github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge remote-tracking branch 'sebres:0.10' into 0.10; closes gh-2763 

action.d/nftables.conf (type=multiport only): fixed port range selector (replacing `:` with `-`)
pull/2814/head
sebres 2020-08-04 13:46:45 +02:00
parent ea35f2ad75 309c8dddd7
commit 62a6771b33
3 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ChangeLog
View File

@ -48,6 +48,7 @@ ver. 0.10.6-dev (20??/??/??) - development edition
between ipset and fail2ban (removal from ipset will be managed by fail2ban only, gh-2703) between ipset and fail2ban (removal from ipset will be managed by fail2ban only, gh-2703)
* `action.d/cloudflare.conf`: fixed `actionunban` (considering new-line chars and optionally real json-parsing * `action.d/cloudflare.conf`: fixed `actionunban` (considering new-line chars and optionally real json-parsing
with `jq`, gh-2140, gh-2656) with `jq`, gh-2140, gh-2656)
* `action.d/nftables.conf` (type=multiport only): fixed port range selector, replacing `:` with `-` (gh-2763)
* `filter.d/common.conf`: avoid substitute of default values in related `lt_*` section, `__prefix_line` * `filter.d/common.conf`: avoid substitute of default values in related `lt_*` section, `__prefix_line`
should be interpolated in definition section (inside the filter-config, gh-2650) should be interpolated in definition section (inside the filter-config, gh-2650)
* `filter.d/courier-smtp.conf`: prefregex extended to consider port in log-message (gh-2697) * `filter.d/courier-smtp.conf`: prefregex extended to consider port in log-message (gh-2697)

2
config/action.d/nftables.conf
View File

@ -34,7 +34,7 @@ type = multiport
rule_match-custom = rule_match-custom =
rule_match-allports = meta l4proto \{ <protocol> \} rule_match-allports = meta l4proto \{ <protocol> \}
rule_match-multiport = $proto dport \{ <port> \} rule_match-multiport = $proto dport \{ $(echo '<port>' | sed s/:/-/g) \}
match = <rule_match-<type>> match = <rule_match-<type>>
# Option: rule_stat # Option: rule_stat

4
fail2ban/tests/servertestcase.py
View File

@ -1296,11 +1296,11 @@ class ServerConfigReaderTests(LogCaptureTestCase):
), ),
'ip4-start': ( 'ip4-start': (
r"`nft add set inet f2b-table addr-set-j-w-nft-mp \{ type ipv4_addr\; \}`", r"`nft add set inet f2b-table addr-set-j-w-nft-mp \{ type ipv4_addr\; \}`",
r"`nft add rule inet f2b-table f2b-chain $proto dport \{ http,https \} ip saddr @addr-set-j-w-nft-mp reject`", r"`nft add rule inet f2b-table f2b-chain $proto dport \{ $(echo 'http,https' | sed s/:/-/g) \} ip saddr @addr-set-j-w-nft-mp reject`",
), ),
'ip6-start': ( 'ip6-start': (
r"`nft add set inet f2b-table addr6-set-j-w-nft-mp \{ type ipv6_addr\; \}`", r"`nft add set inet f2b-table addr6-set-j-w-nft-mp \{ type ipv6_addr\; \}`",
r"`nft add rule inet f2b-table f2b-chain $proto dport \{ http,https \} ip6 saddr @addr6-set-j-w-nft-mp reject`", r"`nft add rule inet f2b-table f2b-chain $proto dport \{ $(echo 'http,https' | sed s/:/-/g) \} ip6 saddr @addr6-set-j-w-nft-mp reject`",
), ),
'flush': ( 'flush': (
"`{ nft flush set inet f2b-table addr-set-j-w-nft-mp 2> /dev/null; } || ", "`{ nft flush set inet f2b-table addr-set-j-w-nft-mp 2> /dev/null; } || ",