From f69e28adfc754f74ca87a104031d949c201013c7 Mon Sep 17 00:00:00 2001 From: sebres Date: Thu, 18 Jan 2018 14:05:22 +0100 Subject: [PATCH 1/2] action.d/pf.conf: compatibility fix - recognizes that parameter `port` specified as empty, with or without braces (should be more backwards compatible to 0.9 now). --- config/action.d/pf.conf | 5 +++-- fail2ban/tests/servertestcase.py | 6 ++++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/config/action.d/pf.conf b/config/action.d/pf.conf index b3a33cf2..905312c3 100644 --- a/config/action.d/pf.conf +++ b/config/action.d/pf.conf @@ -26,7 +26,8 @@ # } # to your main pf ruleset, where "namei" are the names of the jails # which invoke this action -actionstart = echo "table <-> persist counters" | -f- +actionstart = echo "table <-> persist counters" | -f- + port=""; if [ "$port" != "" ] && case "$port" in \{*) false;; esac; then port="{$port}"; fi echo " proto from <-> to " | -f- # Option: start_on_demand - to start action on demand @@ -119,5 +120,5 @@ allports = any # Option: multiport # Notes.: addition to block access only to specific ports # Usage.: use in jail config: "banaction = pf[actiontype=]" -multiport = any port {} +multiport = any port $port diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py index a5e93d2d..8485aa74 100644 --- a/fail2ban/tests/servertestcase.py +++ b/fail2ban/tests/servertestcase.py @@ -1503,7 +1503,8 @@ class ServerConfigReaderTests(LogCaptureTestCase): 'ip4': (), 'ip6': (), 'start': ( '`echo "table persist counters" | pfctl -a f2b/j-w-pf -f-`', - '`echo "block quick proto tcp from to any port {}" | pfctl -a f2b/j-w-pf -f-`', + 'port=""', + '`echo "block quick proto tcp from to any port $port" | pfctl -a f2b/j-w-pf -f-`', ), 'flush': ( '`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T flush`', @@ -1525,7 +1526,8 @@ class ServerConfigReaderTests(LogCaptureTestCase): 'ip4': (), 'ip6': (), 'start': ( '`echo "table persist counters" | pfctl -a f2b/j-w-pf-mp -f-`', - '`echo "block quick proto tcp from to any port {http,https}" | pfctl -a f2b/j-w-pf-mp -f-`', + 'port="http,https"', + '`echo "block quick proto tcp from to any port $port" | pfctl -a f2b/j-w-pf-mp -f-`', ), 'flush': ( '`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T flush`', From 81b61fe30c062332febc4966ed54cf4f1b226437 Mon Sep 17 00:00:00 2001 From: sebres Date: Thu, 18 Jan 2018 14:19:55 +0100 Subject: [PATCH 2/2] ChangeLog update --- ChangeLog | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6052b0f1..a2fb8390 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,7 +15,7 @@ Incompatibility list (compared to v.0.9): rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)` (or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings). - Of course you can always your own capture-group (like below `_cond_ip_`) to do this. + Of course you can always define your own capture-group (like below `_cond_ip_`) to do this. ``` testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1" fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_>): bad host (?P=_cond_ip_)$" @@ -35,8 +35,9 @@ ver. 0.10.2-dev-1 (2017/??/??) - development edition ----------- ### Incompatibility list: -* The configuration for multiport jails using banaction `pf` can be incompatible after upgrade, if - ports are enclosed in curly braces `{ }` in the `jail.local` etc. This may cause a double-brackets now. +* The configuration for jails using banaction `pf` can be incompatible after upgrade, because pf-action uses + anchors now (see `action.d/pf.conf` for more information). If you want use obsolete handling without anchors, + just rewrite it in the `jail.local` by overwrite of `pfctl` parameter, e. g. like `banaction = pf[pfctl="pfctl"]`. ### Fixes * Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid