Merge pull request #618 from kwirk/xt_recent-tweaks

ENH: Add root user check in xt_recent, and add missing actionstop
pull/624/head
Daniel Black 2014-02-18 08:15:22 +11:00
commit 350d2dfd8e
3 changed files with 3 additions and 7 deletions

THANKS

@ -92,5 +92,6 @@ Yaroslav Halchenko
Winston Smith
ykimon
Yehuda Katz
Zbigniew Jędrzejewski-Szmek
zugeschmiert
Zurd

@ -33,13 +33,14 @@ before = iptables-blocktype.conf
# own rules. The 3600 second timeout is independent and acts as a
# safeguard in case the fail2ban process dies unexpectedly. The
# shorter of the two timeouts actually matters.
actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j <blocktype>
actionstart = if [ `id -u` -eq 0 ];then iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j <blocktype>;fi
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = echo / > /proc/net/xt_recent/fail2ban-<name>
if [ `id -u` -eq 0 ];then iptables -D INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j <blocktype>;fi
# Option: actioncheck
# Notes.: command executed once before each actionban command
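
Review bot: The uid check in the new actionstart line and in the line added under actionstop fails silently: when fail2ban is not running as uid 0 both commands skip iptables and still return success, so a non-root setup where the rule was never installed by hand gets through actionstart without any error or log line. Consider an else branch that prints a message, or at least a sentence in the comment block above actionstart saying that the rule is only inserted and deleted when running as root. Two smaller points on the same lines: the "-D INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j <blocktype>" spec must match the -I spec exactly for the delete to succeed, so the two copies have to be edited together if the timeout ever changes; and $(id -u) reads more clearly than the backtick form.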

@ -74,12 +74,6 @@ further configuration. To run not as root, further setup is necessary:
with <name> suitably replaced.
- suppress actionstart for iptables-xt_recent-echo action by creating an override file
iptables-xt_recent-echo.local to accompany iptables-xt_recent-echo.conf with
[Definition]
actionstart =
- Permissions:
make sure that configuration files under /etc/fail2ban are readable by
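
Review bot: The non-root instructions should now say that actionstart and actionstop skip their iptables commands when the uid is not 0; with the iptables-xt_recent-echo.local override item ("[Definition]" / "actionstart =") gone from this list, nothing tells the reader why no override is needed any more. One sentence in place of the removed item would also make clear that the manual setup in the preceding step (the one ending "with <name> suitably replaced") is still required before fail2ban is started as a non-root user.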