Merge branch 'amend-gh-2254' into 0.10

2019-10-18 19:06:42 +02:00 · 2019-10-18 19:06:42 +02:00 · 5e3fef1631
parent 8b850864cf 85ec605358
commit 5e3fef1631
2 changed files with 48 additions and 29 deletions
--- a/config/action.d/nftables.conf
+++ b/config/action.d/nftables.conf
@ -52,23 +52,31 @@ _nft_for_proto-allports-done =
 _nft_for_proto-multiport-iter = for proto in $(echo '<protocol>' | sed 's/,/ /g'); do
 _nft_for_proto-multiport-done = done

-_nft_list = <nftables> -a list chain <table_family> f2b-table f2b-chain
+_nft_list = <nftables> -a list chain <table_family> <table> <chain>
 _nft_get_handle_id = grep -oP '@<addr_set>\s+.*\s+\Khandle\s+(\d+)$'

-_nft_add_set = <nftables> add set <table_family> f2b-table <addr_set> \{ type <addr_type>\; \}
+_nft_add_set = <nftables> add set <table_family> <table> <addr_set> \{ type <addr_type>\; \}
              <_nft_for_proto-<type>-iter>
-              <nftables> add rule <table_family> f2b-table f2b-chain %(rule_stat)s
+              <nftables> add rule <table_family> <table> <chain> %(rule_stat)s
              <_nft_for_proto-<type>-done>
-_nft_del_set = (%(_nft_list)s | %(_nft_get_handle_id)s) | while read -r hdl; do
-               <nftables> delete rule <table_family> f2b-table f2b-chain $hdl; done
-              <nftables> delete set <table_family> f2b-table <addr_set>
+_nft_del_set = { %(_nft_list)s | %(_nft_get_handle_id)s; } | while read -r hdl; do
+               <nftables> delete rule <table_family> <table> <chain> $hdl; done
+              <nftables> delete set <table_family> <table> <addr_set>
+
+# Option:  _nft_shutdown_table
+# Notes.:  command executed after the stop in order to delete table (it checks that no sets are available):
+# Values:  CMD
+#
+_nft_shutdown_table = { <nftables> list table <table_family> <table> | grep -qP '^\s+set\s+'; } || {
+                        <nftables> delete table <table_family> <table>
+                      }

 # Option:  actionstart
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD
 #
-actionstart = <nftables> add table <table_family> f2b-table
-              <nftables> -- add chain <table_family> f2b-table f2b-chain \{ type <chain_type> hook <chain_hook> priority <chain_priority> \; \}
+actionstart = <nftables> add table <table_family> <table>
+              <nftables> -- add chain <table_family> <table> <chain> \{ type <chain_type> hook <chain_hook> priority <chain_priority> \; \}
              %(_nft_add_set)s

 # Option:  actionflush
@ -76,22 +84,23 @@ actionstart = <nftables> add table <table_family> f2b-table
 #          uses `nft flush set ...` and as fallback (e. g. unsupported) recreates the set (with references)
 # Values:  CMD
 #
-actionflush = (<nftables> flush set <table_family> f2b-table <addr_set> 2> /dev/null) || (
+actionflush = { <nftables> flush set <table_family> <table> <addr_set> 2> /dev/null; } || {
              %(_nft_del_set)s
              %(_nft_add_set)s
-              )
+              }

 # Option:  actionstop
 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
 # Values:  CMD
 #
 actionstop = %(_nft_del_set)s
+             <_nft_shutdown_table>

 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = <nftables> list chain <table_family> f2b-table f2b-chain | grep -q '@<addr_set>[ \t]'
+actioncheck = <nftables> list chain <table_family> <table> <chain> | grep -q '@<addr_set>[ \t]'

 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -99,7 +108,7 @@ actioncheck = <nftables> list chain <table_family> f2b-table f2b-chain | grep -q
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = <nftables> add element <table_family> f2b-table <addr_set> { <ip> }
+actionban = <nftables> add element <table_family> <table> <addr_set> \{ <ip> \}

 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -107,15 +116,25 @@ actionban = <nftables> add element <table_family> f2b-table <addr_set> { <ip> }
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban = <nftables> delete element <table_family> f2b-table <addr_set> { <ip> }
+actionunban = <nftables> delete element <table_family> <table> <addr_set> \{ <ip> \}

 [Init]

+# Option:  table
+# Notes.:  main table to store chain and sets (automatically created on demand)
+# Values:  STRING  Default: f2b-table
+table = f2b-table
+
 # Option:  table_family
 # Notes.:  address family to work in
 # Values:  [ip | ip6 | inet]  Default: inet
 table_family = inet

+# Option:  chain
+# Notes.:  main chain to store rules
+# Values:  STRING  Default: f2b-chain
+chain = f2b-chain
+
 # Option:  chain_type
 # Notes.:  refers to the kind of chain to be created
 # Values:  [filter | route | nat]  Default: filter
--- a/fail2ban/tests/servertestcase.py
+++ b/fail2ban/tests/servertestcase.py
@ -1275,14 +1275,14 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 					r"`nft add rule inet f2b-table f2b-chain $proto dport \{ http,https \} ip6 saddr @addr6-set-j-w-nft-mp reject`",
 				),
 				'flush': (
-					"`(nft flush set inet f2b-table addr-set-j-w-nft-mp 2> /dev/null) || ",
-					"`(nft flush set inet f2b-table addr6-set-j-w-nft-mp 2> /dev/null) || ",
+					"`{ nft flush set inet f2b-table addr-set-j-w-nft-mp 2> /dev/null; } || ",
+					"`{ nft flush set inet f2b-table addr6-set-j-w-nft-mp 2> /dev/null; } || ",
 				),
 				'stop': (
-					"`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
+					"`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`",
 					"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
 					"`nft delete set inet f2b-table addr-set-j-w-nft-mp`",
-					"`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
+					"`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`",
 					"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
 					"`nft delete set inet f2b-table addr6-set-j-w-nft-mp`",
 				),
@ -1293,16 +1293,16 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 					r"`nft list chain inet f2b-table f2b-chain | grep -q '@addr6-set-j-w-nft-mp[ \t]'`",
 				),
 				'ip4-ban': (
-					r"`nft add element inet f2b-table addr-set-j-w-nft-mp { 192.0.2.1 }`",
+					r"`nft add element inet f2b-table addr-set-j-w-nft-mp \{ 192.0.2.1 \}`",
 				),
 				'ip4-unban': (
-					r"`nft delete element inet f2b-table addr-set-j-w-nft-mp { 192.0.2.1 }`",
+					r"`nft delete element inet f2b-table addr-set-j-w-nft-mp \{ 192.0.2.1 \}`",
 				),
 				'ip6-ban': (
-					r"`nft add element inet f2b-table addr6-set-j-w-nft-mp { 2001:db8:: }`",
+					r"`nft add element inet f2b-table addr6-set-j-w-nft-mp \{ 2001:db8:: \}`",
 				),
 				'ip6-unban': (
-					r"`nft delete element inet f2b-table addr6-set-j-w-nft-mp { 2001:db8:: }`",
+					r"`nft delete element inet f2b-table addr6-set-j-w-nft-mp \{ 2001:db8:: \}`",
 				),					
 			}),
 			# nft-allports --
@ -1321,14 +1321,14 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 					r"`nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp,udp \} ip6 saddr @addr6-set-j-w-nft-ap reject`",
 				),
 				'flush': (
-					"`(nft flush set inet f2b-table addr-set-j-w-nft-ap 2> /dev/null) || ",
-					"`(nft flush set inet f2b-table addr6-set-j-w-nft-ap 2> /dev/null) || ",
+					"`{ nft flush set inet f2b-table addr-set-j-w-nft-ap 2> /dev/null; } || ",
+					"`{ nft flush set inet f2b-table addr6-set-j-w-nft-ap 2> /dev/null; } || ",
 				),
 				'stop': (
-					"`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
+					"`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`",
 					"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
 					"`nft delete set inet f2b-table addr-set-j-w-nft-ap`",
-					"`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
+					"`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`",
 					"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
 					"`nft delete set inet f2b-table addr6-set-j-w-nft-ap`",
 				),
@ -1339,16 +1339,16 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 					r"""`nft list chain inet f2b-table f2b-chain | grep -q '@addr6-set-j-w-nft-ap[ \t]'`""",
 				),
 				'ip4-ban': (
-					r"`nft add element inet f2b-table addr-set-j-w-nft-ap { 192.0.2.1 }`",
+					r"`nft add element inet f2b-table addr-set-j-w-nft-ap \{ 192.0.2.1 \}`",
 				),
 				'ip4-unban': (
-					r"`nft delete element inet f2b-table addr-set-j-w-nft-ap { 192.0.2.1 }`",
+					r"`nft delete element inet f2b-table addr-set-j-w-nft-ap \{ 192.0.2.1 \}`",
 				),
 				'ip6-ban': (
-					r"`nft add element inet f2b-table addr6-set-j-w-nft-ap { 2001:db8:: }`",
+					r"`nft add element inet f2b-table addr6-set-j-w-nft-ap \{ 2001:db8:: \}`",
 				),
 				'ip6-unban': (
-					r"`nft delete element inet f2b-table addr6-set-j-w-nft-ap { 2001:db8:: }`",
+					r"`nft delete element inet f2b-table addr6-set-j-w-nft-ap \{ 2001:db8:: \}`",
 				),					
 			}),
 			# dummy --