From 9fe0a69852e692fd9cc1f47acbf5b13a4d79273f Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Sat, 14 Dec 2013 09:06:01 +0000
Subject: [PATCH] ENH: add firewallcmd-ipset
---
 config/action.d/firewallcmd-ipset.conf | 69 ++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 config/action.d/firewallcmd-ipset.conf
diff --git a/config/action.d/firewallcmd-ipset.conf b/config/action.d/firewallcmd-ipset.conf
new file mode 100644
index 00000000..2c4a36f1
--- /dev/null
+++ b/config/action.d/firewallcmd-ipset.conf
@@ -0,0 +1,69 @@
+# Fail2Ban action file for firewall-cmd/ipset
+#
+# This requires:
+# ipset (package: ipset)
+# firewall-cmd (package: firewalld)
+#
+# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
+# Use ipset -V to see the protocol and version.
+#
+# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
+#
+# If you are running on an older kernel you make need to patch in external
+# modules.
+ [INCLUDES]
+
+ before = iptables-blocktype.conf
+
+ [Definition]
+
+ actionstart = ipset create fail2ban- hash:ip timeout
+ firewall-cmd --direct --add-rule ipv4 filter 0 -p -m multiport --dports -m set --match-set fail2ban- src -j
+
+ actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -p -m multiport --dports -m set --match-set fail2ban- src -j
+ ipset flush fail2ban-
+ ipset destroy fail2ban-
+
+ actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q '^fail2ban-$'
+
+ actionban = ipset add fail2ban- timeout -exist
+
+ actionunban = ipset del fail2ban- -exist
+
+ [Init]
+
+ # Default name of the chain
+ #
+ name = default
+
+ # Option: port
+ # Notes.: specifies port to monitor
+ # Values: [ NUM | STRING ]
+ #
+ port = ssh
+
+ # Option: protocol
+ # Notes.: internally used by config reader for interpolations.
+ # Values: [ tcp | udp | icmp | all ]
+ #
+ protocol = tcp
+
+ # Option: chain
+ # Notes specifies the iptables chain to which the fail2ban rules should be
+ # added
+ # Values: [ STRING ]
+ #
+ chain = INPUT_direct
+
+ # Option: bantime
+ # Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
+ # Values: [ NUM ] Default: 600
+
+ bantime = 600
+
+
+ # DEV NOTES:
+ #
+ # Author: Edgar Hoch and Daniel Black
+ # firewallcmd-new / iptables-ipset-proto6 combined for maximium goodness
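Review bot: `actioncheck` greps the output of `firewall-cmd --direct --get-chains ipv4 filter` for a chain named after the jail, but nothing in `actionstart` creates a direct chain — it only creates the ipset and adds a rule to the existing `chain` (INPUT_direct) — so the check appears unable to ever pass, and fail2ban would then re-run `actionstart` on each ban, where the second `ipset create` (issued without `-exist`, unlike `actionban`/`actionunban`) errors on the already-existing set. The interpolation tags (`<name>`, `<port>`, `<bantime>`, `<ip>`, `<chain>`, `<blocktype>`) look to have been stripped by the rendering, so this is inferred from the remaining command shape. A check that verifies what start actually creates would be closer to `actioncheck = ipset list fail2ban-<name> >/dev/null 2>&1 && firewall-cmd --direct --get-rules ipv4 filter <chain> | grep -q 'fail2ban-<name>'`; if no reliable probe exists, dropping `actioncheck` is safer than leaving one that always fails. A comment above `actioncheck` stating which resource (ipset and/or direct rule) it verifies would also help maintainers.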