diff --git a/cdc.md b/cdc.md
index 806de88..b3cd9c4 100644
--- a/cdc.md
+++ b/cdc.md
@@ -5,19 +5,28 @@ Avec un défaut à `/etc/reaction/reactiond.conf`
 ```yaml
-actions:
- iptables:
-
+definitions:
+ - &iptablesban iptables -I reaction 1 -s -j block
+ - &iptablesunban iptables -D reaction 1 -s -j block
+
 regexes:
- IP: '(([0-9]{1,3}\.){3}[0-9]{1,3})|([0-9a-fA-F:]{2,90})'
+ ip: '(([0-9]{1,3}\.){3}[0-9]{1,3})|([0-9a-fA-F:]{2,90})'
 streams:
- nextcloud:
- cmd: journalctl -fu phpfpm-nextcloud.service
- actions:
- - regex: '"message":"Login failed: .\+ (Remote IP: \(?[0-9a-fA-F.:]\+\))"'
- # Can also be a list
- cmd: iptables -I f2b-nextcloud 1 -s -j
+ nextcloud:
+ cmd: journalctl -fu phpfpm-nextcloud.service
+ filters:
+ failed-login:
+ regex:
+ - '"message":"Login failed: .\+ (Remote IP: )"'
+ retry: 3
+ retry-period: 1h
+ actions:
+ ban:
+ cmd: *iptablesban
+ unban:
+ cmd: *iptablesunban
+ after: 1h
 ```
 reactionc: le client