refined it to work nicely with current approach to handle externally modified iptables

2005-10-12 15:08:05 +00:00 · 2005-10-12 15:08:05 +00:00 · 9c639040bc
parent da0bb74180
commit 9c639040bc
4 changed files with 35 additions and 21 deletions
--- a/config/fail2ban.conf.default
+++ b/config/fail2ban.conf.default
@ -97,6 +97,21 @@ cmdend =
 #
 polltime = 1

+# Option:  reinittime
+# Notes.:  minimal number of seconds between the re-initialization of
+#          firewalls due to external changes in their rules (see fwcheck)
+# Values:  NUM  Default:  100
+#
+reinittime = 10
+
+# Option:  maxreinits
+# Notes.:  maximal number of re-initialization of firewalls due to external
+#          changes. -1 stays for infinite, so only reinittime is of importance
+# Values:  NUM  Default:  -1
+#
+maxreinits = -1
+
+
 [MAIL]
 # Option:  enabled
 # Notes.:  enable mail notification when banning an IP address.
--- a/debian/changelog
+++ b/debian/changelog
@ -1,19 +1,19 @@
 fail2ban (0.5.4-5.7) unstable; urgency=low

  * Added a notification regarding the importance of 0.5.4-5 change of
-    failregex in the config file
-  * Adjusted address to FSF
+    failregex in the config file.
+  * Adjusted address to FSF.
  * Adjusted failregex for SSH so it bans "Illegal user" entries as well, and
    restricted full failregex more to include ":" at the beginning, because
    otherwise it might not be sufficient and would revive bug 330827 (closes:
-    #333056)
+    #333056).
  * Adjusted failregex for SSH to accommodate recent changes in logging of
-    SSH: Illegal -> Invalid. Should match both now
+    SSH: Illegal -> Invalid. Should match both now.
  * Fixed a problem of raise AttributeError exception reported as a side
-    effect of crash during parsing of the config file
+    effect of crash during parsing of the config file.
  * Introduced fwcheck option to verify consistency of the
    chains. Implemented automatic restart of fail2ban main function in
-    case if check of fwban failed. Should close few bugs
+    case if check of fwban or fwban command failed (closes: #329163, #331695).

 -- Yaroslav Halchenko <debian@onerussian.com>  Mon,  3 Oct 2005 22:26:28 -1000

--- a/fail2ban.py
+++ b/fail2ban.py
@ -216,7 +216,9 @@ def main():
 					["str", "ignoreip", ""],
 					["int", "polltime", 1],
 					["str", "cmdstart", ""],
-					["str", "cmdend", ""])
+					["str", "cmdend", ""],
+					["int", "reinittime", 100],
+					["int", "maxreinits", 100])

 	# Gets global configuration options
 	conf.update(confReader.getLogOptions("DEFAULT", optionValues))
@ -415,13 +417,8 @@ def main():
 	
 	initializeFwRules()
 	
-	# yoh: I don't think that this parameters need to be configured
-	#      and probably maxRestarts should be removed
-	legitRestartTime = 10				 # legitimate minimal restart time
-	maxRestarts = 100			  # max number of times to perform restart
-
-	lastRestartTime = time.time()
-	restarts = 0
+	lastReinitTime = time.time()-conf["reinittime"]-1 # try to reinit once if it fails immediately
+	reinits = 0
 	# Main loop
 	while True:
 		try:
@ -484,12 +481,14 @@ def main():
 		except ExternalError, e:
 			# Something wrong while dealing with Iptables.
 			# May be chain got removed?
-			logSys.error("Fail2Ban got a problem: " + e.__str__())
-			if (unixTime - lastRestartTime > legitRestartTime) and (restarts < maxRestarts):
-				logSys.error("Reinitializing firewalls for the %dst time "%restarts)
-				lastRestartTime = time.time()
+			reinits += 1
+			logSys.error(e)
+			if ((unixTime - lastReinitTime > conf["reinittime"]) and
+				((conf["maxreinits"]<0) or (reinits < conf["maxreinits"]))):
+				logSys.warn("#%d reinitialization of firewalls"%reinits)
+				lastReinitTime = unixTime
 			else:
-				logSys.error("Exiting: restarts follow too often, or too many restart attempts")
+				logSys.error("Exiting: reinits follow too often, or too many reinit attempts")
 				killApp()

 			# save firewalls to keep a list of IPs for rebanning
@ -499,7 +498,7 @@ def main():
 			# reinitialize all the chains
 			initializeFwRules()
 			# restore the lists of baned IPs
-			logFwList = logFwListCopy
+			logFwList.__init__(logFwListCopy)
 			# reBan known IPs
 			reBan()
 		except KeyboardInterrupt:
--- a/firewall/firewall.py
+++ b/firewall/firewall.py
@ -49,12 +49,12 @@ class Firewall:
 		""" Bans an IP.
 		"""
 		ip = aInfo["ip"]
+		self.runCheck("pre-fwban", debug)
 		if not self.inBanList(ip):
 			crtTime = time.time()
 			logSys.warn("Ban " + ip)
 			self.banList[ip] = crtTime
 			aInfo["bantime"] = crtTime
-			self.runCheck("pre-fwban", debug)
 			cmd = self.banIP(aInfo)
 			if executeCmd(cmd, debug):
 				raise ExternalError("Firewall: execution of fwban command '%s' failed"%cmd)