Merge pull request #1866 from koeppea/patch-1

Update pf.conf fixing #1863: erroneous flush of all rulesets, also not created with fail2ban.

config/action.d/pf.conf

@@ -15,8 +15,8 @@
 #
 # we don't enable PF automatically; to enable run pfctl -e 
 # or add `pf_enable="YES"` to /etc/rc.conf (tested on FreeBSD)
-actionstart = echo "table <<tablename>-<name>> persist counters" | pfctl -f- 
-              echo "block proto <protocol> from <<tablename>-<name>> to <actiontype>" | pfctl -f-
+actionstart = echo "table <<tablename>-<name>> persist counters" | <pfctl> -f- 
+              echo "block proto <protocol> from <<tablename>-<name>> to <actiontype>" | <pfctl> -f-
 
 # Option:  start_on_demand - to start action on demand
 # Example: `action=pf[actionstart_on_demand=true]`
@@ -27,16 +27,16 @@ actionstart_on_demand = false
 # Values:  CMD
 #
 # we only disable PF rules we've installed prior
-actionstop = pfctl -sr 2>/dev/null | grep -v <tablename>-<name> | pfctl -f-
-             pfctl -t <tablename>-<name> -T flush
-             pfctl -t <tablename>-<name> -T kill
+actionstop = <pfctl> -sr 2>/dev/null | grep -v <tablename>-<name> | <pfctl> -f-
+             <pfctl> -t <tablename>-<name> -T flush
+             <pfctl> -t <tablename>-<name> -T kill
 
 
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = pfctl -sr | grep -q <tablename>-<name>
+actioncheck = <pfctl> -sr | grep -q <tablename>-<name>
 
 
 # Option:  actionban
@@ -47,7 +47,7 @@ actioncheck = pfctl -sr | grep -q <tablename>-<name>
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = pfctl -t <tablename>-<name> -T add <ip>
+actionban = <pfctl> -t <tablename>-<name> -T add <ip>
 
 
 # Option:  actionunban
@@ -59,7 +59,14 @@ actionban = pfctl -t <tablename>-<name> -T add <ip>
 # Values:  CMD
 #
 # note -r option used to remove matching rule
-actionunban = pfctl -t <tablename>-<name> -T delete <ip>
+actionunban = <pfctl> -t <tablename>-<name> -T delete <ip>
+
+# Option: pfctl
+#
+# Use anchor as jailname to manipulate affected rulesets only.
+# If more parameter expected it can be extended with `pf[pfctl="<known/pfctl> ..."]`
+# 
+pfctl = pfctl -a f2b/<name>
 
 [Init]
 # Option:  tablename

fail2ban/tests/servertestcase.py

@@ -1524,59 +1524,59 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 				('j-w-pf', 'pf[name=%(__name__)s, actionstart_on_demand=false]', {
 					'ip4': (), 'ip6': (),
 					'start': (
-						'`echo "table <f2b-j-w-pf> persist counters" | pfctl -f-`',
-						'`echo "block proto tcp from <f2b-j-w-pf> to any port <port>" | pfctl -f-`',
+						'`echo "table <f2b-j-w-pf> persist counters" | pfctl -a f2b/j-w-pf -f-`',
+						'`echo "block proto tcp from <f2b-j-w-pf> to any port <port>" | pfctl -a f2b/j-w-pf -f-`',
 					),
 					'stop': (
-						'`pfctl -sr 2>/dev/null | grep -v f2b-j-w-pf | pfctl -f-`',
-						'`pfctl -t f2b-j-w-pf -T flush`',
-						'`pfctl -t f2b-j-w-pf -T kill`',
+						'`pfctl -a f2b/j-w-pf -sr 2>/dev/null | grep -v f2b-j-w-pf | pfctl -a f2b/j-w-pf -f-`',
+						'`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T flush`',
+						'`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T kill`',
 					),
-					'ip4-check': ("`pfctl -sr | grep -q f2b-j-w-pf`",),
-					'ip6-check': ("`pfctl -sr | grep -q f2b-j-w-pf`",),
-					'ip4-ban':   ("`pfctl -t f2b-j-w-pf -T add 192.0.2.1`",),
-					'ip4-unban': ("`pfctl -t f2b-j-w-pf -T delete 192.0.2.1`",),
-					'ip6-ban':   ("`pfctl -t f2b-j-w-pf -T add 2001:db8::`",),
-					'ip6-unban': ("`pfctl -t f2b-j-w-pf -T delete 2001:db8::`",),
+					'ip4-check': ("`pfctl -a f2b/j-w-pf -sr | grep -q f2b-j-w-pf`",),
+					'ip6-check': ("`pfctl -a f2b/j-w-pf -sr | grep -q f2b-j-w-pf`",),
+					'ip4-ban':   ("`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T add 192.0.2.1`",),
+					'ip4-unban': ("`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T delete 192.0.2.1`",),
+					'ip6-ban':   ("`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T add 2001:db8::`",),
+					'ip6-unban': ("`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T delete 2001:db8::`",),
 				}),
 				# pf multiport with custom port --
 				('j-w-pf-mp', 'pf[actiontype=<multiport>][name=%(__name__)s, port=http]', {
 					'ip4': (), 'ip6': (),
 					'start': (
-						'`echo "table <f2b-j-w-pf-mp> persist counters" | pfctl -f-`',
-						'`echo "block proto tcp from <f2b-j-w-pf-mp> to any port http" | pfctl -f-`',
+						'`echo "table <f2b-j-w-pf-mp> persist counters" | pfctl -a f2b/j-w-pf-mp -f-`',
+						'`echo "block proto tcp from <f2b-j-w-pf-mp> to any port http" | pfctl -a f2b/j-w-pf-mp -f-`',
 					),
 					'stop': (
-						'`pfctl -sr 2>/dev/null | grep -v f2b-j-w-pf-mp | pfctl -f-`',
-						'`pfctl -t f2b-j-w-pf-mp -T flush`',
-						'`pfctl -t f2b-j-w-pf-mp -T kill`',
+						'`pfctl -a f2b/j-w-pf-mp -sr 2>/dev/null | grep -v f2b-j-w-pf-mp | pfctl -a f2b/j-w-pf-mp -f-`',
+						'`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T flush`',
+						'`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T kill`',
 					),
-					'ip4-check': ("`pfctl -sr | grep -q f2b-j-w-pf-mp`",),
-					'ip6-check': ("`pfctl -sr | grep -q f2b-j-w-pf-mp`",),
-					'ip4-ban':   ("`pfctl -t f2b-j-w-pf-mp -T add 192.0.2.1`",),
-					'ip4-unban': ("`pfctl -t f2b-j-w-pf-mp -T delete 192.0.2.1`",),
-					'ip6-ban':   ("`pfctl -t f2b-j-w-pf-mp -T add 2001:db8::`",),
-					'ip6-unban': ("`pfctl -t f2b-j-w-pf-mp -T delete 2001:db8::`",),
+					'ip4-check': ("`pfctl -a f2b/j-w-pf-mp -sr | grep -q f2b-j-w-pf-mp`",),
+					'ip6-check': ("`pfctl -a f2b/j-w-pf-mp -sr | grep -q f2b-j-w-pf-mp`",),
+					'ip4-ban':   ("`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T add 192.0.2.1`",),
+					'ip4-unban': ("`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T delete 192.0.2.1`",),
+					'ip6-ban':   ("`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T add 2001:db8::`",),
+					'ip6-unban': ("`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T delete 2001:db8::`",),
 				}),
 				# pf allports -- test additionally "actionstart_on_demand" was set to true
 				('j-w-pf-ap', 'pf[actiontype=<allports>, actionstart_on_demand=true][name=%(__name__)s]', {
 					'ip4': (), 'ip6': (),
 					'ip4-start': (
-						'`echo "table <f2b-j-w-pf-ap> persist counters" | pfctl -f-`',
-						'`echo "block proto tcp from <f2b-j-w-pf-ap> to any" | pfctl -f-`',
+						'`echo "table <f2b-j-w-pf-ap> persist counters" | pfctl -a f2b/j-w-pf-ap -f-`',
+						'`echo "block proto tcp from <f2b-j-w-pf-ap> to any" | pfctl -a f2b/j-w-pf-ap -f-`',
 					),
 					'ip6-start': (), # the same as ipv4
 					'stop': (
-						'`pfctl -sr 2>/dev/null | grep -v f2b-j-w-pf-ap | pfctl -f-`',
-						'`pfctl -t f2b-j-w-pf-ap -T flush`',
-						'`pfctl -t f2b-j-w-pf-ap -T kill`',
+						'`pfctl -a f2b/j-w-pf-ap -sr 2>/dev/null | grep -v f2b-j-w-pf-ap | pfctl -a f2b/j-w-pf-ap -f-`',
+						'`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T flush`',
+						'`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T kill`',
 					),
-					'ip4-check': ("`pfctl -sr | grep -q f2b-j-w-pf-ap`",),
-					'ip6-check': ("`pfctl -sr | grep -q f2b-j-w-pf-ap`",),
-					'ip4-ban':   ("`pfctl -t f2b-j-w-pf-ap -T add 192.0.2.1`",),
-					'ip4-unban': ("`pfctl -t f2b-j-w-pf-ap -T delete 192.0.2.1`",),
-					'ip6-ban':   ("`pfctl -t f2b-j-w-pf-ap -T add 2001:db8::`",),
-					'ip6-unban': ("`pfctl -t f2b-j-w-pf-ap -T delete 2001:db8::`",),
+					'ip4-check': ("`pfctl -a f2b/j-w-pf-ap -sr | grep -q f2b-j-w-pf-ap`",),
+					'ip6-check': ("`pfctl -a f2b/j-w-pf-ap -sr | grep -q f2b-j-w-pf-ap`",),
+					'ip4-ban':   ("`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T add 192.0.2.1`",),
+					'ip4-unban': ("`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T delete 192.0.2.1`",),
+					'ip6-ban':   ("`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T add 2001:db8::`",),
+					'ip6-unban': ("`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T delete 2001:db8::`",),
 				}),
 				# firewallcmd-multiport --
 				('j-w-fwcmd-mp', 'firewallcmd-multiport[name=%(__name__)s, bantime="10m", port="http,https", protocol="tcp", chain="INPUT"]', {