diff --git a/.travis.yml b/.travis.yml index 4dafda11..41eeca27 100644 --- a/.travis.yml +++ b/.travis.yml @@ -12,7 +12,7 @@ before_install: install: - pip install pyinotify - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then sudo apt-get install -qq python-gamin; cp /usr/share/pyshared/gamin.py /usr/lib/pyshared/python2.7/_gamin.so $VIRTUAL_ENV/lib/python2.7/site-packages/; fi - - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then pip install -q coveralls; fi + - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then cd ..; pip install -q coveralls; cd -; fi script: - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then coverage run --rcfile=.travis_coveragerc setup.py test; else python setup.py test; fi after_success: diff --git a/THANKS b/THANKS index f252edbf..f7df14c4 100644 --- a/THANKS +++ b/THANKS @@ -99,5 +99,6 @@ Yaroslav Halchenko Winston Smith ykimon Yehuda Katz +Zbigniew Jędrzejewski-Szmek zugeschmiert Zurd diff --git a/config/action.d/iptables-xt_recent-echo.conf b/config/action.d/iptables-xt_recent-echo.conf index 4be97c44..5d309b56 100644 --- a/config/action.d/iptables-xt_recent-echo.conf +++ b/config/action.d/iptables-xt_recent-echo.conf @@ -33,13 +33,14 @@ before = iptables-blocktype.conf # own rules. The 3600 second timeout is independent and acts as a # safeguard in case the fail2ban process dies unexpectedly. The # shorter of the two timeouts actually matters. -actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name f2b- -j +actionstart = if [ `id -u` -eq 0 ];then iptables -I INPUT -m recent --update --seconds 3600 --name f2b- -j ;fi # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = echo / > /proc/net/xt_recent/f2b- + if [ `id -u` -eq 0 ];then iptables -D INPUT -m recent --update --seconds 3600 --name f2b- -j ;fi # Option: actioncheck # Notes.: command executed once before each actionban command diff --git a/doc/run-rootless.txt b/doc/run-rootless.txt index 5edf6ef6..57cd6f3a 100644 
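Review bot: The new install line chains its commands with `;`, so the step's exit status is that of the trailing `cd -` and a failed `pip install -q coveralls` no longer fails the install phase. Chaining with `&&` keeps the failure visible: `if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then cd .. && pip install -q coveralls && cd -; fi`. A short YAML comment saying why the install has to run outside the checkout would also help, since the line itself does not say.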
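Review bot: With the `id -u` guard in `actionstart`, a non-root run skips the `iptables -I INPUT -m recent ...` rule without any message, so if the administrator has not installed that rule beforehand, the addresses written to the xt_recent list are never matched and bans silently have no effect. Because this commit also removes the override instructions from doc/run-rootless.txt, the file itself should say so, for example with a comment above `actionstart`: `# When not run as root the rule is not inserted here; it must already be in place (see doc/run-rootless.txt)`. The same applies to the guarded `iptables -D` line added to `actionstop`. Note also that uid 0 is only a proxy for being allowed to change netfilter rules; a root process without that capability would presumably still fail here, which is worth confirming for containerised setups.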
--- a/doc/run-rootless.txt +++ b/doc/run-rootless.txt @@ -74,12 +74,6 @@ further configuration. To run not as root, further setup is necessary: with suitably replaced. - - suppress actionstart for iptables-xt_recent-echo action by creating an override file - iptables-xt_recent-echo.local to accompany iptables-xt_recent-echo.conf with - - [Definition] - actionstart = - - Permissions: make sure that configuration files under /etc/fail2ban are readable by diff --git a/fail2ban/server/filter.py b/fail2ban/server/filter.py index e777d973..67d91538 100644 --- a/fail2ban/server/filter.py +++ b/fail2ban/server/filter.py @@ -357,6 +357,9 @@ class Filter(JailThread): # IP address without CIDR mask if len(s) == 1: s.insert(1, '32') + elif "." in s[1]: # 255.255.255.0 style mask + s[1] = len(re.search( + "(?<=b)1+", bin(DNSUtils.addr2bin(s[1]))).group()) s[1] = long(s[1]) try: a = DNSUtils.cidr(s[0], s[1]) diff --git a/fail2ban/tests/filtertestcase.py b/fail2ban/tests/filtertestcase.py index e7e874b5..40ac6c13 100644 --- a/fail2ban/tests/filtertestcase.py +++ b/fail2ban/tests/filtertestcase.py @@ -236,6 +236,15 @@ class IgnoreIP(LogCaptureTestCase): self.assertFalse(self.filter.inIgnoreIPList('192.168.1.255')) self.assertFalse(self.filter.inIgnoreIPList('192.168.0.255')) + def testIgnoreIPMask(self): + self.filter.addIgnoreIP('192.168.1.0/255.255.255.128') + self.assertTrue(self.filter.inIgnoreIPList('192.168.1.0')) + self.assertTrue(self.filter.inIgnoreIPList('192.168.1.1')) + self.assertTrue(self.filter.inIgnoreIPList('192.168.1.127')) + self.assertFalse(self.filter.inIgnoreIPList('192.168.1.128')) + self.assertFalse(self.filter.inIgnoreIPList('192.168.1.255')) + self.assertFalse(self.filter.inIgnoreIPList('192.168.0.255')) + def testIgnoreInProcessLine(self): setUpMyTime() self.filter.addIgnoreIP('192.168.1.0/25')
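Review bot: The new `elif "." in s[1]` branch derives the prefix length by counting only the first run of 1 bits in `bin(...)`, which mis-handles every mask that is not a clean left-aligned run. `bin()` drops leading zeros, so `0.0.0.255` is read as /8 and `255.0.255.0` as /8, silently widening the ignore list, which is an allowlist that exempts hosts from banning. A mask of `0.0.0.0` gives `'0b0'`, so `re.search` returns None and `.group()` raises AttributeError. The mask should be checked for contiguity and rejected otherwise, as sketched below; how the rejection is reported depends on the rest of the function, which starts and ends outside this hunk.

```python
elif "." in s[1]: # 255.255.255.0 style mask
    mask = DNSUtils.addr2bin(s[1])
    host_bits = ~mask & 0xFFFFFFFF
    # A valid netmask is a run of 1 bits followed only by 0 bits, so the
    # inverted mask must have the form 2**k - 1.
    if host_bits & (host_bits + 1):
        # reject here: report the bad mask the way this function reports
        # other invalid ignoreip entries, and do not add the entry
        raise ValueError("non-contiguous netmask: %r" % (s[1],))
    s[1] = bin(mask).count("1")
# ... unchanged: s[1] = long(s[1]) and the DNSUtils.cidr() call ...
```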
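Review bot: `testIgnoreIPMask` exercises only one well-formed mask, `255.255.255.128`, so the boundary and malformed cases of the dotted-mask parser are untested. Add cases for `/255.255.255.255` (single host), `/0.0.0.0`, and a non-contiguous mask such as `/255.0.255.0`, each asserting the behaviour the project decides on. For the malformed mask, something like `self.assertFalse(self.filter.inIgnoreIPList('192.5.1.7'))` after adding `'192.168.1.0/255.0.255.0'` would pin that the entry does not quietly become a /8.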