mirror of https://github.com/fail2ban/fail2ban
restore timeout for ipset-based actions: on some systems an ipset created without a default timeout may cause "Kernel error received: Unknown error -1" (gh-1994);
thus a new option `default-timeout` is introduced (because of the dynamic bantime in 0.10, bantime cannot be used here).
pull/2019/merge
parent
2179db3692
commit
309a1cb337
|
@ -18,7 +18,7 @@ before = firewallcmd-common.conf
|
||||||
|
|
||||||
[Definition]
|
[Definition]
|
||||||
|
|
||||||
actionstart = ipset create <ipmset> hash:ip<familyopt>
|
actionstart = ipset create <ipmset> hash:ip timeout <default-timeout><familyopt>
|
||||||
firewall-cmd --direct --add-rule <family> filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
|
firewall-cmd --direct --add-rule <family> filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
|
||||||
|
|
||||||
actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
|
actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
|
||||||
|
@ -40,6 +40,12 @@ actionunban = ipset del <ipmset> <ip> -exist
|
||||||
#
|
#
|
||||||
chain = INPUT_direct
|
chain = INPUT_direct
|
||||||
|
|
||||||
|
# Option: default-timeout
|
||||||
|
# Notes: specifies default timeout in seconds (handled default ipset timeout only)
|
||||||
|
# Values: [ NUM ] Default: 600
|
||||||
|
|
||||||
|
default-timeout = 600
|
||||||
|
|
||||||
ipmset = f2b-<name>
|
ipmset = f2b-<name>
|
||||||
familyopt =
|
familyopt =
|
||||||
|
|
||||||
|
|
|
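Review bot: The `# Notes:` line added for the new `default-timeout` option ("handled default ipset timeout only") is hard to parse and does not say what the value 0 means, even though the test changes in this commit pass `default-timeout=0`. Suggest `# Notes: default timeout (in seconds) the set applies to entries added without an explicit timeout; 0 means such entries never expire. A timeout on the set is required so that per-entry timeouts are accepted (gh-1994).` The same comment block is added in the two iptables-ipset sections that follow and would benefit from the same wording. Whether banned entries receive their own timeout from bantime cannot be confirmed here, since actionban lies outside the hunk.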
@ -26,7 +26,7 @@ before = iptables-common.conf
|
||||||
# Notes.: command executed once at the start of Fail2Ban.
|
# Notes.: command executed once at the start of Fail2Ban.
|
||||||
# Values: CMD
|
# Values: CMD
|
||||||
#
|
#
|
||||||
actionstart = ipset create <ipmset> hash:ip<familyopt>
|
actionstart = ipset create <ipmset> hash:ip timeout <default-timeout><familyopt>
|
||||||
<iptables> -I <chain> -m set --match-set <ipmset> src -j <blocktype>
|
<iptables> -I <chain> -m set --match-set <ipmset> src -j <blocktype>
|
||||||
|
|
||||||
# Option: actionflush
|
# Option: actionflush
|
||||||
|
@ -63,6 +63,12 @@ actionunban = ipset del <ipmset> <ip> -exist
|
||||||
|
|
||||||
[Init]
|
[Init]
|
||||||
|
|
||||||
|
# Option: default-timeout
|
||||||
|
# Notes: specifies default timeout in seconds (handled default ipset timeout only)
|
||||||
|
# Values: [ NUM ] Default: 600
|
||||||
|
|
||||||
|
default-timeout = 600
|
||||||
|
|
||||||
ipmset = f2b-<name>
|
ipmset = f2b-<name>
|
||||||
familyopt =
|
familyopt =
|
||||||
|
|
||||||
|
|
|
@ -26,7 +26,7 @@ before = iptables-common.conf
|
||||||
# Notes.: command executed once at the start of Fail2Ban.
|
# Notes.: command executed once at the start of Fail2Ban.
|
||||||
# Values: CMD
|
# Values: CMD
|
||||||
#
|
#
|
||||||
actionstart = ipset create <ipmset> hash:ip<familyopt>
|
actionstart = ipset create <ipmset> hash:ip timeout <default-timeout><familyopt>
|
||||||
<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
|
<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
|
||||||
|
|
||||||
# Option: actionflush
|
# Option: actionflush
|
||||||
|
@ -63,6 +63,12 @@ actionunban = ipset del <ipmset> <ip> -exist
|
||||||
|
|
||||||
[Init]
|
[Init]
|
||||||
|
|
||||||
|
# Option: default-timeout
|
||||||
|
# Notes: specifies default timeout in seconds (handled default ipset timeout only)
|
||||||
|
# Values: [ NUM ] Default: 600
|
||||||
|
|
||||||
|
default-timeout = 600
|
||||||
|
|
||||||
ipmset = f2b-<name>
|
ipmset = f2b-<name>
|
||||||
familyopt =
|
familyopt =
|
||||||
|
|
||||||
|
|
|
@ -51,7 +51,7 @@
|
||||||
# Values: CMD
|
# Values: CMD
|
||||||
#
|
#
|
||||||
actionstart = if ! ipset -quiet -name list f2b-<name> >/dev/null;
|
actionstart = if ! ipset -quiet -name list f2b-<name> >/dev/null;
|
||||||
then ipset -quiet -exist create f2b-<name> hash:ip;
|
then ipset -quiet -exist create f2b-<name> hash:ip timeout <default-timeout>;
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Option: actionstop
|
# Option: actionstop
|
||||||
|
@ -78,3 +78,8 @@ actionprolong = %(actionban)s
|
||||||
#
|
#
|
||||||
actionunban = ipset del f2b-<name> <ip> -exist
|
actionunban = ipset del f2b-<name> <ip> -exist
|
||||||
|
|
||||||
|
# Option: default-timeout
|
||||||
|
# Notes: specifies default timeout in seconds (handled default ipset timeout only)
|
||||||
|
# Values: [ NUM ] Default: 600
|
||||||
|
|
||||||
|
default-timeout = 600
|
||||||
|
|
|
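Review bot: The new `timeout <default-timeout>` only takes effect when the set does not exist yet, because the surrounding `if ! ipset -quiet -name list f2b-<name>` guard skips the `create` otherwise; a set left over from a run of the previous version (created without `timeout`) is kept unchanged, so an `ipset add ... timeout` against it would presumably still fail as in gh-1994. Either document this in the new option block, e.g. `# Notes: applied only when the set is created; a pre-existing set without timeout support must be destroyed first (e.g. after an upgrade).`, or have actionstart check for and recreate a set that lacks a timeout. The remainder of actionstart and the actionban command lie outside the hunk.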
@ -1322,14 +1322,14 @@ class ServerConfigReaderTests(LogCaptureTestCase):
|
||||||
),
|
),
|
||||||
}),
|
}),
|
||||||
# iptables-ipset-proto6 --
|
# iptables-ipset-proto6 --
|
||||||
('j-w-iptables-ipset', 'iptables-ipset-proto6[name=%(__name__)s, bantime="10m", port="http", protocol="tcp", chain="<known/chain>"]', {
|
('j-w-iptables-ipset', 'iptables-ipset-proto6[name=%(__name__)s, bantime="10m", default-timeout=0, port="http", protocol="tcp", chain="<known/chain>"]', {
|
||||||
'ip4': (' f2b-j-w-iptables-ipset ',), 'ip6': (' f2b-j-w-iptables-ipset6 ',),
|
'ip4': (' f2b-j-w-iptables-ipset ',), 'ip6': (' f2b-j-w-iptables-ipset6 ',),
|
||||||
'ip4-start': (
|
'ip4-start': (
|
||||||
"`ipset create f2b-j-w-iptables-ipset hash:ip`",
|
"`ipset create f2b-j-w-iptables-ipset hash:ip timeout 0`",
|
||||||
"`iptables -w -I INPUT -p tcp -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable`",
|
"`iptables -w -I INPUT -p tcp -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable`",
|
||||||
),
|
),
|
||||||
'ip6-start': (
|
'ip6-start': (
|
||||||
"`ipset create f2b-j-w-iptables-ipset6 hash:ip family inet6`",
|
"`ipset create f2b-j-w-iptables-ipset6 hash:ip timeout 0 family inet6`",
|
||||||
"`ip6tables -w -I INPUT -p tcp -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`",
|
"`ip6tables -w -I INPUT -p tcp -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`",
|
||||||
),
|
),
|
||||||
'flush': (
|
'flush': (
|
||||||
|
@ -1360,14 +1360,14 @@ class ServerConfigReaderTests(LogCaptureTestCase):
|
||||||
),
|
),
|
||||||
}),
|
}),
|
||||||
# iptables-ipset-proto6-allports --
|
# iptables-ipset-proto6-allports --
|
||||||
('j-w-iptables-ipset-ap', 'iptables-ipset-proto6-allports[name=%(__name__)s, bantime="10m", chain="<known/chain>"]', {
|
('j-w-iptables-ipset-ap', 'iptables-ipset-proto6-allports[name=%(__name__)s, bantime="10m", default-timeout=0, chain="<known/chain>"]', {
|
||||||
'ip4': (' f2b-j-w-iptables-ipset-ap ',), 'ip6': (' f2b-j-w-iptables-ipset-ap6 ',),
|
'ip4': (' f2b-j-w-iptables-ipset-ap ',), 'ip6': (' f2b-j-w-iptables-ipset-ap6 ',),
|
||||||
'ip4-start': (
|
'ip4-start': (
|
||||||
"`ipset create f2b-j-w-iptables-ipset-ap hash:ip`",
|
"`ipset create f2b-j-w-iptables-ipset-ap hash:ip timeout 0`",
|
||||||
"`iptables -w -I INPUT -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`",
|
"`iptables -w -I INPUT -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`",
|
||||||
),
|
),
|
||||||
'ip6-start': (
|
'ip6-start': (
|
||||||
"`ipset create f2b-j-w-iptables-ipset-ap6 hash:ip family inet6`",
|
"`ipset create f2b-j-w-iptables-ipset-ap6 hash:ip timeout 0 family inet6`",
|
||||||
"`ip6tables -w -I INPUT -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`",
|
"`ip6tables -w -I INPUT -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`",
|
||||||
),
|
),
|
||||||
'flush': (
|
'flush': (
|
||||||
|
@ -1667,14 +1667,14 @@ class ServerConfigReaderTests(LogCaptureTestCase):
|
||||||
),
|
),
|
||||||
}),
|
}),
|
||||||
# firewallcmd-ipset --
|
# firewallcmd-ipset --
|
||||||
('j-w-fwcmd-ipset', 'firewallcmd-ipset[name=%(__name__)s, bantime="10m", port="http", protocol="tcp", chain="<known/chain>"]', {
|
('j-w-fwcmd-ipset', 'firewallcmd-ipset[name=%(__name__)s, bantime="10m", default-timeout=0, port="http", protocol="tcp", chain="<known/chain>"]', {
|
||||||
'ip4': (' f2b-j-w-fwcmd-ipset ',), 'ip6': (' f2b-j-w-fwcmd-ipset6 ',),
|
'ip4': (' f2b-j-w-fwcmd-ipset ',), 'ip6': (' f2b-j-w-fwcmd-ipset6 ',),
|
||||||
'ip4-start': (
|
'ip4-start': (
|
||||||
"`ipset create f2b-j-w-fwcmd-ipset hash:ip`",
|
"`ipset create f2b-j-w-fwcmd-ipset hash:ip timeout 0`",
|
||||||
"`firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports http -m set --match-set f2b-j-w-fwcmd-ipset src -j REJECT --reject-with icmp-port-unreachable`",
|
"`firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports http -m set --match-set f2b-j-w-fwcmd-ipset src -j REJECT --reject-with icmp-port-unreachable`",
|
||||||
),
|
),
|
||||||
'ip6-start': (
|
'ip6-start': (
|
||||||
"`ipset create f2b-j-w-fwcmd-ipset6 hash:ip family inet6`",
|
"`ipset create f2b-j-w-fwcmd-ipset6 hash:ip timeout 0 family inet6`",
|
||||||
"`firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -p tcp -m multiport --dports http -m set --match-set f2b-j-w-fwcmd-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`",
|
"`firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -p tcp -m multiport --dports http -m set --match-set f2b-j-w-fwcmd-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`",
|
||||||
),
|
),
|
||||||
'stop': (
|
'stop': (
|
||||||
|
|
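Review bot: All three updated cases override the option with `default-timeout=0`, so the expected `timeout 0` strings never exercise the `default-timeout = 600` value the action files now ship; a typo in or a dropped `[Init]` entry from one of the .conf files would go unnoticed. Consider leaving the override out of one case (or adding a fourth) and asserting `timeout 600` in its `ip4-start`/`ip6-start` expectations. The enclosing test method of `ServerConfigReaderTests` starts and ends outside the hunk.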