From 55d7440fe1fb742779463b14fea6c045d5f62720 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Sun, 15 Jan 2006 20:18:39 +0000 Subject: [PATCH] decided to use "interpolations" in the config file to make it more readable --- config/fail2ban.conf.default | 170 ++++++++++++++++------------------- confreader/configreader.py | 2 + debian/README.Debian | 15 +++- debian/changelog | 6 ++ 4 files changed, 99 insertions(+), 94 deletions(-) diff --git a/config/fail2ban.conf.default b/config/fail2ban.conf.default index 9b7592f9..19093717 100644 --- a/config/fail2ban.conf.default +++ b/config/fail2ban.conf.default @@ -76,20 +76,20 @@ findtime = 600 # Example: ignoreip = 192.168.0.1/24 123.45.235.65 # Values: IP Default: # -ignoreip = +ignoreip = # Option: cmdstart # Notes.: command executed once at the start of Fail2Ban # Values: CMD Default: # -cmdstart = +cmdstart = # Option: cmdend # Notes.: command executed once at the end of Fail2Ban. # Values: CMD Default: # -cmdend = +cmdend = # Option: polltime # Notes.: number of seconds fail2ban sleeps between iterations. 
@@ -111,6 +111,68 @@ reinittime = 10
 #
 maxreinits = -1
 
+#
+# NOTE: Interpolations
+#
+# fwstart, as well as fwend, fwcheck, fwban, fwunban, ise interpolations
+# so %(__name__)s will be substituted by a name of each section
+# (unless the option is overriden in a section).
+# If you are going to use interpolations in your setup, please make
+# sure that you specified options port and protocol (which also has
+# an option in DEFAULT)
+#
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option: fwstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD Default:
+#
+fwstart = iptables -N fail2ban-%(__name__)s
+ iptables -A fail2ban-%(__name__)s -j RETURN
+ iptables -I INPUT -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
+
+# Option: fwend
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD Default:
+#
+fwend = iptables -D INPUT -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
+ iptables -F fail2ban-%(__name__)s
+ iptables -X fail2ban-%(__name__)s
+
+# Option: fwcheck
+# Notes.: command executed once before each fwban command
+# Values: CMD Default:
+#
+fwcheck = iptables -L INPUT | grep -q fail2ban-%(__name__)s
+
+# Option: fwban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: IP address
+# number of failures
+# unix timestamp of the last failure
+# unix timestamp of the ban time
+# Values: CMD
+# Default: iptables -I INPUT 1 -s -j DROP
+#
+fwban = iptables -I fail2ban-%(__name__)s 1 -s -j DROP
+
+# Option: fwunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: IP address
+# unix timestamp of the ban time
+# unix timestamp of the unban time
+# Values: CMD
+# Default: iptables -D INPUT -s -j DROP
+#
+fwunban = iptables -D fail2ban-%(__name__)s -s -j DROP
+
 [MAIL]
 
 # Option: enabled
@@ -188,57 +250,18 @@ message = Hi,
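Review bot: The DEFAULT `fwstart`/`fwend` templates hard-code `--dport %(port)s`, yet the new `protocol` option documents `icmp` and `all` as valid values; iptables does not accept `--dport` for those protocols, so a section that sets `protocol = icmp` would fail when `fwstart` runs rather than at config load. Either narrow the documented values to what the template supports, `# Values: [ tcp | udp ] Default: tcp`, or state in the NOTE that a section using another protocol must override `fwstart` and `fwend` itself. `port` gets no DEFAULT entry, so a section that omits it presumably fails with an interpolation error at read time; the NOTE should say so explicitly, since the apache and ssh sections in the next two hunks now depend on it. In the NOTE, `ise interpolations` and `overriden` read as `use interpolations` and `overridden`.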
 #
 enabled = false
 
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ] Default:
+#
+port = http
+
 # Option: logfile
 # Notes.: logfile to monitor.
 # Values: FILE Default: /var/log/apache/access.log
 #
 logfile = /var/log/apache/access.log
 
-# Option: fwstart
-# Notes.: command executed once at the start of Fail2Ban
-# Values: CMD Default:
-#
-fwstart = iptables -N fail2ban-http
- iptables -A fail2ban-http -j RETURN
- iptables -I INPUT -p tcp --dport http -j fail2ban-http
-
-# Option: fwend
-# Notes.: command executed once at the end of Fail2Ban
-# Values: CMD Default:
-#
-fwend = iptables -D INPUT -p tcp --dport http -j fail2ban-http
- iptables -F fail2ban-http
- iptables -X fail2ban-http
-
-# Option: fwcheck
-# Notes.: command executed once before each fwban command
-# Values: CMD Default:
-#
-fwcheck = iptables -L INPUT | grep -q fail2ban-http
-
-# Option: fwban
-# Notes.: command executed when banning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: IP address
-# number of failures
-# unix timestamp of the last failure
-# unix timestamp of the ban time
-# Values: CMD
-# Default: iptables -I INPUT 1 -s -j DROP
-#
-fwban = iptables -I fail2ban-http 1 -s -j DROP
-
-# Option: fwunban
-# Notes.: command executed when unbanning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: IP address
-# unix timestamp of the ban time
-# unix timestamp of the unban time
-# Values: CMD
-# Default: iptables -D INPUT -s -j DROP
-#
-fwunban = iptables -D fail2ban-http -s -j DROP
-
 # Option: timeregex
 # Notes.: regex to match timestamp in Apache logfile.
 # Values: [Wed Jan 05 15:08:01 2005]
@@ -267,57 +290,18 @@ failregex = [[]client (?P\S*)[]] user .*(?:: authentication failure|not fo
 #
 enabled = true
 
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ] Default:
+#
+port = ssh
+
 # Option: logfile
 # Notes.: logfile to monitor.
 # Values: FILE Default: /var/log/auth.log
 #
 logfile = /var/log/auth.log
 
-# Option: fwstart
-# Notes.: command executed once at the start of Fail2Ban
-# Values: CMD Default:
-#
-fwstart = iptables -N fail2ban-ssh
- iptables -A fail2ban-ssh -j RETURN
- iptables -I INPUT -p tcp --dport ssh -j fail2ban-ssh
-
-# Option: fwend
-# Notes.: command executed once at the end of Fail2Ban
-# Values: CMD Default:
-#
-fwend = iptables -D INPUT -p tcp --dport ssh -j fail2ban-ssh
- iptables -F fail2ban-ssh
- iptables -X fail2ban-ssh
-
-# Option: fwcheck
-# Notes.: command executed once before each fwban command
-# Values: CMD Default:
-#
-fwcheck = iptables -L INPUT | grep -q fail2ban-ssh
-
-# Option: fwbanrule
-# Notes.: command executed when banning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: IP address
-# number of failures
-# unix timestamp of the last failure
-# unix timestamp of the ban time
-# Values: CMD
-# Default: iptables -I INPUT 1 -s -j DROP
-#
-fwban = iptables -I fail2ban-ssh 1 -s -j DROP
-
-# Option: fwunbanrule
-# Notes.: command executed when unbanning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: IP address
-# unix timestamp of the ban time
-# unix timestamp of the unban time
-# Values: CMD
-# Default: iptables -D INPUT -s -j DROP
-#
-fwunban = iptables -D fail2ban-ssh -s -j DROP
-
 # Option: timeregex
 # Notes.: regex to match timestamp in SSH logfile.
 # Values: [Mar 7 17:53:28]
diff --git a/confreader/configreader.py b/confreader/configreader.py
index 47691154..a32292a3 100644
--- a/confreader/configreader.py
+++ b/confreader/configreader.py
@@ -80,6 +80,8 @@ class ConfigReader: v = self.configParser.get(sec, option[1]) values[option[1]] = v + logSys.debug("%s: Accepted value %s=%s"%( + sec, option[1], `v`)) except NoOptionError: logSys.warn("No '" + option[1] + "' defined in '" + sec + "'. Using default one: '" + `option[2]` + "'") diff --git a/debian/README.Debian b/debian/README.Debian index 2d620fef..9f0a0886 100644 --- a/debian/README.Debian +++ b/debian/README.Debian @@ -34,6 +34,19 @@ just a single group (?P...) [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330827 +"Interpolations" in the config file: + +Since version 0.6.0-3 to reduce duplication, thus to improve +readability of the config file, interpolations provided by the module +ConfigParser are used. If you had custom sections defined before, you +might benefit from updating config file and adding appropriate +information for the new sections. + +N.B. If you have some nice additional sections defined, I would really +appreciate if you share them with me, so they could be eventually +included in the fail2ban package for general use by the rest of the +community. + Mailing: As it was reported (bug #329722) you might need to provide a full @@ -60,4 +73,4 @@ had enough of failed logins within "findtime" will be banned for "bantime" since [re]start moment, not since the last failed login time. - -- Yaroslav O. Halchenko , Sun Nov 20 21:44:56 2005 + -- Yaroslav O. Halchenko , Sun Jan 15 15:18:13 2006 diff --git a/debian/changelog b/debian/changelog index 8ae87dbe..e488d9d1 100644 --- a/debian/changelog +++ b/debian/changelog 
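Review bot: The added `logSys.debug` line echoes every accepted option value verbatim, so if any section ever carries a sensitive value (mail relay settings would be the obvious case) it is written to the log whenever verbose=2 is on; either document that verbose=2 prints the full configuration or skip the value for option names known to be sensitive. As a point of style, the message is built eagerly with `%` and the backtick repr form, while the logging call can defer formatting: `logSys.debug("%s: Accepted value %s=%r", sec, option[1], v)`. The enclosing method starts and ends outside the hunk.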
@@ -1,6 +1,12 @@
 fail2ban (0.6.0-3) unstable; urgency=low
 
  * ignoreip is now empty by default (closes: #347766)
+ * increased verbosity in verbose=2 mode: now prints options accepted
+ from the config file
+ * to make fail2ban.conf more compact, thus to improve its readability,
+ fail2ban.conf was converted to use "interpolations" provided by
+ ConfigParser class. fw{start,end,{,un}ban} options were moved into
+ DEFAULT section and required options (port, protocol) were added
 
  -- Yaroslav Halchenko Thu, 12 Jan 2006 18:32:14 -0500