From 8726c9fb0ab3cfd2289718d2092d2c5da81ac726 Mon Sep 17 00:00:00 2001
From: sebres
Date: Tue, 17 Oct 2017 13:46:29 +0200
Subject: [PATCH 1/2] pf.conf: enclose ports in braces, multiple ports expecting this syntax `... any port {http, https}`. Note this would be backwards-incompatible change (for the people already enclosing multiports in braces in jail.local). closes gh-1915
---
 config/action.d/pf.conf | 2 +-
 fail2ban/tests/servertestcase.py | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/config/action.d/pf.conf b/config/action.d/pf.conf
index a4bd83e0..ea3b9995 100644
--- a/config/action.d/pf.conf
+++ b/config/action.d/pf.conf
@@ -110,5 +110,5 @@ allports = any
 # Option: multiport
 # Notes.: addition to block access only to specific ports
 # Usage.: use in jail config: "banaction = pf[actiontype=]"
-multiport = any port
+multiport = any port {}
diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py
index 1d963d0c..270501e3 100644
--- a/fail2ban/tests/servertestcase.py
+++ b/fail2ban/tests/servertestcase.py
@@ -1503,7 +1503,7 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 'ip4': (), 'ip6': (),
 'start': (
 '`echo "table persist counters" | pfctl -a f2b/j-w-pf -f-`',
-'`echo "block quick proto tcp from to any port " | pfctl -a f2b/j-w-pf -f-`',
+'`echo "block quick proto tcp from to any port {}" | pfctl -a f2b/j-w-pf -f-`',
 ),
 'stop': (
 '`pfctl -a f2b/j-w-pf -sr 2>/dev/null | grep -v f2b-j-w-pf | pfctl -a f2b/j-w-pf -f-`',
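Review bot: The `# Notes.:` comment kept as context above the changed `multiport` value does not say that the action now supplies the braces, although the commit message warns that jails already wrapping their port list in `{ }` in jail.local will break. Suggest extending it to `# Notes.: addition to block access only to specific ports; the braces are added here, so pass the bare list, e.g. port="http,https"`. If pfctl rejects a rule with doubled braces, the `block quick` rule from `start` never loads while the `-T add` table commands still succeed, so an address can be "banned" into a table that no rule references — a silent fail-open that the comment or the ChangeLog note should name explicitly.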
@@ -1517,12 +1517,12 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 'ip6-ban': ("`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T add 2001:db8::`",),
 'ip6-unban': ("`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T delete 2001:db8::`",),
 }),
-# pf multiport with custom port --
-('j-w-pf-mp', 'pf[actiontype=][name=%(__name__)s, port=http]', {
+# pf multiport with custom ports --
+('j-w-pf-mp', 'pf[actiontype=][name=%(__name__)s, port="http,https"]', {
 'ip4': (), 'ip6': (),
 'start': (
 '`echo "table persist counters" | pfctl -a f2b/j-w-pf-mp -f-`',
-'`echo "block quick proto tcp from to any port http" | pfctl -a f2b/j-w-pf-mp -f-`',
+'`echo "block quick proto tcp from to any port {http,https}" | pfctl -a f2b/j-w-pf-mp -f-`',
 ),
 'stop': (
 '`pfctl -a f2b/j-w-pf-mp -sr 2>/dev/null | grep -v f2b-j-w-pf-mp | pfctl -a f2b/j-w-pf-mp -f-`',
From 3c4910a3e219a7d77d8bb99b1987bc78e12898e3 Mon Sep 17 00:00:00 2001
From: sebres
Date: Tue, 17 Oct 2017 16:06:39 +0200
Subject: [PATCH 2/2] ChangeLog entry + note for possible incompatibility.
---
 ChangeLog | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 7c9319a0..4e3560b7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -34,7 +34,14 @@ Incompatibility list (compared to v.0.9):
 ver. 0.10.2-dev-1 (2017/??/??) - development edition
 -----------
+### Incompatibility list:
+* The configuration for multiport jails using banaction `pf` can be incompatible after upgrade, if
+ ports are enclosed in curly braces `{ }` in the `jail.local` etc. This may cause a double-brackets now.
+
 ### Fixes
+* action.d/pf.conf:
+ - fixed syntax error in achnor definition (documentation, see gh-1919);
+ - enclose ports in braces for multiport jails (see gh-1925);
 ### New Features
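Review bot: Changing the `j-w-pf-mp` case from `port=http` to `port="http,https"` drops the only single-port expectation for the pf multiport action, so the one-port path (`any port {http}`) is no longer covered; keep the old tuple and add the two-port variant as a second entry, e.g. `('j-w-pf-mp2', 'pf[actiontype=][name=%(__name__)s, port="http,https"]', {`. The incompatibility the commit message describes — a jail that already passes its ports wrapped in `{ }` — is likewise untested; an expectation pinning what the action emits in that case would document whether doubled braces are tolerated or rejected. The surrounding test table begins and ends outside this hunk.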