mirror of https://github.com/fail2ban/fail2ban
regrouping expressions with curly braces, added more escapes (better handling in posix shell)
sebres
parent
8b850864cf
commit
955d690e56
|
|
@ -59,7 +59,7 @@ _nft_add_set = <nftables> add set <table_family> f2b-table <addr_set> \{ type <a
|
||||||
<_nft_for_proto-<type>-iter>
|
<_nft_for_proto-<type>-iter>
|
||||||
<nftables> add rule <table_family> f2b-table f2b-chain %(rule_stat)s
|
<nftables> add rule <table_family> f2b-table f2b-chain %(rule_stat)s
|
||||||
<_nft_for_proto-<type>-done>
|
<_nft_for_proto-<type>-done>
|
||||||
_nft_del_set = (%(_nft_list)s | %(_nft_get_handle_id)s) | while read -r hdl; do
|
_nft_del_set = { %(_nft_list)s | %(_nft_get_handle_id)s; } | while read -r hdl; do
|
||||||
<nftables> delete rule <table_family> f2b-table f2b-chain $hdl; done
|
<nftables> delete rule <table_family> f2b-table f2b-chain $hdl; done
|
||||||
<nftables> delete set <table_family> f2b-table <addr_set>
|
<nftables> delete set <table_family> f2b-table <addr_set>
|
||||||
|
|
||||||
|
|
@ -76,10 +76,10 @@ actionstart = <nftables> add table <table_family> f2b-table
|
||||||
# uses `nft flush set ...` and as fallback (e. g. unsupported) recreates the set (with references)
|
# uses `nft flush set ...` and as fallback (e. g. unsupported) recreates the set (with references)
|
||||||
# Values: CMD
|
# Values: CMD
|
||||||
#
|
#
|
||||||
actionflush = (<nftables> flush set <table_family> f2b-table <addr_set> 2> /dev/null) || (
|
actionflush = { <nftables> flush set <table_family> f2b-table <addr_set> 2> /dev/null; } || {
|
||||||
%(_nft_del_set)s
|
%(_nft_del_set)s
|
||||||
%(_nft_add_set)s
|
%(_nft_add_set)s
|
||||||
)
|
}
|
||||||
|
|
||||||
# Option: actionstop
|
# Option: actionstop
|
||||||
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
|
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
|
||||||
|
|
@ -99,7 +99,7 @@ actioncheck = <nftables> list chain <table_family> f2b-table f2b-chain | grep -q
|
||||||
# Tags: See jail.conf(5) man page
|
# Tags: See jail.conf(5) man page
|
||||||
# Values: CMD
|
# Values: CMD
|
||||||
#
|
#
|
||||||
actionban = <nftables> add element <table_family> f2b-table <addr_set> { <ip> }
|
actionban = <nftables> add element <table_family> f2b-table <addr_set> \{ <ip> \}
|
||||||
|
|
||||||
# Option: actionunban
|
# Option: actionunban
|
||||||
# Notes.: command executed when unbanning an IP. Take care that the
|
# Notes.: command executed when unbanning an IP. Take care that the
|
||||||
|
|
@ -107,7 +107,7 @@ actionban = <nftables> add element <table_family> f2b-table <addr_set> { <ip> }
|
||||||
# Tags: See jail.conf(5) man page
|
# Tags: See jail.conf(5) man page
|
||||||
# Values: CMD
|
# Values: CMD
|
||||||
#
|
#
|
||||||
actionunban = <nftables> delete element <table_family> f2b-table <addr_set> { <ip> }
|
actionunban = <nftables> delete element <table_family> f2b-table <addr_set> \{ <ip> \}
|
||||||
|
|
||||||
[Init]
|
[Init]
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1275,14 +1275,14 @@ class ServerConfigReaderTests(LogCaptureTestCase):
|
||||||
r"`nft add rule inet f2b-table f2b-chain $proto dport \{ http,https \} ip6 saddr @addr6-set-j-w-nft-mp reject`",
|
r"`nft add rule inet f2b-table f2b-chain $proto dport \{ http,https \} ip6 saddr @addr6-set-j-w-nft-mp reject`",
|
||||||
),
|
),
|
||||||
'flush': (
|
'flush': (
|
||||||
"`(nft flush set inet f2b-table addr-set-j-w-nft-mp 2> /dev/null) || ",
|
"`{ nft flush set inet f2b-table addr-set-j-w-nft-mp 2> /dev/null; } || ",
|
||||||
"`(nft flush set inet f2b-table addr6-set-j-w-nft-mp 2> /dev/null) || ",
|
"`{ nft flush set inet f2b-table addr6-set-j-w-nft-mp 2> /dev/null; } || ",
|
||||||
),
|
),
|
||||||
'stop': (
|
'stop': (
|
||||||
"`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
|
"`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`",
|
||||||
"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
|
"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
|
||||||
"`nft delete set inet f2b-table addr-set-j-w-nft-mp`",
|
"`nft delete set inet f2b-table addr-set-j-w-nft-mp`",
|
||||||
"`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
|
"`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`",
|
||||||
"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
|
"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
|
||||||
"`nft delete set inet f2b-table addr6-set-j-w-nft-mp`",
|
"`nft delete set inet f2b-table addr6-set-j-w-nft-mp`",
|
||||||
),
|
),
|
||||||
|
|
@ -1293,16 +1293,16 @@ class ServerConfigReaderTests(LogCaptureTestCase):
|
||||||
r"`nft list chain inet f2b-table f2b-chain | grep -q '@addr6-set-j-w-nft-mp[ \t]'`",
|
r"`nft list chain inet f2b-table f2b-chain | grep -q '@addr6-set-j-w-nft-mp[ \t]'`",
|
||||||
),
|
),
|
||||||
'ip4-ban': (
|
'ip4-ban': (
|
||||||
r"`nft add element inet f2b-table addr-set-j-w-nft-mp { 192.0.2.1 }`",
|
r"`nft add element inet f2b-table addr-set-j-w-nft-mp \{ 192.0.2.1 \}`",
|
||||||
),
|
),
|
||||||
'ip4-unban': (
|
'ip4-unban': (
|
||||||
r"`nft delete element inet f2b-table addr-set-j-w-nft-mp { 192.0.2.1 }`",
|
r"`nft delete element inet f2b-table addr-set-j-w-nft-mp \{ 192.0.2.1 \}`",
|
||||||
),
|
),
|
||||||
'ip6-ban': (
|
'ip6-ban': (
|
||||||
r"`nft add element inet f2b-table addr6-set-j-w-nft-mp { 2001:db8:: }`",
|
r"`nft add element inet f2b-table addr6-set-j-w-nft-mp \{ 2001:db8:: \}`",
|
||||||
),
|
),
|
||||||
'ip6-unban': (
|
'ip6-unban': (
|
||||||
r"`nft delete element inet f2b-table addr6-set-j-w-nft-mp { 2001:db8:: }`",
|
r"`nft delete element inet f2b-table addr6-set-j-w-nft-mp \{ 2001:db8:: \}`",
|
||||||
),
|
),
|
||||||
}),
|
}),
|
||||||
# nft-allports --
|
# nft-allports --
|
||||||
|
|
@ -1321,14 +1321,14 @@ class ServerConfigReaderTests(LogCaptureTestCase):
|
||||||
r"`nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp,udp \} ip6 saddr @addr6-set-j-w-nft-ap reject`",
|
r"`nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp,udp \} ip6 saddr @addr6-set-j-w-nft-ap reject`",
|
||||||
),
|
),
|
||||||
'flush': (
|
'flush': (
|
||||||
"`(nft flush set inet f2b-table addr-set-j-w-nft-ap 2> /dev/null) || ",
|
"`{ nft flush set inet f2b-table addr-set-j-w-nft-ap 2> /dev/null; } || ",
|
||||||
"`(nft flush set inet f2b-table addr6-set-j-w-nft-ap 2> /dev/null) || ",
|
"`{ nft flush set inet f2b-table addr6-set-j-w-nft-ap 2> /dev/null; } || ",
|
||||||
),
|
),
|
||||||
'stop': (
|
'stop': (
|
||||||
"`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
|
"`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`",
|
||||||
"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
|
"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
|
||||||
"`nft delete set inet f2b-table addr-set-j-w-nft-ap`",
|
"`nft delete set inet f2b-table addr-set-j-w-nft-ap`",
|
||||||
"`(nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$') | while read -r hdl; do`",
|
"`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`",
|
||||||
"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
|
"`nft delete rule inet f2b-table f2b-chain $hdl; done`",
|
||||||
"`nft delete set inet f2b-table addr6-set-j-w-nft-ap`",
|
"`nft delete set inet f2b-table addr6-set-j-w-nft-ap`",
|
||||||
),
|
),
|
||||||
|
|
@ -1339,16 +1339,16 @@ class ServerConfigReaderTests(LogCaptureTestCase):
|
||||||
r"""`nft list chain inet f2b-table f2b-chain | grep -q '@addr6-set-j-w-nft-ap[ \t]'`""",
|
r"""`nft list chain inet f2b-table f2b-chain | grep -q '@addr6-set-j-w-nft-ap[ \t]'`""",
|
||||||
),
|
),
|
||||||
'ip4-ban': (
|
'ip4-ban': (
|
||||||
r"`nft add element inet f2b-table addr-set-j-w-nft-ap { 192.0.2.1 }`",
|
r"`nft add element inet f2b-table addr-set-j-w-nft-ap \{ 192.0.2.1 \}`",
|
||||||
),
|
),
|
||||||
'ip4-unban': (
|
'ip4-unban': (
|
||||||
r"`nft delete element inet f2b-table addr-set-j-w-nft-ap { 192.0.2.1 }`",
|
r"`nft delete element inet f2b-table addr-set-j-w-nft-ap \{ 192.0.2.1 \}`",
|
||||||
),
|
),
|
||||||
'ip6-ban': (
|
'ip6-ban': (
|
||||||
r"`nft add element inet f2b-table addr6-set-j-w-nft-ap { 2001:db8:: }`",
|
r"`nft add element inet f2b-table addr6-set-j-w-nft-ap \{ 2001:db8:: \}`",
|
||||||
),
|
),
|
||||||
'ip6-unban': (
|
'ip6-unban': (
|
||||||
r"`nft delete element inet f2b-table addr6-set-j-w-nft-ap { 2001:db8:: }`",
|
r"`nft delete element inet f2b-table addr6-set-j-w-nft-ap \{ 2001:db8:: \}`",
|
||||||
),
|
),
|
||||||
}),
|
}),
|
||||||
# dummy --
|
# dummy --
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue