Support new nftables configuration design

[g00g1]

As proposed at issue 153, I have implemented the following configuration design:

nftables:
    enabled: true
    targets:
    - blacklist: crowdsec-blacklist4
      set-only: false
      table: crowdsec-inet
      chain: crowdsec-input
      family: inet
      protocol: ip
      hook: input
    - blacklist: crowdsec-blacklist6
      set-only: false
      table: crowdsec-inet
      chain: crowdsec-input
      family: inet
      protocol: ip6
      hook: input

I have already tested it on my crowdsec station, however if there still any issues please let me know!

[mmetc]

Hi!

Thanks for the contribution, we released a long overdue stable version yesterday, so will review this for the next one, which shouldn't take as much

[ne20002]

How do I define that I want input and forward hook?

[g00g1]

@ne20002, something like this

nftables:
    enabled: true
    targets:
    - blacklist: crowdsec-blacklist
      set-only: false
      table: crowdsec-inet
      chain: crowdsec-input
      family: inet
      protocol: ip
      hook: input
    - blacklist: crowdsec-blacklist
      set-only: false
      table: crowdsec-inet
      chain: crowdsec-input
      family: inet
      protocol: ip
      hook: forward

[ne20002]

How is that working with set-only true? In that case only one entry is required?

[g00g1]

How is that working with set-only true? In that case only one entry is required?

@ne20002, you may have as much entries as required for your use case. For example, you may have duplicated sets in different tables or both in inet and ip4/ip6 tables for whatever reason. The new configuration design is extremely flexible.