From 529866b2bb41586342652af19aaca7435ab28c28 Mon Sep 17 00:00:00 2001
From: oukb <5672797+oukb@users.noreply.github.com>
Date: Mon, 8 Mar 2021 19:14:28 +0300
Subject: [PATCH 1/3] nsd.conf: fix for the current log format

New nsd 4.3.5 log format:
| [2021-03-05 05:25:14.562] nsd[160800]: info: axfr for example.com. from 192.35.168.32 refused, no acl matches
| [2021-03-06 05:24:33.223] nsd[356033]: info: axfr for localhost. from 192.35.168.160 refused, no acl matches
| [2021-03-07 05:23:26.641] nsd[547893]: info: axfr for example.com. from 192.35.168.64 refused, no acl matches
| [2021-03-08 05:18:54.067] nsd[739606]: info: axfr for example.com. from 192.35.168.32 refused, no acl matches
---
 config/filter.d/nsd.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/filter.d/nsd.conf b/config/filter.d/nsd.conf
index bfd99544..9399db23 100644
--- a/config/filter.d/nsd.conf
+++ b/config/filter.d/nsd.conf
@@ -23,9 +23,9 @@ _daemon = nsd
 # Values: TEXT
 failregex = ^%(__prefix_line)sinfo: ratelimit block .* query TYPE255$
-            ^%(__prefix_line)sinfo: .* refused, no acl matches\.$
+            ^%(__prefix_line)sinfo: .* refused, no acl matches
 
 ignoreregex =
 
 datepattern = {^LN-BEG}Epoch
-              {^LN-BEG}
\ No newline at end of file
+              {^LN-BEG}

From 1215cb28ac6a79acda2699694556bc1a6cef1e45 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Sat, 3 Apr 2021 20:58:26 +0200
Subject: [PATCH 2/3] Update nsd

---
 fail2ban/tests/files/logs/nsd | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fail2ban/tests/files/logs/nsd b/fail2ban/tests/files/logs/nsd
index a33a52a9..63c162e9 100644
--- a/fail2ban/tests/files/logs/nsd
+++ b/fail2ban/tests/files/logs/nsd
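Review bot: The rewritten second failregex drops the `$` anchor together with the trailing `\.`, so `.* refused, no acl matches` no longer has to end the line and the greedy `.*` is only bounded by the last occurrence of that phrase; the host capture that presumably sits before `refused` (the `<HOST>` / `(?P<host>…)` markup appears to have been stripped in this rendering) is therefore matched less tightly than before. Since nsd 4.3.5 only lost the final dot, keeping the anchor and making the dot optional is sufficient: `^%(__prefix_line)sinfo: .* refused, no acl matches\.?$`. PATCH 3/3 in this series restores the anchor in that form, so this applies only if PATCH 1/3 is taken on its own. Separately, the sample lines in the commit message use 192.35.168.x addresses whereas the fixture added in PATCH 2/3 uses the RFC 5737 documentation range 192.0.2.0/24; the message would be better off using the same.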
@@ -2,3 +2,5 @@
 [1387288694] nsd[7745]: info: ratelimit block example.com. type any target 192.0.2.0/24 query 192.0.2.105 TYPE255
 # failJSON: { "time": "2013-12-18T07:42:15", "match": true , "host": "192.0.2.115" }
 [1387348935] nsd[23600]: info: axfr for zone domain.nl. from client 192.0.2.115 refused, no acl matches.
+# failJSON: { "time": "2021-03-05T05:25:14", "match": true , "host": "192.0.2.32", "desc": "new format, no client after from, no dot at end, gh-2965" }
+[2021-03-05 05:25:14.562] nsd[160800]: info: axfr for example.com. from 192.0.2.32 refused, no acl matches

From a838deba7f8066d50984ed24983fb90f15edfaaf Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Sat, 3 Apr 2021 21:00:14 +0200
Subject: [PATCH 3/3] restore anchor (e. g. catch all in the middle), dot is optional now, RE rewritten a bit more precise

---
 config/filter.d/nsd.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/filter.d/nsd.conf b/config/filter.d/nsd.conf
index 9399db23..0589c16c 100644
--- a/config/filter.d/nsd.conf
+++ b/config/filter.d/nsd.conf
@@ -22,8 +22,8 @@ _daemon = nsd
 # (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
-failregex = ^%(__prefix_line)sinfo: ratelimit block .* query TYPE255$
-            ^%(__prefix_line)sinfo: .* refused, no acl matches
+failregex = ^%(__prefix_line)sinfo: ratelimit block .* query TYPE255$
+            ^%(__prefix_line)sinfo: .* from(?: client)? refused, no acl matches\.?$
 
 ignoreregex =
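Review bot: The new fixture covers only the `axfr … refused, no acl matches` message in the bracketed-timestamp format; the first failregex (`ratelimit block … query … TYPE255`) is still exercised solely through the epoch-timestamp sample two lines above, so if nsd 4.3.5 also emits the ratelimit message with the new `[YYYY-MM-DD HH:MM:SS.mmm]` prefix, a sample of it would be worth adding here — I can't tell from the diff whether it does. The added failJSON asserts `"time": "2021-03-05T05:25:14"` against a stamp of `05:25:14.562`, which implicitly pins the fractional seconds being dropped by the date parser; stating that in `desc` would make the intent explicit, e.g. `"desc": "new format, no client after from, no dot at end, fractional seconds in stamp, gh-2965"`.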