diff --git a/ChangeLog b/ChangeLog index 265ec368..81834eea 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,7 +15,7 @@ Incompatibility list (compared to v.0.9): rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)` (or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings). - Of course you can always your own capture-group (like below `_cond_ip_`) to do this. + Of course you can always define your own capture-group (like below `_cond_ip_`) to do this. ``` testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1" fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_>): bad host (?P=_cond_ip_)$" @@ -35,8 +35,9 @@ ver. 0.11.0-dev-0 (2017/??/??) - development nightly edition ----------- ### Incompatibility list: -* The configuration for multiport jails using banaction `pf` can be incompatible after upgrade, if - ports are enclosed in curly braces `{ }` in the `jail.local` etc. This may cause a double-brackets now. +* The configuration for jails using banaction `pf` can be incompatible after upgrade, because pf-action uses + anchors now (see `action.d/pf.conf` for more information). If you want use obsolete handling without anchors, + just rewrite it in the `jail.local` by overwrite of `pfctl` parameter, e. g. like `banaction = pf[pfctl="pfctl"]`. ### Fixes * Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid diff --git a/config/action.d/pf.conf b/config/action.d/pf.conf index b3a33cf2..905312c3 100644 --- a/config/action.d/pf.conf +++ b/config/action.d/pf.conf @@ -26,7 +26,8 @@ # } # to your main pf ruleset, where "namei" are the names of the jails # which invoke this action -actionstart = echo "table <-> persist counters" | -f- +actionstart = echo "table <-> persist counters" | -f- + port=""; if [ "$port" != "" ] && case "$port" in \{*) false;; esac; then port="{$port}"; fi echo " proto from <-> to " | -f- # Option: start_on_demand - to start action on demand @@ -119,5 +120,5 @@ allports = any # Option: multiport # Notes.: addition to block access only to specific ports # Usage.: use in jail config: "banaction = pf[actiontype=]" -multiport = any port {} +multiport = any port $port diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py index aab62fde..d1bd3d87 100644 --- a/fail2ban/tests/servertestcase.py +++ b/fail2ban/tests/servertestcase.py @@ -1524,7 +1524,8 @@ class ServerConfigReaderTests(LogCaptureTestCase): 'ip4': (), 'ip6': (), 'start': ( '`echo "table persist counters" | pfctl -a f2b/j-w-pf -f-`', - '`echo "block quick proto tcp from to any port {}" | pfctl -a f2b/j-w-pf -f-`', + 'port=""', + '`echo "block quick proto tcp from to any port $port" | pfctl -a f2b/j-w-pf -f-`', ), 'flush': ( '`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T flush`', @@ -1546,7 +1547,8 @@ class ServerConfigReaderTests(LogCaptureTestCase): 'ip4': (), 'ip6': (), 'start': ( '`echo "table persist counters" | pfctl -a f2b/j-w-pf-mp -f-`', - '`echo "block quick proto tcp from to any port {http,https}" | pfctl -a f2b/j-w-pf-mp -f-`', + 'port="http,https"', + '`echo "block quick proto tcp from to any port $port" | pfctl -a f2b/j-w-pf-mp -f-`', ), 'flush': ( '`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T flush`',