From 77f80e8c3f02d7a9e33c5597d292b2692f5c431f Mon Sep 17 00:00:00 2001 From: nodiscc Date: Wed, 23 Aug 2023 12:08:03 +0200 Subject: [PATCH] action.d/*ipset*: make maxelem ipset option configurable through banaction arguments - previously there was no way to override this value and ipsets would stop being updated when full (Hash is full, cannot add more elements) - preserve ipset's default value of 65536 - update tests - Closes #3549 --- ChangeLog | 1 + config/action.d/firewallcmd-ipset.conf | 10 ++++++++-- config/action.d/iptables-ipset-proto4.conf | 10 +++++++++- config/action.d/iptables-ipset.conf | 8 +++++++- config/action.d/shorewall-ipset-proto6.conf | 10 +++++++++- fail2ban/tests/servertestcase.py | 16 ++++++++-------- 6 files changed, 42 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index f41eb156..14ff4516 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,7 @@ ver. 1.0.3-dev-1 (20??/??/??) - development nightly edition ### Fixes * circumvent SEGFAULT in a python's socket module by getaddrinfo with disabled IPv6 (gh-3438) * `action.d/cloudflare-token.conf` - fixes gh-3479, url-encode args by unban +* `action.d/*ipset*`: make `maxelem` ipset option configurable through banaction arguments ### New Features and Enhancements * better auto-detection for IPv6 support (`allowipv6 = auto` by default), trying to check sysctl net.ipv6.conf.all.disable_ipv6 diff --git a/config/action.d/firewallcmd-ipset.conf b/config/action.d/firewallcmd-ipset.conf index c36ba694..15d22f9e 100644 --- a/config/action.d/firewallcmd-ipset.conf +++ b/config/action.d/firewallcmd-ipset.conf @@ -35,7 +35,7 @@ actionunban = /actionunban> [ipstype_ipset] -actionstart = ipset -exist create hash:ip timeout +actionstart = ipset -exist create hash:ip timeout maxelem actionflush = ipset flush 
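Review bot: A changed `maxelem` will not reach a set that already exists, because the new `[ipstype_ipset]` actionstart still uses `ipset -exist create`, which tolerates an existing set and leaves its parameters as they were; on such a set the "Hash is full" failures this patch is meant to cure would persist until the set is destroyed and recreated. That is worth stating next to the option so operators do not raise the value, reload, and assume the set has grown: `# Note: applies only when the set is created; an existing set (e.g. one left over from a previous run) keeps its original maxelem until it is destroyed`. The `[ipstype_firewalld]` variant in the next hunk presumably behaves the same way through firewalld. The `<…>` action-tag placeholders appear to have been stripped in this rendering of the patch, so the exact argument spelling cannot be checked here.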
@@ -47,7 +47,7 @@ actionunban = ipset -exist del [ipstype_firewalld] -actionstart = firewall-cmd --direct --new-ipset= --type=hash:ip --option=timeout= +actionstart = firewall-cmd --direct --new-ipset= --type=hash:ip --option=timeout= --option=maxelem= # TODO: there doesn't seem to be an explicit way to invoke the ipset flush function using firewall-cmd actionflush = @@ -77,6 +77,12 @@ default-ipsettime = 0 # Values: [ NUM ] Default: 0 (managed by fail2ban by unban) ipsettime = 0 +# Option: maxelem +# Notes: maximal number of elements which can be stored in the ipset +# You may want to increase this for long-duration/high-volume jails +# Values: [ NUM ] Default: 65536 +maxelem = 65536 + # expresion to caclulate timeout from bantime, example: # banaction = %(known/banaction)s[ipsettime=''] timeout-bantime = $([ "" -le 2147483 ] && echo "" || echo 0) diff --git a/config/action.d/iptables-ipset-proto4.conf b/config/action.d/iptables-ipset-proto4.conf index 37624284..d33008be 100644 --- a/config/action.d/iptables-ipset-proto4.conf +++ b/config/action.d/iptables-ipset-proto4.conf @@ -27,7 +27,7 @@ before = iptables.conf # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # -actionstart = ipset --create f2b- iphash +actionstart = ipset --create f2b- maxelem iphash <_ipt_add_rules> @@ -64,3 +64,11 @@ actionunban = ipset --test f2b- && ipset --del f2b- # Several capabilities used internaly: rule-jump = -m set --match-set f2b- src -j + +[Init] + +# Option: maxelem +# Notes: maximal number of elements which can be stored in the ipset +# You may want to increase this for long-duration/high-volume jails +# Values: [ NUM ] Default: 65536 +maxelem = 65536 diff --git a/config/action.d/iptables-ipset.conf b/config/action.d/iptables-ipset.conf index b44e6ec4..15aadd92 100644 --- a/config/action.d/iptables-ipset.conf +++ b/config/action.d/iptables-ipset.conf 
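Review bot: The new `maxelem` comment should say what happens when the limit is reached, because it is a fail-open condition: once the set is full, further `ipset add` calls fail and those bans are simply not enforced, which is exactly the "Hash is full" symptom the commit message describes. Suggest extending the note to `# Notes: maximal number of elements which can be stored in the ipset. When the set is full, new bans FAIL and are not enforced, so size this above the expected number of concurrently banned addresses (roughly ban rate x bantime).` As far as I know a larger value costs little until the set actually fills, so erring high is cheap; if the maintainers can confirm that, it belongs in the same comment. The same text is duplicated in the iptables-ipset.conf and shorewall hunks below and should be kept in sync.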
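Review bot: The position of `maxelem` in the proto4 actionstart looks wrong: in the ipset 4.x syntax this file targets, `ipset --create SETNAME TYPENAME [options]` expects the type name before any option, and the new line puts `maxelem <value>` before `iphash`. I am also not aware of the v4 `iphash` type accepting a `maxelem` option at all (it is sized with `--hashsize`/`--probes`/`--resize`), so this create command may now fail at action start on exactly the old-ipset systems this file exists for; please verify against a real proto-4 ipset before merging. If there is no equivalent option, leave the command as it was (`ipset --create f2b-… iphash`) and document in the new `[Init]` block that `maxelem` is honoured only by the proto-6 actions.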
@@ -24,7 +24,7 @@ before = iptables.conf # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # -actionstart = ipset -exist create hash:ip timeout +actionstart = ipset -exist create hash:ip timeout maxelem <_ipt_add_rules> # Option: actionflush @@ -76,6 +76,12 @@ default-ipsettime = 0 # Values: [ NUM ] Default: 0 (managed by fail2ban by unban) ipsettime = 0 +# Option: maxelem +# Notes: maximal number of elements which can be stored in the ipset +# You may want to increase this for long-duration/high-volume jails +# Values: [ NUM ] Default: 65536 +maxelem = 65536 + # expresion to caclulate timeout from bantime, example: # banaction = %(known/banaction)s[ipsettime=''] timeout-bantime = $([ "" -le 2147483 ] && echo "" || echo 0) diff --git a/config/action.d/shorewall-ipset-proto6.conf b/config/action.d/shorewall-ipset-proto6.conf index eacb53d9..6f1e02d3 100644 --- a/config/action.d/shorewall-ipset-proto6.conf +++ b/config/action.d/shorewall-ipset-proto6.conf @@ -51,7 +51,7 @@ # Values: CMD # actionstart = if ! ipset -quiet -name list f2b- >/dev/null; - then ipset -quiet -exist create f2b- hash:ip timeout ; + then ipset -quiet -exist create f2b- hash:ip timeout maxelem ; fi # Option: actionstop @@ -91,3 +91,11 @@ ipsettime = 0 # expresion to caclulate timeout from bantime, example: # banaction = %(known/banaction)s[ipsettime=''] timeout-bantime = $([ "" -le 2147483 ] && echo "" || echo 0) + +[Init] + +# Option: maxelem +# Notes: maximal number of elements which can be stored in the ipset +# You may want to increase this for long-duration/high-volume jails +# Values: [ NUM ] Default: 65536 +maxelem = 65536 diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py index 7cba9add..695c80ee 100644 --- a/fail2ban/tests/servertestcase.py +++ b/fail2ban/tests/servertestcase.py 
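Review bot: The second shorewall hunk appends a fresh `[Init]` header at the end of the file, yet the `ipsettime`/`timeout-bantime` options shown as context are presumably already under an `[Init]` section, so the file would declare `[Init]` twice. Depending on how fail2ban's config parser is set up, a duplicate section is either rejected as an error or silently merged, and neither outcome is worth relying on; drop the added `[Init]` line and place the `maxelem` block under the existing section, as the iptables-ipset.conf hunk above does. The iptables-ipset-proto4.conf hunk that also appends `[Init]` deserves the same check.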
@@ -1597,12 +1597,12 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 "`done`",
 ),
 'ip4-start': (
- "`ipset -exist create f2b-j-w-iptables-ipset hash:ip timeout 0 `",
+ "`ipset -exist create f2b-j-w-iptables-ipset hash:ip timeout 0 maxelem 65536 `",
 "`{ iptables -w -C INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable >/dev/null 2>&1; } || "
 "{ iptables -w -I INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable; }`",
 ),
 'ip6-start': (
- "`ipset -exist create f2b-j-w-iptables-ipset6 hash:ip timeout 0 family inet6`",
+ "`ipset -exist create f2b-j-w-iptables-ipset6 hash:ip timeout 0 maxelem 65536 family inet6`",
 "`{ ip6tables -w -C INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable >/dev/null 2>&1; } || "
 "{ ip6tables -w -I INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable; }`",
 ),
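Review bot: The updated expectations only pin the default, since every `ipset -exist create` line now asserts `maxelem 65536`, so the configurability this patch adds is never exercised. Consider one jail variant that passes the argument, e.g. `'iptables-ipset[name=%(__name__)s, maxelem=131072]'` with an `ip4-start` expecting `maxelem 131072`, so a regression in the `[Init]`/banaction-argument plumbing is caught rather than just the literal in the template. The enclosing test table starts and ends outside this hunk.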
@@ -1646,12 +1646,12 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 "`done`",
 ),
 'ip4-start': (
- "`ipset -exist create f2b-j-w-iptables-ipset-ap hash:ip timeout 0 `",
+ "`ipset -exist create f2b-j-w-iptables-ipset-ap hash:ip timeout 0 maxelem 65536 `",
 "`{ iptables -w -C INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable >/dev/null 2>&1; } || "
 "{ iptables -w -I INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable; }",
 ),
 'ip6-start': (
- "`ipset -exist create f2b-j-w-iptables-ipset-ap6 hash:ip timeout 0 family inet6`",
+ "`ipset -exist create f2b-j-w-iptables-ipset-ap6 hash:ip timeout 0 maxelem 65536 family inet6`",
 "`{ ip6tables -w -C INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable >/dev/null 2>&1; } || "
 "{ ip6tables -w -I INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable; }",
 ),
@@ -1979,11 +1979,11 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 ('j-w-fwcmd-ipset', 'firewallcmd-ipset[name=%(__name__)s, port="http", protocol="tcp", chain=""]', {
 'ip4': (' f2b-j-w-fwcmd-ipset ',), 'ip6': (' f2b-j-w-fwcmd-ipset6 ',),
 'ip4-start': (
- "`ipset -exist create f2b-j-w-fwcmd-ipset hash:ip timeout 0 `",
+ "`ipset -exist create f2b-j-w-fwcmd-ipset hash:ip timeout 0 maxelem 65536 `",
 "`firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports http -m set --match-set f2b-j-w-fwcmd-ipset src -j REJECT --reject-with icmp-port-unreachable`",
 ),
 'ip6-start': (
- "`ipset -exist create f2b-j-w-fwcmd-ipset6 hash:ip timeout 0 family inet6`",
+ "`ipset -exist create f2b-j-w-fwcmd-ipset6 hash:ip timeout 0 maxelem 65536 family inet6`",
 "`firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -p tcp -m multiport --dports http -m set --match-set f2b-j-w-fwcmd-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`",
 ),
 'flush': (
@@ -2015,11 +2015,11 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 ('j-w-fwcmd-ipset-ap', 'firewallcmd-ipset[name=%(__name__)s, actiontype=, protocol="tcp", chain=""]', {
 'ip4': (' f2b-j-w-fwcmd-ipset-ap ',), 'ip6': (' f2b-j-w-fwcmd-ipset-ap6 ',),
 'ip4-start': (
- "`ipset -exist create f2b-j-w-fwcmd-ipset-ap hash:ip timeout 0 `",
+ "`ipset -exist create f2b-j-w-fwcmd-ipset-ap hash:ip timeout 0 maxelem 65536 `",
 "`firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`",
 ),
 'ip6-start': (
- "`ipset -exist create f2b-j-w-fwcmd-ipset-ap6 hash:ip timeout 0 family inet6`",
+ "`ipset -exist create f2b-j-w-fwcmd-ipset-ap6 hash:ip timeout 0 maxelem 65536 family inet6`",
 "`firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`",
 ),
 'flush': (