""
meta:inventory.privileges="root"
=============================================================================

=============================================================================
NFTBan v1.73 - Installer System nftables.conf Integration
=============================================================================
SPDX-License-Identifier: MPL-2.0
meta:name="installer-render-sysconf"
meta:type="lib"
meta:owner="Antonios Voulvoulis <contact@nftban.com>"
meta:created_date="2026-04-04"
meta:description="Integrate NFTBan include into system nftables.conf"
meta:inventory.files="internal/installer/render/sysconf.go"
meta:inventory.binaries=""
meta:inventory.env_vars=""
meta:inventory.config_files=""
meta:inventory.systemd_units=""
meta:inventory.network=""
meta:inventory.privileges="root"
=============================================================================
Index
- func IntegrateSystemConf(exec executor.Executor, nftConfPath string, log *logging.Logger) error
- func PersistSSHPort(exec executor.Executor, sshPort int, log *logging.Logger)
- func RenderNftablesConf(exec executor.Executor, sshPort int, ct detect.CTLimits, log *logging.Logger) error
- func RenderNftablesConfMultiPort(exec executor.Executor, sshPorts []int, ct detect.CTLimits, ...) error
Constants
This section is empty.
Variables
This section is empty.
Functions
func IntegrateSystemConf
func IntegrateSystemConf(exec executor.Executor, nftConfPath string, log *logging.Logger) error
IntegrateSystemConf appends the NFTBan include directive to the system nftables.conf if it is not already present. The operation is idempotent.
func PersistSSHPort
func PersistSSHPort(exec executor.Executor, sshPort int, log *logging.Logger)
PersistSSHPort writes the detected SSH port to conf.local and the state file. It also ensures TCP_PORTS_IN includes the SSH port (lockout prevention).
func RenderNftablesConf
func RenderNftablesConf(exec executor.Executor, sshPort int, ct detect.CTLimits, log *logging.Logger) error
RenderNftablesConf reads the nftables.conf template, substitutes placeholders, validates syntax, and writes back atomically.
Backward-compatible single-port entry point. As of v1.125 R-1, multi-port-aware callers should use RenderNftablesConfMultiPort, which renders all detected SSH listener ports into the tcp_ports_in allow-set (this closes the dns2-class lockout vector for hosts with sshd listening on multiple ports).
func RenderNftablesConfMultiPort (added in v1.125.0)
func RenderNftablesConfMultiPort(exec executor.Executor, sshPorts []int, ct detect.CTLimits, log *logging.Logger) error
RenderNftablesConfMultiPort renders nftables.conf with multi-port SSH allow-set support (v1.125 R-1; closes the dns2-class lockout vector where a host listens on multiple SSH ports, e.g. :22 + :55000, but the installer rendered only the first detected port into the firewall).
sshPorts[0] is the PRIMARY port used for the `__SSH_PORT__` template substitution (per-IP rate-limit rule and other single-port references in the template stay byte-identical to the v1.124 behavior for single-port hosts). All ports in sshPorts (primary AND any additional) are injected into the rendered tcp_ports_in allow-set so the firewall admits SSH on every detected port.
When len(sshPorts) == 1 this is semantically identical to the pre-v1.125 single-port render path. The single-port RenderNftablesConf is preserved as a thin wrapper around this function for backward compatibility with existing callers.
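The multi-port render path and the idempotent include integration described above, as an added illustration that is not NFTBan's own code: `__SSH_PORT__` is the placeholder named on this page, while the template text, the `__TCP_PORTS_IN__` placeholder, and the `RenderMultiPort` / `EnsureInclude` names are assumptions. It shows how the primary port (`sshPorts[0]`) feeds the single-port substitution while every detected port, plus any configured inbound TCP ports, lands in the `tcp_ports_in` allow-set, so a second sshd listener can no longer be locked out.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed template: __SSH_PORT__ is the placeholder named on this page;
// __TCP_PORTS_IN__ is an assumed placeholder for the tcp_ports_in allow-set.
const sampleTemplate = `define ssh_port = __SSH_PORT__
set tcp_ports_in { type inet_service; elements = { __TCP_PORTS_IN__ } }`

// RenderMultiPort substitutes __SSH_PORT__ with the primary port (sshPorts[0])
// and fills tcp_ports_in with the union of every SSH port and the configured
// inbound TCP ports, so no detected sshd listener is left out of the allow-set.
func RenderMultiPort(tmpl string, sshPorts, tcpPortsIn []int) (string, error) {
	if len(sshPorts) == 0 {
		return "", fmt.Errorf("no SSH port detected; refusing to render (lockout risk)")
	}
	seen := map[int]bool{}
	var elems []int
	for _, p := range append(append([]int{}, tcpPortsIn...), sshPorts...) {
		if p < 1 || p > 65535 {
			return "", fmt.Errorf("port %d out of range", p)
		}
		if !seen[p] {
			seen[p] = true
			elems = append(elems, p)
		}
	}
	sort.Ints(elems) // deterministic output so re-renders are byte-identical
	strs := make([]string, len(elems))
	for i, p := range elems {
		strs[i] = fmt.Sprint(p)
	}
	out := strings.ReplaceAll(tmpl, "__SSH_PORT__", fmt.Sprint(sshPorts[0]))
	return strings.ReplaceAll(out, "__TCP_PORTS_IN__", strings.Join(strs, ", ")), nil
}

// EnsureInclude appends includeLine to a system nftables.conf body only when it
// is not already present (idempotent, mirroring IntegrateSystemConf).
func EnsureInclude(sysConf, includeLine string) string {
	for _, line := range strings.Split(sysConf, "\n") {
		if strings.TrimSpace(line) == includeLine {
			return sysConf
		}
	}
	return strings.TrimRight(sysConf, "\n") + "\n" + includeLine + "\n"
}
```

With a single detected port the rendered allow-set is the same as the single-port path would produce, which is the property the wrapper relies on.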
Types
This section is empty.