Merge pull request #487 from grooverdan/firewall-cmd

BF: fix actioncheck in firewallcmd
2013-12-15 15:13:29 -08:00 · 2013-12-15 15:13:29 -08:00 · 00ad239e2e
parent d402701b9f a398c51d6c
commit 00ad239e2e
3 changed files with 27 additions and 5 deletions
--- a/1
+++ b/1
@ -26,6 +26,7 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better
    settings. Closes gh-458, Debian bug #697333, Redhat bug #891798.
  - complain action - ensure where not matching other IPs in log sample.
    Closes gh-467
+  - Fix firewall-cmd actioncheck - patch from Adam Tkac. Redhat Bug #979622

 - Enhancements:
  - long names on jails documented based on iptables limit of 30 less
--- a/1
+++ b/1
@ -6,6 +6,7 @@ the project.  If you have been left off, please let us know
 (preferably send a pull request on github with the "fix") and you will
 be added

+Adam Tkac
 Adrien Clerc
 ache
 ag4ve (Shawn)
--- a/config/action.d/firewallcmd-new.conf
+++ b/config/action.d/firewallcmd-new.conf
@ -1,9 +1,5 @@
 # Fail2Ban configuration file
 #
-# Author: Edgar Hoch
-# Copied from iptables-new.conf and modified for use with firewalld by Edgar Hoch.
-#  It uses "firewall-cmd" instead of "iptables".
-#
 # Because of the --remove-rules in stop this action requires firewalld-0.3.8+

 [INCLUDES]
@ -20,7 +16,7 @@ actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -m state
             firewall-cmd --direct --remove-rules ipv4 filter fail2ban-<name>
             firewall-cmd --direct --remove-chain ipv4 filter fail2ban-<name>

-actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q 'fail2ban-<name>[ \t]'
+actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q '^fail2ban-<name>$'

 actionban = firewall-cmd --direct --add-rule ipv4 filter fail2ban-<name> 0 -s <ip> -j <blocktype>

@ -50,3 +46,27 @@ protocol = tcp
 # Values:  [ STRING ]
 #
 chain = INPUT_direct
+
+# DEV NOTES:
+#
+# Author: Edgar Hoch
+# Copied from iptables-new.conf and modified for use with firewalld by Edgar Hoch.
+#  It uses "firewall-cmd" instead of "iptables".
+#
+# Output:
+# 
+# $ firewall-cmd --direct --add-chain ipv4 filter fail2ban-name
+# success
+# $ firewall-cmd --direct --add-rule ipv4 filter fail2ban-name 1000 -j RETURN
+# success
+# $ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -m state --state NEW -p tcp --dport 22 -j fail2ban-name
+# success
+# $ firewall-cmd --direct --get-chains ipv4 filter
+# fail2ban-name
+# $ firewall-cmd --direct --get-chains ipv4 filter  | od -h
+# 0000000 6166 6c69 6232 6e61 6e2d 6d61 0a65
+# $ firewall-cmd --direct --get-chains ipv4 filter | grep -Eq 'fail2ban-name( |$)' ; echo $?
+# 0
+# $ firewall-cmd -V
+# 0.3.8
+