From 955d690e564d3ff60e5b8cc8d17ee11dade03b10 Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Fri, 18 Oct 2019 18:34:48 +0200
Subject: [PATCH] regrouping expressions with curly braces, added more escapes
 (better handling in posix shell)

---
 config/action.d/nftables.conf    | 10 +++++-----
 fail2ban/tests/servertestcase.py | 32 ++++++++++++++++----------------
 2 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/config/action.d/nftables.conf b/config/action.d/nftables.conf
index e7186c47..251aa419 100644
--- a/config/action.d/nftables.conf
+++ b/config/action.d/nftables.conf
@@ -59,7 +59,7 @@ _nft_add_set = <nftables> add set <table_family> f2b-table <addr_set> \{ type <a
               <_nft_for_proto-<type>-iter>
               <nftables> add rule <table_family> f2b-table f2b-chain %(rule_stat)s
               <_nft_for_proto-<type>-done>
-_nft_del_set = (%(_nft_list)s | %(_nft_get_handle_id)s) | while read -r hdl; do
+_nft_del_set = { %(_nft_list)s | %(_nft_get_handle_id)s; } | while read -r hdl; do
                <nftables> delete rule <table_family> f2b-table f2b-chain $hdl; done
               <nftables> delete set <table_family> f2b-table <addr_set>
 
@@ -76,10 +76,10 @@ actionstart = <nftables> add table <table_family> f2b-table
 #          uses `nft flush set ...` and as fallback (e. g. unsupported) recreates the set (with references)
 # Values:  CMD
 #
-actionflush = (<nftables> flush set <table_family> f2b-table <addr_set> 2> /dev/null) || (
+actionflush = { <nftables> flush set <table_family> f2b-table <addr_set> 2> /dev/null; } || {
               %(_nft_del_set)s
               %(_nft_add_set)s
-              )
+              }
 
 # Option:  actionstop
 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
@@ -99,7 +99,7 @@ actioncheck = <nftables> list chain <table_family> f2b-table f2b-chain | grep -q
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = <nftables> add element <table_family> f2b-table <addr_set> { <ip> }
+actionban = <nftables> add element <table_family> f2b-table <addr_set> \{ <ip> \}
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@@ -107,7 +107,7 @@ actionban = <nftables> add element <table_family> f2b-table <addr_set> { <ip> }
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban = <nftables> delete element <table_family> f2b-table <addr_set> { <ip> }
+actionunban = <nftables> delete element <table_family> f2b-table <addr_set> \{ <ip> \}
 
 [Init]
 
diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py
index 901b7399..19c93145 100644
--- a/fail2ban/tests/servertestcase.py
+++ b/fail2ban/tests/servertestcase.py
@@ -1275,14 +1275,14 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 					r"`nft add rule inet f2b-table f2b-chain $proto dport \{ http,https \} ip6 saddr @addr6-set-j-w-nft-mp reject`",
 				),
 				'flush': (
-					"`(nft flush set inet f2b-table addr-set-j-w-nft-mp 2> /dev/null) || ",
-					"`(nft flush set inet f2b-table addr6-set-j-w-nft-mp 2> /dev/null) || ",
+					"`{ nft flush set inet f2b-table addr-set-j-w-nft-mp 2> /dev/null; } || ",
+					"`{ nft flush set inet f2b-table addr6-set-j-w-nft-mp 2> /dev/null; } || ",
 				),
 				'stop': (
-					"`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
+					"`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`",
 					"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
 					"`nft delete set inet f2b-table addr-set-j-w-nft-mp`",
-					"`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
+					"`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`",
 					"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
 					"`nft delete set inet f2b-table addr6-set-j-w-nft-mp`",
 				),
@@ -1293,16 +1293,16 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 					r"`nft list chain inet f2b-table f2b-chain | grep -q '@addr6-set-j-w-nft-mp[ \t]'`",
 				),
 				'ip4-ban': (
-					r"`nft add element inet f2b-table addr-set-j-w-nft-mp { 192.0.2.1 }`",
+					r"`nft add element inet f2b-table addr-set-j-w-nft-mp \{ 192.0.2.1 \}`",
 				),
 				'ip4-unban': (
-					r"`nft delete element inet f2b-table addr-set-j-w-nft-mp { 192.0.2.1 }`",
+					r"`nft delete element inet f2b-table addr-set-j-w-nft-mp \{ 192.0.2.1 \}`",
 				),
 				'ip6-ban': (
-					r"`nft add element inet f2b-table addr6-set-j-w-nft-mp { 2001:db8:: }`",
+					r"`nft add element inet f2b-table addr6-set-j-w-nft-mp \{ 2001:db8:: \}`",
 				),
 				'ip6-unban': (
-					r"`nft delete element inet f2b-table addr6-set-j-w-nft-mp { 2001:db8:: }`",
+					r"`nft delete element inet f2b-table addr6-set-j-w-nft-mp \{ 2001:db8:: \}`",
 				),					
 			}),
 			# nft-allports --
@@ -1321,14 +1321,14 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 					r"`nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp,udp \} ip6 saddr @addr6-set-j-w-nft-ap reject`",
 				),
 				'flush': (
-					"`(nft flush set inet f2b-table addr-set-j-w-nft-ap 2> /dev/null) || ",
-					"`(nft flush set inet f2b-table addr6-set-j-w-nft-ap 2> /dev/null) || ",
+					"`{ nft flush set inet f2b-table addr-set-j-w-nft-ap 2> /dev/null; } || ",
+					"`{ nft flush set inet f2b-table addr6-set-j-w-nft-ap 2> /dev/null; } || ",
 				),
 				'stop': (
-					"`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
+					"`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`",
 					"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
 					"`nft delete set inet f2b-table addr-set-j-w-nft-ap`",
-					"`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
+					"`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`",
 					"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
 					"`nft delete set inet f2b-table addr6-set-j-w-nft-ap`",
 				),
@@ -1339,16 +1339,16 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 					r"""`nft list chain inet f2b-table f2b-chain | grep -q '@addr6-set-j-w-nft-ap[ \t]'`""",
 				),
 				'ip4-ban': (
-					r"`nft add element inet f2b-table addr-set-j-w-nft-ap { 192.0.2.1 }`",
+					r"`nft add element inet f2b-table addr-set-j-w-nft-ap \{ 192.0.2.1 \}`",
 				),
 				'ip4-unban': (
-					r"`nft delete element inet f2b-table addr-set-j-w-nft-ap { 192.0.2.1 }`",
+					r"`nft delete element inet f2b-table addr-set-j-w-nft-ap \{ 192.0.2.1 \}`",
 				),
 				'ip6-ban': (
-					r"`nft add element inet f2b-table addr6-set-j-w-nft-ap { 2001:db8:: }`",
+					r"`nft add element inet f2b-table addr6-set-j-w-nft-ap \{ 2001:db8:: \}`",
 				),
 				'ip6-unban': (
-					r"`nft delete element inet f2b-table addr6-set-j-w-nft-ap { 2001:db8:: }`",
+					r"`nft delete element inet f2b-table addr6-set-j-w-nft-ap \{ 2001:db8:: \}`",
 				),					
 			}),
 			# dummy --