fix confs iptables

app/example.yml

@@ -3,8 +3,8 @@
 # using YAML anchors `&name` and pointers `*name`
 # definitions are not readed by reaction
 definitions:
-  - &iptablesban [ 'ip46tables', '-w', '-A', 'reaction', '1', '-s', '<ip>', '-j', 'DROP' ]
+  - &iptablesban [ 'ip46tables', '-w', '-A', 'reaction', '-s', '<ip>', '-j', 'DROP' ]
-  - &iptablesunban [ 'ip46tables', '-w', '-D', 'reaction', '1', '-s', '<ip>', '-j', 'DROP' ]
+  - &iptablesunban [ 'ip46tables', '-w', '-D', 'reaction', '-s', '<ip>', '-j', 'DROP' ]
 # ip46tables is a minimal C program (only POSIX dependencies) present as a subdirectory.
 # it permits to handle both ipv4/iptables and ipv6/ip6tables commands
 
@@ -21,7 +21,6 @@ patterns:
 # Those commands will be executed in order at start, before everything else
 start:
   - [ 'ip46tables', '-w', '-N', 'reaction' ]
-  - [ 'ip46tables', '-w', '-A', 'reaction', '-j', 'RETURN' ]
   - [ 'ip46tables', '-w', '-I', 'INPUT', '-p', 'all', '-j', 'reaction' ]
 
 # Those commands will be executed in order at stop, after everything else
@@ -30,7 +29,6 @@ stop:
   - [ 'ip46tables', '-w', '-F', 'reaction' ]
   - [ 'ip46tables', '-w', '-X', 'reaction' ]
 
-
 # streams are commands
 # they are run and their ouptut is captured
 # *example:* `tail -f /var/log/nginx/access.log`
@@ -71,7 +69,7 @@ streams:
             # if you want reaction to run those pending commands before exiting, you can set this:
             onexit: true
             # (defaults to false)
-            # here it is not useful because we will flush the chain containing the bans anyway
+            # here it is not useful because we will flush and delete the chain containing the bans anyway
             # (with the stop commands)
 
 # persistence

config/example.jsonnet

@@ -5,7 +5,7 @@
 
 // JSONNET functions
 local iptables(args) = ['ip46tables', '-w'] + args;
-// ip46tables is a minimal C program (only POSIX dependencies) present as a subdirectory.
+// ip46tables is a minimal C program (only POSIX dependencies) present in a subdirectory of this repo.
 // it permits to handle both ipv4/iptables and ipv6/ip6tables commands
 
 {
@@ -24,12 +24,6 @@ local iptables(args) = ['ip46tables', '-w'] + args;
   start: [
     // Create an iptables chain for reaction
     iptables(['-N', 'reaction']),
-    // Set its default to ACCEPT
-    iptables(['-A', 'reaction', '-j', 'ACCEPT']),
-    // Always accept 127.0.0.1
-    iptables(['-I', 'reaction', '1', '-s', '127.0.0.1', '-j', 'ACCEPT']),
-    // Always accept ::1
-    iptables(['-I', 'reaction', '1', '-s', '::1', '-j', 'ACCEPT']),
     // Insert this chain as the first item of the INPUT chain (for incoming connections)
     iptables(['-I', 'INPUT', '-p', 'all', '-j', 'reaction']),
   ],
@@ -85,7 +79,7 @@ local iptables(args) = ['ip46tables', '-w'] + args;
               // if you want reaction to run those pending commands before exiting, you can set this:
               onexit: true,
               // (defaults to false)
-              // here it is not useful because we will flush the chain containing the bans anyway
+              // here it is not useful because we will flush and delete the chain containing the bans anyway
               // (with the stop commands)
             },
           },