From 9c639040bc68ceb5e9dbb554ff0ff2ef63651f3e Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Wed, 12 Oct 2005 15:08:05 +0000
Subject: [PATCH] refined it to work nicely with current approach to handle externally modified iptables
---
 config/fail2ban.conf.default | 15 +++++++++++++++
 debian/changelog | 12 ++++++------
 fail2ban.py | 27 +++++++++++++--------------
 firewall/firewall.py | 2 +-
 4 files changed, 35 insertions(+), 21 deletions(-)
diff --git a/config/fail2ban.conf.default b/config/fail2ban.conf.default
index 0675165b..1bf63358 100644
--- a/config/fail2ban.conf.default
+++ b/config/fail2ban.conf.default
@@ -97,6 +97,21 @@ cmdend =
 #
 polltime = 1
+# Option: reinittime
+# Notes.: minimal number of seconds between the re-initialization of
+# firewalls due to external changes in their rules (see fwcheck)
+# Values: NUM Default: 100
+#
+reinittime = 10
+
+# Option: maxreinits
+# Notes.: maximal number of re-initialization of firewalls due to external
+# changes. -1 stays for infinite, so only reinittime is of importance
+# Values: NUM Default: -1
+#
+maxreinits = -1
+
+
 [MAIL]
 # Option: enabled
 # Notes.: enable mail notification when banning an IP address.
diff --git a/debian/changelog b/debian/changelog
index 70545aee..e4db4370 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,19 +1,19 @@ fail2ban (0.5.4-5.7) unstable; urgency=low * Added a notification regarding the importance of 0.5.4-5 change of
- failregex in the config file
- * Adjusted address to FSF
+ failregex in the config file.
+ * Adjusted address to FSF.
 * Adjusted failregex for SSH so it bans "Illegal user" entries as well, and restricted full failregex more to include ":" at the beginning, because otherwise it might not be sufficient and would revive bug 330827 (closes:
- #333056)
+ #333056).
 * Adjusted failregex for SSH to accommodate recent changes in logging of
- SSH: Illegal -> Invalid. Should match both now
+ SSH: Illegal -> Invalid. Should match both now.
 * Fixed a problem of raise AttributeError exception reported as a side
- effect of crash during parsing of the config file
+ effect of crash during parsing of the config file.
 * Introduced fwcheck option to verify consistency of the chains. Implemented automatic restart of fail2ban main function in
- case if check of fwban failed. Should close few bugs
+ case if check of fwban or fwban command failed (closes: #329163, #331695).
 -- Yaroslav Halchenko Mon, 3 Oct 2005 22:26:28 -1000
diff --git a/fail2ban.py b/fail2ban.py
index fa1c16d4..63c60095 100755
--- a/fail2ban.py
+++ b/fail2ban.py
@@ -216,7 +216,9 @@ def main():
 ["str", "ignoreip", ""],
 ["int", "polltime", 1],
 ["str", "cmdstart", ""],
- ["str", "cmdend", ""])
+ ["str", "cmdend", ""],
+ ["int", "reinittime", 100],
+ ["int", "maxreinits", 100])
 # Gets global configuration options
 conf.update(confReader.getLogOptions("DEFAULT", optionValues))
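Review bot: The code fallback on the new line `["int", "maxreinits", 100]` disagrees with config/fail2ban.conf.default in this same commit, whose notes say `Default: -1` (unlimited); a deployment whose config file predates this option silently gets a hard cap of 100 reinitializations while the documentation promises none. The same file documents `Default: 100` for reinittime yet ships `reinittime = 10`, so neither option has a single agreed default. Pick one value per option and make the code fallback and the `Default:` note match, e.g. `["int", "maxreinits", -1]`. main() continues outside the hunk.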
@@ -415,13 +417,8 @@ def main():
 initializeFwRules()
- # yoh: I don't think that this parameters need to be configured
- # and probably maxRestarts should be removed
- legitRestartTime = 10 # legitimate minimal restart time
- maxRestarts = 100 # max number of times to perform restart
-
- lastRestartTime = time.time()
- restarts = 0
+ lastReinitTime = time.time()-conf["reinittime"]-1 # try to reinit once if it fails immediately
+ reinits = 0
 # Main loop
 while True:
 try:
@@ -484,12 +481,14 @@ def main():
 except ExternalError, e:
 # Something wrong while dealing with Iptables.
 # May be chain got removed?
- logSys.error("Fail2Ban got a problem: " + e.__str__())
- if (unixTime - lastRestartTime > legitRestartTime) and (restarts < maxRestarts):
- logSys.error("Reinitializing firewalls for the %dst time "%restarts)
- lastRestartTime = time.time()
+ reinits += 1
+ logSys.error(e)
+ if ((unixTime - lastReinitTime > conf["reinittime"]) and
+ ((conf["maxreinits"]<0) or (reinits < conf["maxreinits"]))):
+ logSys.warn("#%d reinitialization of firewalls"%reinits)
+ lastReinitTime = unixTime
 else:
- logSys.error("Exiting: restarts follow too often, or too many restart attempts")
+ logSys.error("Exiting: reinits follow too often, or too many reinit attempts")
 killApp()
 # save firewalls to keep a list of IPs for rebanning
@@ -499,7 +498,7 @@ def main():
 # reinitialize all the chains
 initializeFwRules()
 # restore the lists of baned IPs
- logFwList = logFwListCopy
+ logFwList.__init__(logFwListCopy)
 # reBan known IPs
 reBan()
 except KeyboardInterrupt:
diff --git a/firewall/firewall.py b/firewall/firewall.py
index 4077e4b0..c552bf3a 100644
--- a/firewall/firewall.py
+++ b/firewall/firewall.py
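Review bot: In the ExternalError handler `reinits += 1` runs before the limit test `reinits < conf["maxreinits"]`, so `maxreinits = 1` never permits a single reinitialization and in general only maxreinits-1 are allowed, which contradicts the "maximal number of re-initialization" wording in the config notes. Either compare with `reinits <= conf["maxreinits"]` or move the increment next to `lastReinitTime = unixTime` inside the branch that actually reinitializes. The comparison with `conf["maxreinits"]<0` for "unlimited" is fine as written. The enclosing loop body begins and ends outside the hunk.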
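Review bot: `logFwList.__init__(logFwListCopy)` re-runs the constructor on a live object to refill it in place, an idiom unusual enough to read like a typo next to the former `logFwList = logFwListCopy`; a one-line comment saying why rebinding the name is not enough (presumably other code holds a reference to the same object — confirm) would spare the next reader a detour, e.g. `# refill in place: other code keeps references to this object`. If logFwList is a plain list, `logFwList[:] = logFwListCopy` expresses the same intent idiomatically. The enclosing handler starts outside the hunk.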
@@ -49,12 +49,12 @@ class Firewall:
 """ Bans an IP.
 """
 ip = aInfo["ip"]
+ self.runCheck("pre-fwban", debug)
 if not self.inBanList(ip):
 crtTime = time.time()
 logSys.warn("Ban " + ip)
 self.banList[ip] = crtTime
 aInfo["bantime"] = crtTime
- self.runCheck("pre-fwban", debug)
 cmd = self.banIP(aInfo)
 if executeCmd(cmd, debug):
 raise ExternalError("Firewall: execution of fwban command '%s' failed"%cmd)
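Review bot: Moving `self.runCheck("pre-fwban", debug)` ahead of the `inBanList` test means the external consistency check now runs on every call, including those for IPs already in banList where no fwban command will be executed; this looks intended, so that externally altered chains are noticed even when nothing new is banned, but the docstring `""" Bans an IP. """` says nothing about it, nor that the method can raise ExternalError from the check as well as from the fwban command. Suggest extending the docstring to one sentence stating that the pre-fwban check always runs first and that ExternalError is raised when either the check or the fwban command fails. The method signature is above the hunk.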