IPset plugin

Permits to manipulate ipsets much faster than with UNIX commands.

reaction's startup on my server is 15 times faster with the ipset plugin than it was when running ipset UNIX commands.

It's also more convenient to use. It easily permits to manage one ipset by Filter and thus avoid IP conflicts between filters.

systemd options

This plugin requires the CAP_NET_ADMIN and the CAP_PERFMON capabilities to be able to talk to linux's iptables and ipset.

{
  plugins: {
    ipset: {
      path: '/usr/bin/reaction-plugin-ipset',
      systemd_options: {
        CapabilityBoundingSet: ['~CAP_NET_ADMIN', '~CAP_PERFMON'],
      }
    },
  },
}

plugins:
  ipset:
    path: /usr/bin/reaction-plugin-ipset
    systemd_options:
      CapabilityBoundingSet: ['~CAP_NET_ADMIN', '~CAP_PERFMON']

Configuration

This plugin exposes only one action of type ipset.

{
  ban: {
    type: 'ipset',
    options: {
      set: 'reaction',
      action: 'add',
    },
  },
  unban: {
    type: 'ipset',
    options: {
      set: 'reaction',
      action: 'del',
    },
  },
}

ban:
  type: ipset
  options:
    set: reaction
    action: add
unban:
  type: ipset
  options:
    set: reaction
    action: del

Action Options

Each action has 3 possible options:

set

Required. The name of the ipset that will be created.

action

Can be add (add the IP to the set) or del (delete the IP from the set).

Defaults to add.

pattern

The name of the Pattern that holds the ip in this Filter. It is most commonly ip, but can be set to any name, depending on your configuration.

{
  patterns: {
    ipv4: {
      type: 'ipv4',
    },
  },
  streams: {
    s1: {
      filters: {
        f1: {
          regex: ['^<ipv4> ...'],
          actions: {
            ban: {
              type: 'ipset',
              options: {
                set: 'reaction',
                pattern: 'ipv4',
              }
            }
          }
        }
      }
    }
  }
}

patterns:
  ipv4:
    type: 'ipv4'

streams:
  s1:
    filters:
      f1:
        regex: ['^<ipv4> ...']
        actions:
          ban:
            type: 'ipset'
            options:
              set: 'reaction'
              pattern: 'ipv4'

Set Options

In addition to the previous options, 4 set-related options can be added.

They'll be merged between all actions of the same set.

Conflicting options for a same set in different actions will throw a configuration error.

version

One of ip, ipv4 or ipv6.

IPsets can only be of type ipv4 or ipv6.

  • Specifying ipv4 will create an set capable of containing IPv4 addresses only.
  • Specifying ipv6 will create an set capable of containing IPv6 addresses only.
  • Specifying ip (the default) will create two sets:
    • One IPv4 set, with name suffixed by v4.
    • One IPv6 set, with name suffixed by v6.

The following example will create 4 sets:

  • An IPv4 set named a.
  • An IPv6 set named b.
  • An IPv4 set named cv4.
  • An IPv6 set named cv6.
{
  a1: {
    ipv4only: true,
    type: 'ipset',
    options: {
      set: 'a',
      version: 'ipv4',
    },
  },
  a2: {
    ipv6only: true,
    type: 'ipset',
    options: {
      set: 'b',
      version: 'ipv6',
    },
  },
  a3: {
    type: 'ipset',
    options: {
      set: 'c',
      version: 'ip',
    },
  },
}

a1:
  ipv4only: true
  type: ipset
  options:
    set: a
    version: ipv4
a2:
  ipv6only: true
  type: ipset
  options:
    set: b
    version: ipv6
a3:
  type: ipset
  options:
    set: c
    version: ip

In summary:

  • The version ip is just a convenient shortcut for transparently handling both ipv4 and ipv6 and is the default.
  • If you need more control, or have an ipv4-only or ipv6-only server, you can set version to ipv4 or ipv6.

chains

The iptables and ip6tables chains where the set must be inserted.

IPv4 sets will be inserted in iptables chains, and IPv6 sets will be inserted in ip6tables chains.

Array of strings. Defaults to ["INPUT", "FORWARD"], but can be any user-defined chain too.

Example:

{
  type: 'ipset',
  options: {
    set: 'reaction',
    // only in INPUT, not in FORWARD
    chains: ['INPUT'],
  }
}

type: ipset
options:
  set: reaction
  # only in INPUT, not in FORWARD
  chains: ['INPUT']

target

The target associated with the match of an IP.

Defaults to DROP, which means that associated packets are simply dropped.

But it can be any user-defined chain too.

Example:

{
  type: 'ipset',
  options: {
    set: 'reaction',
    // user-defined chain
    target: 'nixos-fw-log-refuse',
  }
}

type: 'ipset'
options:
  set: 'reaction'
  # user-defined chain
  target: 'nixos-fw-log-refuse'

timeout

Optional ipset timeout, letting linux/netfilter handle set removal instead of reaction.

If this is used instead of an after action, note that:

  • reaction show and reaction flush won't work.
  • IPs won't be persisted to disk.

Same syntax as Action after.

Example:

{
  type: 'ipset',
  options: {
    set: 'reaction',
    action: 'add',
    timeout: '1d',
  }
}

type: ipset
options:
  set: reaction
  action: add
  timeout: 1d

We recommend using an after command like this instead:

{
  type: 'ipset',
  options: {
    set: 'reaction',
    action: 'add',
  }
},
{
  type: 'ipset',
  options: {
    set: 'reaction',
    action: 'del',
  },
  after: '1d',
}