github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

fixed mistake in config (semicolon after space as comment in configs?) and coverage, suppress errors by unsupported flush, better space handling in helper _nft_get_handle_id, etc

pull/2254/head
sebres 2019-09-25 13:47:29 +02:00
parent 492205d30e
commit 8ea00c1d5d
2 changed files with 11 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
config/action.d/nftables.conf
View File

@ -53,13 +53,13 @@ _nft_for_proto-multiport-iter = for proto in $(echo '<protocol>' | sed 's/,/ /g'
_nft_for_proto-multiport-done = done _nft_for_proto-multiport-done = done
_nft_list = <nftables> -a list chain <table_family> f2b-table f2b-chain _nft_list = <nftables> -a list chain <table_family> f2b-table f2b-chain
_nft_get_handle_id = grep -oP '@<addr_set> .* \Khandle (\d+)$' _nft_get_handle_id = grep -oP '@<addr_set>\s+.*\s+\Khandle\s+(\d+)$'
_nft_add_set = <nftables> add set <table_family> f2b-table <addr_set> \{ type <addr_type>\; \} _nft_add_set = <nftables> add set <table_family> f2b-table <addr_set> \{ type <addr_type>\; \}
<_nft_for_proto-<type>-iter> <_nft_for_proto-<type>-iter>
<nftables> add rule <table_family> f2b-table f2b-chain %(rule_stat)s <nftables> add rule <table_family> f2b-table f2b-chain %(rule_stat)s
<_nft_for_proto-<type>-done> <_nft_for_proto-<type>-done>
_nft_del_set = $(%(_nft_list)s | %(_nft_get_handle_id)s) | while read -r hdl ; do _nft_del_set = (%(_nft_list)s | %(_nft_get_handle_id)s) | while read -r hdl; do
<nftables> delete rule <table_family> f2b-table f2b-chain $hdl; done <nftables> delete rule <table_family> f2b-table f2b-chain $hdl; done
<nftables> delete set <table_family> f2b-table <addr_set> <nftables> delete set <table_family> f2b-table <addr_set>
@ -76,7 +76,7 @@ actionstart = <nftables> add table <table_family> f2b-table
# uses `nft flush set ...` and as fallback (e. g. unsupported) recreates the set (with references) # uses `nft flush set ...` and as fallback (e. g. unsupported) recreates the set (with references)
# Values: CMD # Values: CMD
# #
actionflush = <nftables> flush set <table_family> f2b-table <addr_set> || ( actionflush = (<nftables> flush set <table_family> f2b-table <addr_set> 2> /dev/null) || (
%(_nft_del_set)s %(_nft_del_set)s
%(_nft_add_set)s %(_nft_add_set)s
) )

16
fail2ban/tests/servertestcase.py
View File

@ -1275,14 +1275,14 @@ class ServerConfigReaderTests(LogCaptureTestCase):
r"`nft add rule inet f2b-table f2b-chain $proto dport \{ http,https \} ip6 saddr @addr6-set-j-w-nft-mp reject`", r"`nft add rule inet f2b-table f2b-chain $proto dport \{ http,https \} ip6 saddr @addr6-set-j-w-nft-mp reject`",
), ),
'flush': ( 'flush': (
"`nft flush set inet f2b-table addr-set-j-w-nft-mp || ", "`(nft flush set inet f2b-table addr-set-j-w-nft-mp 2> /dev/null) || ",
"`nft flush set inet f2b-table addr6-set-j-w-nft-mp || ", "`(nft flush set inet f2b-table addr6-set-j-w-nft-mp 2> /dev/null) || ",
), ),
'stop': ( 'stop': (
"`$(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-mp .* \Khandle (\d+)$') | while read -r hdl`", "`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
"`nft delete rule inet f2b-table f2b-chain $hdl; done`", "`nft delete rule inet f2b-table f2b-chain $hdl; done`",
"`nft delete set inet f2b-table addr-set-j-w-nft-mp`", "`nft delete set inet f2b-table addr-set-j-w-nft-mp`",
"`$(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-mp .* \Khandle (\d+)$') | while read -r hdl`", "`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
"`nft delete rule inet f2b-table f2b-chain $hdl; done`", "`nft delete rule inet f2b-table f2b-chain $hdl; done`",
"`nft delete set inet f2b-table addr6-set-j-w-nft-mp`", "`nft delete set inet f2b-table addr6-set-j-w-nft-mp`",
), ),
@ -1321,14 +1321,14 @@ class ServerConfigReaderTests(LogCaptureTestCase):
r"`nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp,udp \} ip6 saddr @addr6-set-j-w-nft-ap reject`", r"`nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp,udp \} ip6 saddr @addr6-set-j-w-nft-ap reject`",
), ),
'flush': ( 'flush': (
"`nft flush set inet f2b-table addr-set-j-w-nft-ap || ", "`(nft flush set inet f2b-table addr-set-j-w-nft-ap 2> /dev/null) || ",
"`nft flush set inet f2b-table addr6-set-j-w-nft-ap || ", "`(nft flush set inet f2b-table addr6-set-j-w-nft-ap 2> /dev/null) || ",
), ),
'stop': ( 'stop': (
"`$(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-ap .* \Khandle (\d+)$') | while read -r hdl`", "`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
"`nft delete rule inet f2b-table f2b-chain $hdl; done`", "`nft delete rule inet f2b-table f2b-chain $hdl; done`",
"`nft delete set inet f2b-table addr-set-j-w-nft-ap`", "`nft delete set inet f2b-table addr-set-j-w-nft-ap`",
"`$(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-ap .* \Khandle (\d+)$') | while read -r hdl`", "`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
"`nft delete rule inet f2b-table f2b-chain $hdl; done`", "`nft delete rule inet f2b-table f2b-chain $hdl; done`",
"`nft delete set inet f2b-table addr6-set-j-w-nft-ap`", "`nft delete set inet f2b-table addr6-set-j-w-nft-ap`",
), ),