From dbf45920d51e601c8f82cb23f83be1f2d1a8d516 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Tue, 30 Oct 2018 10:38:18 +0100
Subject: [PATCH] manually create the subchain
---
 modules/fail2ban/manifests/init.pp | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/modules/fail2ban/manifests/init.pp b/modules/fail2ban/manifests/init.pp
index 74a650b41..81b020eb2 100644
--- a/modules/fail2ban/manifests/init.pp
+++ b/modules/fail2ban/manifests/init.pp
@@ -19,14 +19,21 @@ class fail2ban {
 | EOF
 }
- @ferm::rule { 'dsa-f2b-setup':
+ @ferm::rule { 'dsa-f2b-setup1':
 prio => '005',
 description => 'f2b master rule',
- chain => 'INPUT',
+ chain => 'dsa-f2b',
 domain => '(ip ip6)',
- rule => 'saddr 0/0 @subchain "dsa-f2b" {}',
+ rule => '',
 notarule => true,
 }
+ @ferm::rule { 'dsa-f2b-setup2':
+ prio => '005',
+ description => 'f2b master rule',
+ chain => 'INPUT',
+ domain => '(ip ip6)',
+ rule => 'jump dsa-f2b',
+ }
 # XXX Maybe this will be automatically done in buster, it is certainly needed in stretch. So maybe: versioncmp($::lsbmajdistrelease, '9') <= 0
 concat::fragment { 'dsa-puppet-stuff--fail2ban-cleanup':
-- 2.20.1
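Review bot: `dsa-f2b-setup1` and `dsa-f2b-setup2` carry the same `description => 'f2b master rule'`, and nothing in the manifest says why the chain is now declared separately from the jump, so a later reader cannot tell which resource creates `dsa-f2b` and which one hooks it into INPUT. Give them distinct descriptions, for example `description => 'f2b: declare empty dsa-f2b chain',` on the first and `description => 'f2b: send INPUT through dsa-f2b',` on the second, and add a one-line comment above `dsa-f2b-setup1` stating that `rule => ''` together with `notarule => true` is intentional. A short comment next to `prio => '005'` on `dsa-f2b-setup2` would also help: presumably the jump is meant to be evaluated ahead of the accept rules in INPUT, since a ban only takes effect for traffic that reaches the jump first, but how `prio` maps to rule order is defined in `ferm::rule`, which is not visible here. The enclosing `class fail2ban` starts and ends outside the hunk.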