From 25335268276184b5339bb066f19e178da07e3366 Mon Sep 17 00:00:00 2001
From: sebres <info@sebres.de>
Date: Sun, 9 Jun 2024 23:38:58 +0200
Subject: [PATCH] extend ipset actions with new parameter `ipsettype` for the
 type of set (gh-3760), affected actions: `action.d/firewallcmd-ipset.conf`,
 `action.d/iptables-ipset.conf`, `action.d/shorewall-ipset-proto6.conf`

---
 ChangeLog                                   | 2 ++
 config/action.d/firewallcmd-ipset.conf      | 9 +++++++--
 config/action.d/iptables-ipset.conf         | 7 ++++++-
 config/action.d/shorewall-ipset-proto6.conf | 7 ++++++-
 4 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 40d35c42..09be05be 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -22,6 +22,8 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
   - rename `ipsettype` to `ipsetbackend` (gh-2620), parameter `ipsettype` will be used now to the real set type (gh-3760)
 
 ### New Features and Enhancements
+* `action.d/*-ipset.conf`:
+  - parameter `ipsettype` to set type of ipset, e. g. hash:ip, hash:net, etc (gh-3760)
 
 
 ver. 1.1.0 (2024/04/25) - object-found--norad-59479-cospar-2024-069a--altitude-36267km
diff --git a/config/action.d/firewallcmd-ipset.conf b/config/action.d/firewallcmd-ipset.conf
index 7edfa896..ed498084 100644
--- a/config/action.d/firewallcmd-ipset.conf
+++ b/config/action.d/firewallcmd-ipset.conf
@@ -35,7 +35,7 @@ actionunban = <ipsbackend_<ipsetbackend>/actionunban>
 
 [ipsbackend_ipset]
 
-actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> maxelem <maxelem> <familyopt>
+actionstart = ipset -exist create <ipmset> <ipsettype> timeout <default-ipsettime> maxelem <maxelem> <familyopt>
 
 actionflush = ipset flush <ipmset>
 
@@ -47,7 +47,7 @@ actionunban = ipset -exist del <ipmset> <ip>
 
 [ipsbackend_firewalld]
 
-actionstart = firewall-cmd --direct --new-ipset=<ipmset> --type=hash:ip --option=timeout=<default-ipsettime> --option=maxelem=<maxelem> <firewalld_familyopt>
+actionstart = firewall-cmd --direct --new-ipset=<ipmset> --type=<ipsettype> --option=timeout=<default-ipsettime> --option=maxelem=<maxelem> <firewalld_familyopt>
 
 # TODO: there doesn't seem to be an explicit way to invoke the ipset flush function using firewall-cmd
 actionflush = 
@@ -60,6 +60,11 @@ actionunban = firewall-cmd --ipset=<ipmset> --remove-entry=<ip>
 
 [Init]
 
+# Option: ipsettype
+# Notes:  specifies type of set, see `man --pager='less -p "^SET TYPES"' ipset` for details
+# Values: hash:ip, hash:net, etc... Default: hash:ip
+ipsettype = hash:ip
+
 # Option:  chain
 # Notes    specifies the iptables chain to which the fail2ban rules should be
 #          added
diff --git a/config/action.d/iptables-ipset.conf b/config/action.d/iptables-ipset.conf
index 07f89415..89d90142 100644
--- a/config/action.d/iptables-ipset.conf
+++ b/config/action.d/iptables-ipset.conf
@@ -24,7 +24,7 @@ before = iptables.conf
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD
 #
-actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> maxelem <maxelem> <familyopt>
+actionstart = ipset -exist create <ipmset> <ipsettype> timeout <default-ipsettime> maxelem <maxelem> <familyopt>
               <_ipt_add_rules>
 
 # Option:  actionflush
@@ -66,6 +66,11 @@ rule-jump = -m set --match-set <ipmset> src -j <blocktype>
 
 [Init]
 
+# Option: ipsettype
+# Notes:  specifies type of set, see `man --pager='less -p "^SET TYPES"' ipset` for details
+# Values: hash:ip, hash:net, etc... Default: hash:ip
+ipsettype = hash:ip
+
 # Option: default-ipsettime
 # Notes:  specifies default timeout in seconds (handled default ipset timeout only)
 # Values:  [ NUM ]  Default: 0 (no timeout, managed by fail2ban by unban)
diff --git a/config/action.d/shorewall-ipset-proto6.conf b/config/action.d/shorewall-ipset-proto6.conf
index fade8107..72e3fea9 100644
--- a/config/action.d/shorewall-ipset-proto6.conf
+++ b/config/action.d/shorewall-ipset-proto6.conf
@@ -51,7 +51,7 @@
 # Values:  CMD
 #
 actionstart = if ! ipset -quiet -name list f2b-<name> >/dev/null;
-              then ipset -quiet -exist create f2b-<name> hash:ip timeout <default-ipsettime> maxelem <maxelem>;
+              then ipset -quiet -exist create f2b-<name> <ipsettype> timeout <default-ipsettime> maxelem <maxelem>;
               fi
 
 # Option:  actionstop
@@ -94,6 +94,11 @@ timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
 
 [Init]
 
+# Option: ipsettype
+# Notes:  specifies type of set, see `man --pager='less -p "^SET TYPES"' ipset` for details
+# Values: hash:ip, hash:net, etc... Default: hash:ip
+ipsettype = hash:ip
+
 # Option: maxelem
 # Notes:  maximal number of elements which can be stored in the ipset
 #         You may want to increase this for long-duration/high-volume jails