From b3bd877d23e578e12791c6db4ca9fd82108d75c3 Mon Sep 17 00:00:00 2001
From: Daniel Black <grooverdan@users.sourceforge.net>
Date: Tue, 30 Apr 2013 07:48:01 +1000
Subject: [PATCH 01/46] BF: change common.conf to handle formats of syslog -v
 and syslog -vv in BSD

---
 config/filter.d/common.conf | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/config/filter.d/common.conf b/config/filter.d/common.conf
index 18bf41c5..a5fe1176 100644
--- a/config/filter.d/common.conf
+++ b/config/filter.d/common.conf
@@ -41,7 +41,10 @@ __hostname = \S+
 #
 # Common line prefixes (beginnings) which could be used in filters
 #
-#       [hostname] [vserver tag] daemon_id spaces
-# this can be optional (for instance if we match named native log files)
-__prefix_line = \s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*
-
+#      [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
+# 
+# bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or
+# <auth.info> appearing before the host as per testcases/files/logs/bsd/*.
+#
+# This can be optional (for instance if we match named native log files)
+__prefix_line = \s*(<[^.]+.[^.]+>)?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*

From cde710803367b8529cde6093232ca1151d20ddd7 Mon Sep 17 00:00:00 2001
From: Daniel Black <grooverdan@users.sourceforge.net>
Date: Mon, 29 Apr 2013 13:47:33 +1000
Subject: [PATCH 02/46] DOC: bsd syslog files thanks to Nick Hilliard

---
 testcases/files/logs/bsd/syslog-plain.txt |  3 +++
 testcases/files/logs/bsd/syslog-v.txt     | 10 ++++++++++
 testcases/files/logs/bsd/syslog-vv.txt    |  5 +++++
 3 files changed, 18 insertions(+)
 create mode 100644 testcases/files/logs/bsd/syslog-plain.txt
 create mode 100644 testcases/files/logs/bsd/syslog-v.txt
 create mode 100644 testcases/files/logs/bsd/syslog-vv.txt

diff --git a/testcases/files/logs/bsd/syslog-plain.txt b/testcases/files/logs/bsd/syslog-plain.txt
new file mode 100644
index 00000000..7dcecb2e
--- /dev/null
+++ b/testcases/files/logs/bsd/syslog-plain.txt
@@ -0,0 +1,3 @@
+Apr  2 17:52:55 pancake sshd[55657]: Invalid user oracle from 192.0.2.100
+Apr  2 17:53:01 pancake sshd[55657]: error: PAM: authentication error for illegal user oracle from test.example.com
+Apr  2 17:53:01 pancake sshd[55657]: Failed keyboard-interactive/pam for invalid user oracle from 192.0.2.100 port 48856 ssh2
diff --git a/testcases/files/logs/bsd/syslog-v.txt b/testcases/files/logs/bsd/syslog-v.txt
new file mode 100644
index 00000000..319582ba
--- /dev/null
+++ b/testcases/files/logs/bsd/syslog-v.txt
@@ -0,0 +1,10 @@
+Apr  2 17:51:27 <4.3> pancake sshd[55624]: error: PAM: authentication error for nick from test.example.com
+Apr  2 17:51:32 <4.6> pancake sshd[55628]: Invalid user r00t from 192.0.2.100
+Apr  2 17:51:33 <4.3> pancake sshd[55628]: error: PAM: authentication error for illegal user r00t from test.example.com
+Apr  2 17:51:33 <4.6> pancake sshd[55628]: Failed keyboard-interactive/pam for invalid user r00t from 192.0.2.100 port 46050 ssh2
+Apr  2 17:51:34 <4.3> pancake sshd[55628]: error: PAM: authentication error for illegal user r00t from test.example.com
+Apr  2 17:51:34 <4.6> pancake sshd[55628]: Failed keyboard-interactive/pam for invalid user r00t from 192.0.2.100 port 46050 ssh2
+Apr  2 17:51:36 <4.3> pancake sshd[55628]: error: PAM: authentication error for illegal user r00t from test.example.com
+Apr  2 17:51:36 <4.6> pancake sshd[55628]: Failed keyboard-interactive/pam for invalid user r00t from 192.0.2.100 port 46050 ssh2
+Apr  2 17:52:06 <4.6> pancake sshd[55647]: Invalid user oracle from 192.0.2.100
+Apr  2 17:52:07 <4.3> pancake sshd[55647]: error: PAM: authentication error for illegal user oracle from test.example.com
diff --git a/testcases/files/logs/bsd/syslog-vv.txt b/testcases/files/logs/bsd/syslog-vv.txt
new file mode 100644
index 00000000..74143226
--- /dev/null
+++ b/testcases/files/logs/bsd/syslog-vv.txt
@@ -0,0 +1,5 @@
+Mar 19 23:48:18 <auth.info> pancake sshd[55517]: Invalid user r00t from 183.60.159.20
+Mar 19 23:48:20 <auth.info> pancake sshd[55519]: Invalid user r00t from 183.60.159.20
+Mar 19 23:50:03 <auth.info> pancake sshd[55604]: Invalid user http from 183.60.159.20
+Mar 19 23:50:05 <auth.info> pancake sshd[55606]: Invalid user kylix from 183.60.159.20
+Mar 19 23:50:08 <auth.info> pancake sshd[55608]: Invalid user nagios from 183.60.159.20

From ebfab512bc7618365ea8eaf64f4039ea709c6f5b Mon Sep 17 00:00:00 2001
From: Daniel Black <grooverdan@users.sourceforge.net>
Date: Fri, 3 May 2013 16:15:26 +1000
Subject: [PATCH 03/46] DOC: credits for bsd log

---
 ChangeLog | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index c80e3b3c..24a88587 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -50,6 +50,8 @@ Borreli, blotus:
      gh-70. Thanks to iGeorgeX for the idea.
   blotus
    * [96eb8986] ' and " should also be escaped in action tags Closes gh-109
+  Christoph Theis, Nick Hilliard, Daniel Black
+   * [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD
 - New features:
   Yaroslav Halchenko
    * [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile}

From b6d0e8ad9c7b688e8bc4dd375bdc897293a21320 Mon Sep 17 00:00:00 2001
From: Daniel Black <grooverdan@users.sourceforge.net>
Date: Fri, 3 May 2013 16:31:45 +1000
Subject: [PATCH 04/46] ENH: add ipfw rule for bsd using the tables.

---
 config/action.d/bsd-ipfw.conf | 82 +++++++++++++++++++++++++++++++++++
 config/jail.conf              | 13 ++++++
 2 files changed, 95 insertions(+)
 create mode 100644 config/action.d/bsd-ipfw.conf

diff --git a/config/action.d/bsd-ipfw.conf b/config/action.d/bsd-ipfw.conf
new file mode 100644
index 00000000..33f176e4
--- /dev/null
+++ b/config/action.d/bsd-ipfw.conf
@@ -0,0 +1,82 @@
+# Fail2Ban configuration file
+#
+# Author: Nick Munger
+# Modified by: Ken Menzel
+#              Daniel Black (start/stop)
+#              Fabian Wenk (many ideas as per fail2ban users list)
+#
+# Ensure firewall_enable="YES" in the top of /etc/rc.conf
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = ipfw show | fgrep -q 'table(<table>)' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }'; num=$?; ipfw -q add $num deny <block> from table\(<table>\) to me <port>; echo $num > "<startstatefile>" )
+
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =  [ -f <startstatefile> ] && ( read num < "<startstatefile>" <br> ipfw -q delete $num <br> rm "<startstatefile>" )
+
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+# requires an ipfw rule like "deny ip from table(1) to me"
+actionban = ipfw table <table> add <ip>
+
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = ipfw table <table> delete <ip>
+
+[Init]
+# Option:  table
+# Notes:   The ipfw table to use. If a ipfw rule using this table already exists,
+#          this action will not create a ipfw rule to block it and the following
+#          options will have no effect.
+# Values:  NUM
+table = 1
+
+# Option:  port
+# Notes.:  Specifies port to monitor. Blank indicate block all ports.
+# Values:  [ NUM | STRING ]
+#
+port = 
+
+# Option:  startstatefile
+# Notes:   A file to indicate that the table rule that was added. Ensure it is unique per table.
+# Values:  STRING
+startstatefile = /var/run/fail2ban/ipfw-started-table_<table>
+
+# Option:  action
+# Notes:   This is the action to take for automaticly created rules. See the 
+#          ACTION defination at the top of man ipfw for allowed values.
+#          "deny" and "unreach port" are probably the useful.
+# Values:  STRING
+action = deny
+
+# Option: block
+# Notes:  This is how much to block.
+#         Can be "ip", "tcp", "udp" or various other options.
+# Values: STRING
+block = ip
diff --git a/config/jail.conf b/config/jail.conf
index 8b82d1d7..17c4dfe9 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -139,6 +139,19 @@ action   = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
 logpath  = /var/log/sshd.log
 maxretry = 5
 
+# bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
+# table number must be unique.
+# 
+# This will create a deny rule for that table ONLY if a rule 
+# for the table doesn't ready exist.
+#
+[ssh-bsd-ipfw]
+enabled  = false
+filter   = sshd
+action   = bsd-ipfw[port=ssh,table=1]
+logpath  = /var/log/auth.log
+maxretry = 5
+
 # This jail demonstrates the use of wildcards in "logpath".
 # Moreover, it is possible to give other files on a new line.
 

From f402609f19fcbf2467adbe9d64766fa9107aad30 Mon Sep 17 00:00:00 2001
From: Daniel Black <grooverdan@users.sourceforge.net>
Date: Fri, 3 May 2013 16:32:11 +1000
Subject: [PATCH 05/46] DOC: credits for bsd-ipfw

---
 ChangeLog | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index c80e3b3c..35c706cc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -69,6 +69,9 @@ Borreli, blotus:
    * [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
   Daniel Black
    * [be06b1b] Add action for iptables-ipsets. Closes gh-102.
+  Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk
+   * [b6d0e8a] Add and enhance the bsd-ipfw action from
+     FreeBSD ports.
   Soulard Morgan
    * [f336d9f] Add filter for webmin. Closes gh-99.
 - Enhancements:

From 0c5a9c53e1542784b7c1ab2d41463aa464f54104 Mon Sep 17 00:00:00 2001
From: Daniel Black <grooverdan@users.sourceforge.net>
Date: Tue, 16 Apr 2013 21:11:06 +1000
Subject: [PATCH 06/46] ENH: pf action thanks to Nick Hilliard
 <nick@foobar.org>.

---
 config/action.d/pf.conf | 62 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 config/action.d/pf.conf

diff --git a/config/action.d/pf.conf b/config/action.d/pf.conf
new file mode 100644
index 00000000..d82cbb12
--- /dev/null
+++ b/config/action.d/pf.conf
@@ -0,0 +1,62 @@
+# Fail2Ban configuration file
+#
+# OpenBSD pf ban/unban
+#
+# Author: Nick Hilliard <nick@foobar.org>
+#
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+# we don't enable PF automatically, as it will be enabled elsewhere
+actionstart = 
+
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+# we don't disable PF automatically either
+actionstop = 
+
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionban = /sbin/pfctl -t <tablename> -T add <ip>/32
+
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+# note -r option used to remove matching rule
+actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32
+
+[Init]
+# Option:  tablename
+# Notes.:  The pf table name.
+# Values:  [ STRING ]  Default: fail2ban
+#
+tablename = fail2ban
+

From 462dafa32f4766c0d6e8e9267adda776c9b11e9c Mon Sep 17 00:00:00 2001
From: Daniel Black <grooverdan@users.sourceforge.net>
Date: Fri, 3 May 2013 16:38:30 +1000
Subject: [PATCH 07/46] DOC: credit for pf action. Origin:
 http://svnweb.freebsd.org/ports/head/security/py-fail2ban/files/patch-pf.conf?view=log

---
 ChangeLog | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index c80e3b3c..00898141 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -71,6 +71,8 @@ Borreli, blotus:
    * [be06b1b] Add action for iptables-ipsets. Closes gh-102.
   Soulard Morgan
    * [f336d9f] Add filter for webmin. Closes gh-99.
+  Nick Hilliard
+   * [0c5a9c5] Add pf action.
 - Enhancements:
   Enrico Labedzki
    * [24a8d07] Added new date format for ASSP SMTP Proxy.

From aa52743f52014ae57bc705c77a33a8157df40338 Mon Sep 17 00:00:00 2001
From: Daniel Black <grooverdan@users.sourceforge.net>
Date: Fri, 3 May 2013 16:42:10 +1000
Subject: [PATCH 08/46] DOC: add jail.conf entry for pf

---
 config/jail.conf | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/config/jail.conf b/config/jail.conf
index 8b82d1d7..1549e6a4 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -380,3 +380,14 @@ action   = iptables-allports[name=recidive]
 bantime  = 604800  ; 1 week
 findtime = 86400   ; 1 day
 maxretry = 5
+
+# PF is a BSD based firewall
+[ssh-pf]
+
+enabled=false
+filter = sshd
+action = pf
+logpath  = /var/log/sshd.log
+maxretry=5
+
+

From 8a17a70d250b515f01ec6091d5e71e27fed0a878 Mon Sep 17 00:00:00 2001
From: Daniel Black <grooverdan@users.sourceforge.net>
Date: Fri, 3 May 2013 17:12:55 +1000
Subject: [PATCH 09/46] BF: missed MANIFEST include

---
 MANIFEST | 1 +
 1 file changed, 1 insertion(+)

diff --git a/MANIFEST b/MANIFEST
index 364c0b08..0a0cbbce 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -97,6 +97,7 @@ config/filter.d/dropbear.conf
 config/filter.d/lighttpd-auth.conf
 config/filter.d/recidive.conf
 config/filter.d/roundcube-auth.conf
+config/action.d/bsd-ipfw.conf
 config/action.d/dummy.conf
 config/action.d/iptables-ipset-proto4.conf
 config/action.d/iptables-ipset-proto6.conf

From 54c2bf3dfb71b164f5b6a1abe2e6e480499502fa Mon Sep 17 00:00:00 2001
From: Daniel Black <grooverdan@users.sourceforge.net>
Date: Fri, 3 May 2013 17:14:20 +1000
Subject: [PATCH 10/46] BF: missed MANIFEST include

---
 MANIFEST | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/MANIFEST b/MANIFEST
index 364c0b08..05eb35b1 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -43,6 +43,9 @@ server/datetemplate.py
 server/mytime.py
 server/failregex.py
 testcases/files/testcase-usedns.log
+testcases/files/logs/bsd/syslog-plain.txt
+testcases/files/logs/bsd/syslog-v.txt
+testcases/files/logs/bsd/syslog-vv.txt
 testcases/banmanagertestcase.py
 testcases/failmanagertestcase.py
 testcases/clientreadertestcase.py

From f52142b5cbe95ac3122b516aa101021a168c8403 Mon Sep 17 00:00:00 2001
From: Daniel Black <grooverdan@users.sourceforge.net>
Date: Fri, 3 May 2013 17:15:28 +1000
Subject: [PATCH 11/46] BF: missed MANIFEST include

---
 MANIFEST | 1 +
 1 file changed, 1 insertion(+)

diff --git a/MANIFEST b/MANIFEST
index 364c0b08..6dd54366 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -117,6 +117,7 @@ config/action.d/mail-buffered.conf
 config/action.d/mail-whois.conf
 config/action.d/mail-whois-lines.conf
 config/action.d/mynetwatchman.conf
+config/action.d/pf.conf
 config/action.d/sendmail.conf
 config/action.d/sendmail-buffered.conf
 config/action.d/sendmail-whois.conf

From 3b4a7b7926234fce415372d3d5b1d5ba43e5c4a5 Mon Sep 17 00:00:00 2001
From: Daniel Black <grooverdan@users.sourceforge.net>
Date: Sun, 5 May 2013 15:43:18 +1000
Subject: [PATCH 12/46] ENH: add blocktype to all relevant actions. Also
 default the rejection to a ICMP reject rather than a drop

---
 config/action.d/ipfilter.conf                |  9 +++++++--
 config/action.d/ipfw.conf                    | 10 +++++++++-
 config/action.d/iptables-allports.conf       | 11 +++++++++--
 config/action.d/iptables-ipset-proto4.conf   | 10 ++++++++--
 config/action.d/iptables-ipset-proto6.conf   |  6 ++++++
 config/action.d/iptables-multiport-log.conf  |  9 ++++++++-
 config/action.d/iptables-multiport.conf      | 11 +++++++++--
 config/action.d/iptables-new.conf            | 11 +++++++++--
 config/action.d/iptables-xt_recent-echo.conf |  9 ++++++++-
 config/action.d/iptables.conf                | 12 ++++++++++--
 config/action.d/route.conf                   | 13 ++++++-------
 config/action.d/shorewall.conf               |  8 +++++++-
 12 files changed, 96 insertions(+), 23 deletions(-)

diff --git a/config/action.d/ipfilter.conf b/config/action.d/ipfilter.conf
index d77de9bf..61420e38 100644
--- a/config/action.d/ipfilter.conf
+++ b/config/action.d/ipfilter.conf
@@ -37,7 +37,7 @@ actioncheck =
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = echo block in quick from <ip>/32 | /sbin/ipf -f -
+actionban = echo block <blocktype> in quick from <ip>/32 | /sbin/ipf -f -
 
 
 # Option:  actionunban
@@ -47,7 +47,12 @@ actionban = echo block in quick from <ip>/32 | /sbin/ipf -f -
 # Values:  CMD
 #
 # note -r option used to remove matching rule
-actionunban = echo block in quick from <ip>/32 | /sbin/ipf -r -f -
+actionunban = echo block <blocktype> in quick from <ip>/32 | /sbin/ipf -r -f -
 
 [Init]
 
+# Option: Blocktype
+# Notes : This is the return-icmp[return-code] mentioned in the ipf man page section 5. Keep this quoted to prevent
+#         Shell expansion. This should be blank (unquoted) to drop the packet.
+# Values: STRING
+blocktype = "return-icmp(port-unr)"
diff --git a/config/action.d/ipfw.conf b/config/action.d/ipfw.conf
index 62612307..bf4dd43f 100644
--- a/config/action.d/ipfw.conf
+++ b/config/action.d/ipfw.conf
@@ -35,7 +35,7 @@ actioncheck =
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = ipfw add deny tcp from <ip> to <localhost> <port>
+actionban = ipfw add <blocktype> tcp from <ip> to <localhost> <port>
 
 
 # Option:  actionunban
@@ -59,3 +59,11 @@ port = ssh
 # Values:  IP
 #
 localhost = 127.0.0.1
+
+
+# Option:  blocktype
+# Notes.:  How to block the traffic. Use a action from man 5 ipfw
+#          Common values: deny, unreach port, reset
+# Values:  STRING
+#
+blocktype = unreach port
diff --git a/config/action.d/iptables-allports.conf b/config/action.d/iptables-allports.conf
index a02ba63d..66ad0178 100644
--- a/config/action.d/iptables-allports.conf
+++ b/config/action.d/iptables-allports.conf
@@ -37,7 +37,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@@ -45,7 +45,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
 
 [Init]
 
@@ -64,3 +64,10 @@ protocol = tcp
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
+
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+blocktype = REJECT --reject-with icmp-port-unreachable
diff --git a/config/action.d/iptables-ipset-proto4.conf b/config/action.d/iptables-ipset-proto4.conf
index 4221dd8d..0999bca0 100644
--- a/config/action.d/iptables-ipset-proto4.conf
+++ b/config/action.d/iptables-ipset-proto4.conf
@@ -25,13 +25,13 @@
 # Values:  CMD
 #
 actionstart = ipset --create fail2ban-<name> iphash
-              iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j DROP
+              iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
 
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j DROP
+actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
              ipset --flush fail2ban-<name>
              ipset --destroy fail2ban-<name>
 
@@ -69,3 +69,9 @@ port = ssh
 #
 protocol = tcp
 
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+blocktype = REJECT --reject-with icmp-port-unreachable
diff --git a/config/action.d/iptables-ipset-proto6.conf b/config/action.d/iptables-ipset-proto6.conf
index d90acd44..95ff27c9 100644
--- a/config/action.d/iptables-ipset-proto6.conf
+++ b/config/action.d/iptables-ipset-proto6.conf
@@ -76,3 +76,9 @@ protocol = tcp
 bantime = 600
 
 
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+blocktype = REJECT --reject-with icmp-port-unreachable
diff --git a/config/action.d/iptables-multiport-log.conf b/config/action.d/iptables-multiport-log.conf
index 49958013..5ae93861 100644
--- a/config/action.d/iptables-multiport-log.conf
+++ b/config/action.d/iptables-multiport-log.conf
@@ -21,7 +21,7 @@ actionstart = iptables -N fail2ban-<name>
               iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
               iptables -N fail2ban-<name>-log
               iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
-              iptables -A fail2ban-<name>-log -j DROP
+              iptables -A fail2ban-<name>-log -j <blocktype>
 
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
@@ -78,3 +78,10 @@ protocol = tcp
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
+
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+blocktype = REJECT --reject-with icmp-port-unreachable
diff --git a/config/action.d/iptables-multiport.conf b/config/action.d/iptables-multiport.conf
index ab0ee8de..b7827451 100644
--- a/config/action.d/iptables-multiport.conf
+++ b/config/action.d/iptables-multiport.conf
@@ -35,7 +35,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@@ -43,7 +43,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
 
 [Init]
 
@@ -68,3 +68,10 @@ protocol = tcp
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
+
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+blocktype = REJECT --reject-with icmp-port-unreachable
diff --git a/config/action.d/iptables-new.conf b/config/action.d/iptables-new.conf
index 12f398c7..f5467ee2 100644
--- a/config/action.d/iptables-new.conf
+++ b/config/action.d/iptables-new.conf
@@ -37,7 +37,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@@ -45,7 +45,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
 
 [Init]
 
@@ -70,3 +70,10 @@ protocol = tcp
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
+
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+blocktype = REJECT --reject-with icmp-port-unreachable
diff --git a/config/action.d/iptables-xt_recent-echo.conf b/config/action.d/iptables-xt_recent-echo.conf
index 887311be..e7d7182f 100644
--- a/config/action.d/iptables-xt_recent-echo.conf
+++ b/config/action.d/iptables-xt_recent-echo.conf
@@ -29,7 +29,7 @@
 #    own rules. The 3600 second timeout is independent and acts as a
 #    safeguard in case the fail2ban process dies unexpectedly. The
 #    shorter of the two timeouts actually matters.
-actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j DROP
+actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j <blocktype>
 
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
@@ -70,3 +70,10 @@ name = default
 # Values:  [ tcp | udp | icmp | all ] Default: tcp
 #
 protocol = tcp
+
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+blocktype = REJECT --reject-with icmp-port-unreachable
diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf
index a3412f6b..be4b880c 100644
--- a/config/action.d/iptables.conf
+++ b/config/action.d/iptables.conf
@@ -35,7 +35,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@@ -43,7 +43,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
 
 [Init]
 
@@ -68,3 +68,11 @@ protocol = tcp
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
+
+Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+blocktype = REJECT --reject-with icmp-port-unreachable
+
diff --git a/config/action.d/route.conf b/config/action.d/route.conf
index ec940b74..9e3164cd 100644
--- a/config/action.d/route.conf
+++ b/config/action.d/route.conf
@@ -15,11 +15,10 @@
 #   - Blocking is per IP and NOT per service, but ideal as action against ssh password bruteforcing hosts
 
 [Definition]
-actionban   = ip route add <type> <ip>
-actionunban = ip route del <type> <ip>
+actionban   = ip route add <blocktype> <ip>
+actionunban = ip route del <blocktype> <ip>
 
-# Type of blocking
-#
-# Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages.
-
-type = blackhole
+# Option:  blocktype
+# Note:    Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages.
+# Values:  STRING
+blocktype = prohibit
diff --git a/config/action.d/shorewall.conf b/config/action.d/shorewall.conf
index aca3a256..7e0cee25 100644
--- a/config/action.d/shorewall.conf
+++ b/config/action.d/shorewall.conf
@@ -39,7 +39,7 @@ actioncheck =
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = shorewall drop <ip>
+actionban = shorewall <blocktype> <ip>
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@@ -48,3 +48,9 @@ actionban = shorewall drop <ip>
 # Values:  CMD
 #
 actionunban = shorewall allow <ip>
+
+# Option:  blocktype
+# Note:    This is what the action does with rules.
+#          See man page of shorewall for options that include drop, logdrop, reject, or logreject
+# Values:  STRING
+blocktype = reject

From 92dff6d645b26ce35c09689e654c2a4c6fb656c9 Mon Sep 17 00:00:00 2001
From: Steven Hiscocks <steven@hiscocks.me.uk>
Date: Mon, 6 May 2013 20:17:26 +0100
Subject: [PATCH 13/46] DOC: Added bash-completion script

---
 files/bash-completion | 152 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 152 insertions(+)
 create mode 100644 files/bash-completion

diff --git a/files/bash-completion b/files/bash-completion
new file mode 100644
index 00000000..25ccbc30
--- /dev/null
+++ b/files/bash-completion
@@ -0,0 +1,152 @@
+# fail2ban bash-completion                                 -*- shell-script -*-
+#
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+__sudo () {
+    sudo -n "$@" 2>/dev/null || return 0
+}
+__fail2ban_jails () {
+    __sudo "$1" status | awk -F"\t+" '/Jail list/{print $2}' | sed 's/, / /g'
+}
+
+_fail2ban () {
+    local cur prev words cword
+    _init_completion || return 
+
+    case $prev in
+        -V|--version|-h|--help)
+            return 0 # No further completion valid
+            ;;
+        -c)
+            _filedir -d # Directories
+            return 0
+            ;;
+        -s|-p)
+            _filedir # Files
+            return 0
+            ;;
+        *)
+            if [[ "$cur" == "-"* ]];then
+                COMPREPLY=( $( compgen -W \
+                    "$( _parse_help "$1" --help 2>/dev/null) -V" \
+                     -- "$cur") )
+                return 0
+            fi
+            ;;
+    esac
+
+    if [[ "$1" == *"fail2ban-regex" ]];then
+        _filedir
+        return 0
+    elif [[ "$1" == *"fail2ban-client" ]];then
+        local cmd jail
+        case $prev in
+            "$1")
+                COMPREPLY=( $( compgen -W \
+                    "$( "$1" --help 2>/dev/null | awk '/^    [a-z]+/{print $1}')" \
+                    -- "$cur") )
+                return 0
+                ;;
+            start|reload|stop|status)
+                COMPREPLY=( $(compgen -W "$(__fail2ban_jails "$1")" -- "$cur" ) )
+                return 0
+                ;;
+            set|get)
+                COMPREPLY=( $( compgen -W \
+                    "$( "$1" --help 2>/dev/null | awk '/^    '$prev' [^<]/{print $2}')" \
+                    -- "$cur") )
+                COMPREPLY+=( $(compgen -W "$(__fail2ban_jails "$1")" -- "$cur" ) )
+                return 0
+                ;;
+            *)
+                if [[ "${words[$cword-2]}" == "add" ]];then
+                    COMPREPLY=( $( compgen -W "auto polling gamin pyinotify" -- "$cur" ) )
+                    return 0
+                elif [[ "${words[$cword-2]}" == "set" ||  "${words[$cword-2]}" == "get" ]];then
+                    cmd="${words[cword-2]}"
+                    # Handle in section below
+                elif [[ "${words[$cword-3]}" == "set" || "${words[$cword-3]}" == "get" ]];then
+                    cmd="${words[$cword-3]}"
+                    jail="${words[$cword-2]}"
+                    # Handle in section below
+                fi
+            ;;
+        esac
+
+        if [[ -z "$jail" && -n "$cmd" ]];then
+            case $prev in
+                loglevel)
+                    if [[ "$cmd" == "set" ]];then
+                        COMPREPLY=( $( compgen -W "0 1 2 3 4" -- "$cur" ) )
+                    fi
+                    return 0
+                    ;;
+                logtarget)
+                    if [[ "$cmd" == "set" ]];then
+                        COMPREPLY=( $( compgen -W "STDOUT STDERR SYSLOG" -- "$cur" ) )
+                        _filedir # And files
+                    fi
+                    return 0
+                    ;;
+                *) # Jail name
+                    COMPREPLY=( $( compgen -W \
+                        "$( "$1" --help 2>/dev/null | awk '/^    '${cmd}' <JAIL>/{print $3}')" \
+                        -- "$cur") )
+                    return 0
+                    ;;
+            esac
+        elif [[ -n "$jail" && "$cmd" == "set" ]];then
+            case $prev in
+                addlogpath)
+                    _filedir
+                    return 0
+                    ;;
+                dellogpath|delignoreip)
+                    COMPREPLY=( $( compgen -W \
+                        "$( __sudo "$1" get "$jail" "${prev/del/}" | awk -F- '{print $2}')" \
+                    -- "$cur" ) )
+                    if [[ -z "$COMPREPLY" && "$prev" == "dellogpath" ]];then
+                        _filedir
+                    fi
+                    return 0
+                    ;;
+                delfailregex|delignoregex)
+                    COMPREPLY=( $( compgen -W \
+                        "$( __sudo "$1" get "$jail" "${prev/del/}" | awk -F"[][]" '{print $2}')" \
+                    -- "$cur" ) )
+                    return 0
+                    ;;
+                unbanip)
+                    COMPREPLY=( $( compgen -W \
+                        "$( __sudo "$1" status "$jail" | awk -F"\t+" '/IP list:/{print $2}')" \
+                    -- "$cur" ) )
+                    return 0
+                    ;;
+                idle)
+                    COMPREPLY=( $( compgen -W "on off" -- "$cur" ) )
+                    return 0
+                    ;;
+                usedns)
+                    COMPREPLY=( $( compgen -W "yes no warn" -- "$cur" ) )
+                    return 0
+                    ;;
+            esac
+        fi
+
+    fi # fail2ban-client
+} &&
+complete -F _fail2ban fail2ban-client fail2ban-server fail2ban-regex

From 95726b3976500b3d51d74ea24f0cb4640c79aaed Mon Sep 17 00:00:00 2001
From: Steven Hiscocks <steven@hiscocks.me.uk>
Date: Mon, 6 May 2013 20:37:58 +0100
Subject: [PATCH 14/46] DOC: Drop sudo from bash-completion

---
 files/bash-completion | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/files/bash-completion b/files/bash-completion
index 25ccbc30..7a42bd1e 100644
--- a/files/bash-completion
+++ b/files/bash-completion
@@ -16,11 +16,8 @@
 # along with Fail2Ban; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
-__sudo () {
-    sudo -n "$@" 2>/dev/null || return 0
-}
 __fail2ban_jails () {
-    __sudo "$1" status | awk -F"\t+" '/Jail list/{print $2}' | sed 's/, / /g'
+    "$1" status 2>/dev/null | awk -F"\t+" '/Jail list/{print $2}' | sed 's/, / /g'
 }
 
 _fail2ban () {
@@ -117,7 +114,7 @@ _fail2ban () {
                     ;;
                 dellogpath|delignoreip)
                     COMPREPLY=( $( compgen -W \
-                        "$( __sudo "$1" get "$jail" "${prev/del/}" | awk -F- '{print $2}')" \
+                        "$( "$1" get "$jail" "${prev/del/}" 2>/dev/null | awk -F- '{print $2}')" \
                     -- "$cur" ) )
                     if [[ -z "$COMPREPLY" && "$prev" == "dellogpath" ]];then
                         _filedir
@@ -126,13 +123,13 @@ _fail2ban () {
                     ;;
                 delfailregex|delignoregex)
                     COMPREPLY=( $( compgen -W \
-                        "$( __sudo "$1" get "$jail" "${prev/del/}" | awk -F"[][]" '{print $2}')" \
+                        "$( "$1" get "$jail" "${prev/del/}" 2>/dev/null | awk -F"[][]" '{print $2}')" \
                     -- "$cur" ) )
                     return 0
                     ;;
                 unbanip)
                     COMPREPLY=( $( compgen -W \
-                        "$( __sudo "$1" status "$jail" | awk -F"\t+" '/IP list:/{print $2}')" \
+                        "$( "$1" status "$jail" 2>/dev/null | awk -F"\t+" '/IP list:/{print $2}')" \
                     -- "$cur" ) )
                     return 0
                     ;;

From de563476197d2d6a15082801d3d49daa8d7bc9a9 Mon Sep 17 00:00:00 2001
From: Daniel Black <grooverdan@users.sourceforge.net>
Date: Wed, 8 May 2013 06:32:27 +1000
Subject: [PATCH 15/46] ENH: separate out regex and escape a .

---
 config/filter.d/common.conf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/config/filter.d/common.conf b/config/filter.d/common.conf
index a5fe1176..4bd519b3 100644
--- a/config/filter.d/common.conf
+++ b/config/filter.d/common.conf
@@ -38,6 +38,9 @@ __kernel_prefix = kernel: \[\d+\.\d+\]
 
 __hostname = \S+
 
+
+__bsd_syslog_verbose = (<[^.]+\.[^.]+>)
+
 #
 # Common line prefixes (beginnings) which could be used in filters
 #
@@ -47,4 +50,4 @@ __hostname = \S+
 # <auth.info> appearing before the host as per testcases/files/logs/bsd/*.
 #
 # This can be optional (for instance if we match named native log files)
-__prefix_line = \s*(<[^.]+.[^.]+>)?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*
+__prefix_line = \s*%(__bsd_syslog_verbose)s?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*

From c7fd7779664dda7247840485277315193f999102 Mon Sep 17 00:00:00 2001
From: Daniel Black <grooverdan@users.sourceforge.net>
Date: Wed, 8 May 2013 07:31:31 +1000
Subject: [PATCH 16/46] BF: default type to unreachable

---
 config/action.d/route.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/action.d/route.conf b/config/action.d/route.conf
index 9e3164cd..bb4ec8e1 100644
--- a/config/action.d/route.conf
+++ b/config/action.d/route.conf
@@ -21,4 +21,4 @@ actionunban = ip route del <blocktype> <ip>
 # Option:  blocktype
 # Note:    Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages.
 # Values:  STRING
-blocktype = prohibit
+blocktype = unreachable

From 9c03ee6d9ebc31bb1d00be8c747379c06cfde278 Mon Sep 17 00:00:00 2001
From: Daniel Black <grooverdan@users.sourceforge.net>
Date: Wed, 8 May 2013 07:52:08 +1000
Subject: [PATCH 17/46] ENH: consolidate where blocktype is defined for
 iptables rules

---
 MANIFEST                                     |  1 +
 config/action.d/iptables-allports.conf       | 12 +++++------
 config/action.d/iptables-blocktype.conf      | 22 ++++++++++++++++++++
 config/action.d/iptables-ipset-proto4.conf   | 11 ++++------
 config/action.d/iptables-ipset-proto6.conf   | 13 +++++-------
 config/action.d/iptables-multiport-log.conf  | 11 ++++------
 config/action.d/iptables-multiport.conf      | 11 ++++------
 config/action.d/iptables-new.conf            | 12 +++++------
 config/action.d/iptables-xt_recent-echo.conf | 12 +++++------
 config/action.d/iptables.conf                | 12 ++++-------
 10 files changed, 59 insertions(+), 58 deletions(-)
 create mode 100644 config/action.d/iptables-blocktype.conf

diff --git a/MANIFEST b/MANIFEST
index 364c0b08..999a6a95 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -98,6 +98,7 @@ config/filter.d/lighttpd-auth.conf
 config/filter.d/recidive.conf
 config/filter.d/roundcube-auth.conf
 config/action.d/dummy.conf
+config/action.d/iptables-blocktype.conf
 config/action.d/iptables-ipset-proto4.conf
 config/action.d/iptables-ipset-proto6.conf
 config/action.d/iptables-xt_recent-echo.conf
diff --git a/config/action.d/iptables-allports.conf b/config/action.d/iptables-allports.conf
index 66ad0178..17c75dda 100644
--- a/config/action.d/iptables-allports.conf
+++ b/config/action.d/iptables-allports.conf
@@ -7,6 +7,11 @@
 # $Revision$
 #
 
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+
 [Definition]
 
 # Option:  actionstart
@@ -64,10 +69,3 @@ protocol = tcp
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
-
-# Option:  blocktype
-# Note:    This is what the action does with rules. This can be any jump target
-#          as per the iptables man page (section 8). Common values are DROP
-#          REJECT, REJECT --reject-with icmp-port-unreachable
-# Values:  STRING
-blocktype = REJECT --reject-with icmp-port-unreachable
diff --git a/config/action.d/iptables-blocktype.conf b/config/action.d/iptables-blocktype.conf
new file mode 100644
index 00000000..c505e49c
--- /dev/null
+++ b/config/action.d/iptables-blocktype.conf
@@ -0,0 +1,22 @@
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+#
+# This is a included configuration file and includes the defination for the blocktype
+# used in all iptables based actions by default.
+#
+# The user can override the default in iptables-blocktype.local
+
+[INCLUDES]
+
+after = iptables-blocktype.local
+
+[Init]
+
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+blocktype = REJECT --reject-with icmp-port-unreachable
+
diff --git a/config/action.d/iptables-ipset-proto4.conf b/config/action.d/iptables-ipset-proto4.conf
index 0999bca0..3ed778f9 100644
--- a/config/action.d/iptables-ipset-proto4.conf
+++ b/config/action.d/iptables-ipset-proto4.conf
@@ -18,6 +18,10 @@
 # apt-get install ipset xtables-addons-source 
 # module-assistant auto-install xtables-addons
 
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
 [Definition]
 
 # Option:  actionstart
@@ -68,10 +72,3 @@ port = ssh
 # Values:  [ tcp | udp | icmp | all ] Default: tcp
 #
 protocol = tcp
-
-# Option:  blocktype
-# Note:    This is what the action does with rules. This can be any jump target
-#          as per the iptables man page (section 8). Common values are DROP
-#          REJECT, REJECT --reject-with icmp-port-unreachable
-# Values:  STRING
-blocktype = REJECT --reject-with icmp-port-unreachable
diff --git a/config/action.d/iptables-ipset-proto6.conf b/config/action.d/iptables-ipset-proto6.conf
index 95ff27c9..3cf9b140 100644
--- a/config/action.d/iptables-ipset-proto6.conf
+++ b/config/action.d/iptables-ipset-proto6.conf
@@ -18,6 +18,11 @@
 # apt-get install ipset xtables-addons-source 
 # module-assistant auto-install xtables-addons
 
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+
 [Definition]
 
 # Option:  actionstart
@@ -74,11 +79,3 @@ protocol = tcp
 # Values:  [ NUM ]  Default: 600
 
 bantime = 600
-
-
-# Option:  blocktype
-# Note:    This is what the action does with rules. This can be any jump target
-#          as per the iptables man page (section 8). Common values are DROP
-#          REJECT, REJECT --reject-with icmp-port-unreachable
-# Values:  STRING
-blocktype = REJECT --reject-with icmp-port-unreachable
diff --git a/config/action.d/iptables-multiport-log.conf b/config/action.d/iptables-multiport-log.conf
index 5ae93861..add57338 100644
--- a/config/action.d/iptables-multiport-log.conf
+++ b/config/action.d/iptables-multiport-log.conf
@@ -10,6 +10,10 @@
 # $Revision$
 #
 
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
 [Definition]
 
 # Option:  actionstart
@@ -78,10 +82,3 @@ protocol = tcp
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
-
-# Option:  blocktype
-# Note:    This is what the action does with rules. This can be any jump target
-#          as per the iptables man page (section 8). Common values are DROP
-#          REJECT, REJECT --reject-with icmp-port-unreachable
-# Values:  STRING
-blocktype = REJECT --reject-with icmp-port-unreachable
diff --git a/config/action.d/iptables-multiport.conf b/config/action.d/iptables-multiport.conf
index b7827451..e5ae97f0 100644
--- a/config/action.d/iptables-multiport.conf
+++ b/config/action.d/iptables-multiport.conf
@@ -5,6 +5,10 @@
 # $Revision$
 #
 
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
 [Definition]
 
 # Option:  actionstart
@@ -68,10 +72,3 @@ protocol = tcp
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
-
-# Option:  blocktype
-# Note:    This is what the action does with rules. This can be any jump target
-#          as per the iptables man page (section 8). Common values are DROP
-#          REJECT, REJECT --reject-with icmp-port-unreachable
-# Values:  STRING
-blocktype = REJECT --reject-with icmp-port-unreachable
diff --git a/config/action.d/iptables-new.conf b/config/action.d/iptables-new.conf
index f5467ee2..c8664a22 100644
--- a/config/action.d/iptables-new.conf
+++ b/config/action.d/iptables-new.conf
@@ -7,6 +7,11 @@
 # $Revision$
 #
 
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+
 [Definition]
 
 # Option:  actionstart
@@ -70,10 +75,3 @@ protocol = tcp
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
-
-# Option:  blocktype
-# Note:    This is what the action does with rules. This can be any jump target
-#          as per the iptables man page (section 8). Common values are DROP
-#          REJECT, REJECT --reject-with icmp-port-unreachable
-# Values:  STRING
-blocktype = REJECT --reject-with icmp-port-unreachable
diff --git a/config/action.d/iptables-xt_recent-echo.conf b/config/action.d/iptables-xt_recent-echo.conf
index e7d7182f..1094839d 100644
--- a/config/action.d/iptables-xt_recent-echo.conf
+++ b/config/action.d/iptables-xt_recent-echo.conf
@@ -5,6 +5,11 @@
 # $Revision: 1 $
 #
 
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+
 [Definition]
 
 # Option:  actionstart
@@ -70,10 +75,3 @@ name = default
 # Values:  [ tcp | udp | icmp | all ] Default: tcp
 #
 protocol = tcp
-
-# Option:  blocktype
-# Note:    This is what the action does with rules. This can be any jump target
-#          as per the iptables man page (section 8). Common values are DROP
-#          REJECT, REJECT --reject-with icmp-port-unreachable
-# Values:  STRING
-blocktype = REJECT --reject-with icmp-port-unreachable
diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf
index be4b880c..2368cbdc 100644
--- a/config/action.d/iptables.conf
+++ b/config/action.d/iptables.conf
@@ -5,6 +5,10 @@
 # $Revision$
 #
 
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
 [Definition]
 
 # Option:  actionstart
@@ -68,11 +72,3 @@ protocol = tcp
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
-
-Option:  blocktype
-# Note:    This is what the action does with rules. This can be any jump target
-#          as per the iptables man page (section 8). Common values are DROP
-#          REJECT, REJECT --reject-with icmp-port-unreachable
-# Values:  STRING
-blocktype = REJECT --reject-with icmp-port-unreachable
-

From ac1944ac6d12a24c88b0c723ea7a8bd0225bc750 Mon Sep 17 00:00:00 2001
From: Daniel Black <grooverdan@users.sourceforge.net>
Date: Wed, 8 May 2013 08:21:17 +1000
Subject: [PATCH 18/46] DOC: ChangeLog for default action type change

---
 ChangeLog | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index c80e3b3c..ae55bb2c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -99,6 +99,8 @@ Borreli, blotus:
    * [41b9f7b,32d10e9] More complete ssh filter rules to match openssh source.
    * [1d9abd1] Action files can have tags in definition that refer to other
      tags.
+   * [10886e7,cec5da2,adb991a] Change actions to response with ICMP port
+     unreachable rather than just a drop of the packet.
   Pascal Borreli
    * [a2b29b4] Fixed lots of typos in config files and documentation.
   hamilton5

From b3f11df317ac199a62fbd577d93ae6452a780692 Mon Sep 17 00:00:00 2001
From: Daniel Black <grooverdan@users.sourceforge.net>
Date: Wed, 8 May 2013 08:27:38 +1000
Subject: [PATCH 19/46] BF: add bash-completion to MANIFEST

---
 MANIFEST | 1 +
 1 file changed, 1 insertion(+)

diff --git a/MANIFEST b/MANIFEST
index 364c0b08..a9375268 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -144,3 +144,4 @@ files/cacti/cacti_host_template_fail2ban.xml
 files/cacti/README
 files/nagios/check_fail2ban
 files/nagios/f2ban.txt
+files/bash-completion

From 63b9e4f358250e7f5b04fac4aa53aad3ec1b7f31 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Wed, 8 May 2013 10:10:04 -0400
Subject: [PATCH 20/46] Changelog entries for the latest merges

---
 ChangeLog | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index b10931be..899f9d30 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -71,6 +71,8 @@ Borreli, blotus:
    * [be06b1b] Add action for iptables-ipsets. Closes gh-102.
   Soulard Morgan
    * [f336d9f] Add filter for webmin. Closes gh-99.
+  Steven Hiscocks
+   * [..746c7d9] bash interactive shell completions for fail2ban-*'s
 - Enhancements:
   Enrico Labedzki
    * [24a8d07] Added new date format for ASSP SMTP Proxy.
@@ -106,6 +108,11 @@ Borreli, blotus:
    * [7ede1e8] Update dovecot filter config.
   Romain Riviere
    * [0ac8746] Enhance named-refused filter for views.
+  James Stout
+   * [..2143cdf] Solaris support enhancements:
+     - README.Solaris
+     - failregex'es tune ups (sshd.conf)
+     - hostsdeny: do not rely on support of '-i' in sed
 
 Special Kudos also go to Fabian Wenk, Arturo 'Buanzo' Busleiman, Tom
 Hendrikx and other TBN heroes supporting users on fail2ban-users

From 11031d5ec9268cece9138ad7ed8304a4ad1576fe Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Wed, 8 May 2013 10:15:18 -0400
Subject: [PATCH 21/46] DOC: Slight tune ups to ChangeLog -- we must release!

---
 ChangeLog | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 899f9d30..9aedd52a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,23 +7,27 @@
 Fail2Ban (version 0.8.9)                                              2013/04/XX
 ================================================================================
 
-ver. 0.8.9 (2013/04/XX) - wanna-be-stable
+ver. 0.8.9 (2013/05/XX) - wanna-be-stable
 ----------
 
-Although primarily a bugfix release, it incorporates many new
-enhancements, few new features, but more importantly -- quite extended
-tests battery with current 94% coverage.  This release incorporates
-more than a 100 of non-merge commits from 14 contributors (sorted by
-number of commits): Yaroslav Halchenko, Daniel Black, Steven Hiscocks,
-ArndRa, hamilton5, pigsyn, Erwan Ben Souiden, Michael Gebetsroither,
-Orion Poplawski, Artur Penttinen, sebres, Nicolas Collignon, Pascal
-Borreli, blotus:
+Originally targeted as a bugfix release, it incorporated many new
+enhancements, few new features, and more importantly -- quite extended
+tests battery with current 94% coverage.
 
-- Fixes:
-  Yaroslav Halchenko
-   * [6f4dad46] Documentation python-2.4 is the minimium version.
-   * [1eb23cf8] do not rely on scripts being under /usr -- might differ eg on
-     Fedora. Closes gh-112. Thanks to Camusensei for the bug report.
+This release introduces over 200 of non-merge commits from 16
+contributors (sorted by number of commits): Yaroslav Halchenko, Daniel
+Black, Steven Hiscocks, James Stout, Orion Poplawski, Enrico Labedzki,
+ArndRa, hamilton5, pigsyn, Erwan Ben Souiden, Michael Gebetsroither,
+Artur Penttinen, blotus, sebres, Nicolas Collignon, Pascal Borreli.
+
+Special Kudos also go to Fabian Wenk, Arturo 'Buanzo' Busleiman, Tom
+Hendrikx, Yehuda Katz and other TBN heroes supporting users on
+fail2ban-users mailing list and IRC.
+
+- Fixes: Yaroslav Halchenko
+   * [6f4dad46] python-2.4 is the minimal version.
+   * [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g.
+     on Fedora. Closes gh-112. Thanks to Camusensei for the bug report.
    * [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for
      insight. Closes gh-103.
    * [ab044b75] delay check for the existence of config directory until read.
@@ -99,7 +103,7 @@ Borreli, blotus:
    * [c8c7b0b,23bbc60] Better logging of log file read errors.
    * [3665e6d] Added code coverage to development process.
    * [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh
-	   source. Also include BSD changes.
+     source. Also include BSD changes.
    * [1d9abd1] Action files can have tags in definition that refer to other
      tags.
   Pascal Borreli
@@ -114,10 +118,6 @@ Borreli, blotus:
      - failregex'es tune ups (sshd.conf)
      - hostsdeny: do not rely on support of '-i' in sed
 
-Special Kudos also go to Fabian Wenk, Arturo 'Buanzo' Busleiman, Tom
-Hendrikx and other TBN heroes supporting users on fail2ban-users
-mailing list and IRC.
-
 ver. 0.8.8 (2012/12/06) - stable
 ----------
 - Fixes:

From 571cadd80c3dea4ea3b32c3c5b3d6dd36d898581 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Wed, 8 May 2013 10:30:38 -0400
Subject: [PATCH 22/46] ENH: Use real (resolving) example.com instead of
 test.example.com

---
 testcases/files/logs/bsd/syslog-plain.txt |  2 +-
 testcases/files/logs/bsd/syslog-v.txt     | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/testcases/files/logs/bsd/syslog-plain.txt b/testcases/files/logs/bsd/syslog-plain.txt
index 7dcecb2e..575d8b89 100644
--- a/testcases/files/logs/bsd/syslog-plain.txt
+++ b/testcases/files/logs/bsd/syslog-plain.txt
@@ -1,3 +1,3 @@
 Apr  2 17:52:55 pancake sshd[55657]: Invalid user oracle from 192.0.2.100
-Apr  2 17:53:01 pancake sshd[55657]: error: PAM: authentication error for illegal user oracle from test.example.com
+Apr  2 17:53:01 pancake sshd[55657]: error: PAM: authentication error for illegal user oracle from example.com
 Apr  2 17:53:01 pancake sshd[55657]: Failed keyboard-interactive/pam for invalid user oracle from 192.0.2.100 port 48856 ssh2
diff --git a/testcases/files/logs/bsd/syslog-v.txt b/testcases/files/logs/bsd/syslog-v.txt
index 319582ba..a8db3d77 100644
--- a/testcases/files/logs/bsd/syslog-v.txt
+++ b/testcases/files/logs/bsd/syslog-v.txt
@@ -1,10 +1,10 @@
-Apr  2 17:51:27 <4.3> pancake sshd[55624]: error: PAM: authentication error for nick from test.example.com
+Apr  2 17:51:27 <4.3> pancake sshd[55624]: error: PAM: authentication error for nick from example.com
 Apr  2 17:51:32 <4.6> pancake sshd[55628]: Invalid user r00t from 192.0.2.100
-Apr  2 17:51:33 <4.3> pancake sshd[55628]: error: PAM: authentication error for illegal user r00t from test.example.com
+Apr  2 17:51:33 <4.3> pancake sshd[55628]: error: PAM: authentication error for illegal user r00t from example.com
 Apr  2 17:51:33 <4.6> pancake sshd[55628]: Failed keyboard-interactive/pam for invalid user r00t from 192.0.2.100 port 46050 ssh2
-Apr  2 17:51:34 <4.3> pancake sshd[55628]: error: PAM: authentication error for illegal user r00t from test.example.com
+Apr  2 17:51:34 <4.3> pancake sshd[55628]: error: PAM: authentication error for illegal user r00t from example.com
 Apr  2 17:51:34 <4.6> pancake sshd[55628]: Failed keyboard-interactive/pam for invalid user r00t from 192.0.2.100 port 46050 ssh2
-Apr  2 17:51:36 <4.3> pancake sshd[55628]: error: PAM: authentication error for illegal user r00t from test.example.com
+Apr  2 17:51:36 <4.3> pancake sshd[55628]: error: PAM: authentication error for illegal user r00t from example.com
 Apr  2 17:51:36 <4.6> pancake sshd[55628]: Failed keyboard-interactive/pam for invalid user r00t from 192.0.2.100 port 46050 ssh2
 Apr  2 17:52:06 <4.6> pancake sshd[55647]: Invalid user oracle from 192.0.2.100
-Apr  2 17:52:07 <4.3> pancake sshd[55647]: error: PAM: authentication error for illegal user oracle from test.example.com
+Apr  2 17:52:07 <4.3> pancake sshd[55647]: error: PAM: authentication error for illegal user oracle from example.com

From 6fef85ff2d0be4e33b8e99d4012c42d25258ef27 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Wed, 8 May 2013 12:07:26 -0400
Subject: [PATCH 23/46] ENH: strip CR and LF while analyzing the lines
 (processLine) (Close #202)

This should allow to resolve issues with logs written in MS-DOS fashion,
e.g. with daemontools

See https://github.com/fail2ban/fail2ban/issues/202\#issuecomment-17393613
---
 server/filter.py            |  1 +
 testcases/filtertestcase.py | 28 +++++++++++++++++++++++-----
 2 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/server/filter.py b/server/filter.py
index 754a2a08..90530f92 100644
--- a/server/filter.py
+++ b/server/filter.py
@@ -290,6 +290,7 @@ class Filter(JailThread):
 			l = line.decode('utf-8')
 		except UnicodeDecodeError:
 			l = line
+		l = l.rstrip('\r\n')
 		timeMatch = self.dateDetector.matchTime(l)
 		if timeMatch:
 			# Lets split into time part and log part of the line
diff --git a/testcases/filtertestcase.py b/testcases/filtertestcase.py
index 00946f90..ce142bfd 100644
--- a/testcases/filtertestcase.py
+++ b/testcases/filtertestcase.py
@@ -579,11 +579,29 @@ class GetFailures(unittest.TestCase):
 
 
 
-	def testGetFailures01(self):
-		self.filter.addLogPath(GetFailures.FILENAME_01)
-		self.filter.addFailRegex("(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) <HOST>")
-		self.filter.getFailures(GetFailures.FILENAME_01)
-		_assert_correct_last_attempt(self, self.filter, GetFailures.FAILURES_01)
+	def testGetFailures01(self, filename=None, failures=None):
+		filename = filename or GetFailures.FILENAME_01
+		failures = failures or GetFailures.FAILURES_01
+
+		self.filter.addLogPath(filename)
+		self.filter.addFailRegex("(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) <HOST>$")
+		self.filter.getFailures(filename)
+		_assert_correct_last_attempt(self, self.filter,  failures)
+
+	def testCRLFFailures01(self):
+		# We first adjust logfile/failures to end with CR+LF
+		fname = tempfile.mktemp(prefix='tmp_fail2ban', suffix='crlf')
+		f = open(fname, 'w')
+		for l in open(GetFailures.FILENAME_01).readlines():
+			f.write('%s\r\n' % l.rstrip('\n'))
+		f.close()
+
+		# now see if we should be getting the "same" failures
+		self.testGetFailures01(filename=fname,
+							   failures=GetFailures.FAILURES_01[:3] +
+							   ([x.rstrip('\n') + '\r\n' for x in
+								 GetFailures.FAILURES_01[-1]],))
+		_killfile(f, fname)
 
 
 	def testGetFailures02(self):

From 239406a8b9c26829453daf5a078c0debc2f4d990 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Wed, 8 May 2013 12:09:06 -0400
Subject: [PATCH 24/46] Changelog for preceeding commit

---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ChangeLog b/ChangeLog
index be28f028..a4dc4b75 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -103,6 +103,7 @@ fail2ban-users mailing list and IRC.
    * [40c5a2d] adding more of diagnostic messages into -client while starting
      the daemon.
    * [8e63d4c] Compare against None with 'is' instead of '=='.
+   * [6fef85f] Strip CR and LF while analyzing the log line
   Daniel Black
    * [3aeb1a9] Add jail.conf manual page. Closes gh-143.
    * [MANY] man page edits.

From c9dd163852c8d35e43460b665ed90070239053f5 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Wed, 8 May 2013 13:46:06 -0400
Subject: [PATCH 25/46] Add README.Solaris into distribution

---
 MANIFEST | 1 +
 1 file changed, 1 insertion(+)

diff --git a/MANIFEST b/MANIFEST
index b7ac5f33..0537abae 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -1,4 +1,5 @@
 README.md
+README.Solaris
 ChangeLog
 TODO
 THANKS

From 582d1c5ea51e6850350b7c2677f23af7d84ccb80 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Wed, 8 May 2013 13:59:09 -0400
Subject: [PATCH 26/46] ENH: remove use of $Revision and $Date SVN tags

---
 client/__init__.py                | 2 --
 client/actionreader.py            | 2 --
 client/configparserinc.py         | 2 --
 client/configreader.py            | 2 --
 client/configurator.py            | 2 --
 client/csocket.py                 | 2 --
 client/fail2banreader.py          | 2 --
 client/filterreader.py            | 2 --
 client/jailreader.py              | 2 --
 client/jailsreader.py             | 2 --
 common/__init__.py                | 2 --
 common/helpers.py                 | 2 --
 common/protocol.py                | 2 --
 testcases/__init__.py             | 2 --
 testcases/actiontestcase.py       | 2 --
 testcases/banmanagertestcase.py   | 2 --
 testcases/datedetectortestcase.py | 2 --
 testcases/failmanagertestcase.py  | 2 --
 testcases/servertestcase.py       | 2 --
 testcases/sockettestcase.py       | 2 --
 20 files changed, 40 deletions(-)

diff --git a/client/__init__.py b/client/__init__.py
index 3de9058c..2b76f4b6 100644
--- a/client/__init__.py
+++ b/client/__init__.py
@@ -21,7 +21,5 @@
 # 
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision$"
-__date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
diff --git a/client/actionreader.py b/client/actionreader.py
index c1a64245..8f60b55b 100644
--- a/client/actionreader.py
+++ b/client/actionreader.py
@@ -21,8 +21,6 @@
 # 
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision$"
-__date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
diff --git a/client/configparserinc.py b/client/configparserinc.py
index df5af1ac..f5e124a1 100644
--- a/client/configparserinc.py
+++ b/client/configparserinc.py
@@ -21,8 +21,6 @@
 # Modified: Cyril Jaquier
 
 __author__ = 'Yaroslav Halhenko'
-__revision__ = '$Revision$'
-__date__ = '$Date$'
 __copyright__ = 'Copyright (c) 2007 Yaroslav Halchenko'
 __license__ = 'GPL'
 
diff --git a/client/configreader.py b/client/configreader.py
index 9fb6b3eb..3d3aff94 100644
--- a/client/configreader.py
+++ b/client/configreader.py
@@ -21,8 +21,6 @@
 # Modified by: Yaroslav Halchenko (SafeConfigParserWithIncludes)
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision$"
-__date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
diff --git a/client/configurator.py b/client/configurator.py
index fc588558..d5f46305 100644
--- a/client/configurator.py
+++ b/client/configurator.py
@@ -21,8 +21,6 @@
 # 
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision$"
-__date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
diff --git a/client/csocket.py b/client/csocket.py
index c6f318f2..3d8362b5 100644
--- a/client/csocket.py
+++ b/client/csocket.py
@@ -21,8 +21,6 @@
 # 
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision$"
-__date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
diff --git a/client/fail2banreader.py b/client/fail2banreader.py
index 026076fa..ada88084 100644
--- a/client/fail2banreader.py
+++ b/client/fail2banreader.py
@@ -21,8 +21,6 @@
 # 
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision$"
-__date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
diff --git a/client/filterreader.py b/client/filterreader.py
index b8c47558..f75190f9 100644
--- a/client/filterreader.py
+++ b/client/filterreader.py
@@ -21,8 +21,6 @@
 # 
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision$"
-__date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
diff --git a/client/jailreader.py b/client/jailreader.py
index d6f678ee..f8757e26 100644
--- a/client/jailreader.py
+++ b/client/jailreader.py
@@ -21,8 +21,6 @@
 # 
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision$"
-__date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
diff --git a/client/jailsreader.py b/client/jailsreader.py
index f87794dd..098b525d 100644
--- a/client/jailsreader.py
+++ b/client/jailsreader.py
@@ -21,8 +21,6 @@
 # 
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision$"
-__date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
diff --git a/common/__init__.py b/common/__init__.py
index 3de9058c..2b76f4b6 100644
--- a/common/__init__.py
+++ b/common/__init__.py
@@ -21,7 +21,5 @@
 # 
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision$"
-__date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
diff --git a/common/helpers.py b/common/helpers.py
index 3c830138..dba4c9d6 100644
--- a/common/helpers.py
+++ b/common/helpers.py
@@ -22,8 +22,6 @@
 # 
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision$"
-__date__ = "$Date$"
 __copyright__ = "Copyright (c) 2009 Cyril Jaquier"
 __license__ = "GPL"
 
diff --git a/common/protocol.py b/common/protocol.py
index ccd44398..9309ce7f 100644
--- a/common/protocol.py
+++ b/common/protocol.py
@@ -21,8 +21,6 @@
 # 
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision$"
-__date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
diff --git a/testcases/__init__.py b/testcases/__init__.py
index 3de9058c..2b76f4b6 100644
--- a/testcases/__init__.py
+++ b/testcases/__init__.py
@@ -21,7 +21,5 @@
 # 
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision$"
-__date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
diff --git a/testcases/actiontestcase.py b/testcases/actiontestcase.py
index e8a03abf..9a7776ac 100644
--- a/testcases/actiontestcase.py
+++ b/testcases/actiontestcase.py
@@ -21,8 +21,6 @@
 # 
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision$"
-__date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
diff --git a/testcases/banmanagertestcase.py b/testcases/banmanagertestcase.py
index 58651573..1e585244 100644
--- a/testcases/banmanagertestcase.py
+++ b/testcases/banmanagertestcase.py
@@ -21,8 +21,6 @@
 # 
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision$"
-__date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
diff --git a/testcases/datedetectortestcase.py b/testcases/datedetectortestcase.py
index 4b38fb12..8a838700 100644
--- a/testcases/datedetectortestcase.py
+++ b/testcases/datedetectortestcase.py
@@ -21,8 +21,6 @@
 # 
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision$"
-__date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
diff --git a/testcases/failmanagertestcase.py b/testcases/failmanagertestcase.py
index de23219c..1bfab339 100644
--- a/testcases/failmanagertestcase.py
+++ b/testcases/failmanagertestcase.py
@@ -21,8 +21,6 @@
 # 
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision$"
-__date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
diff --git a/testcases/servertestcase.py b/testcases/servertestcase.py
index 9a285553..ff3f2e88 100644
--- a/testcases/servertestcase.py
+++ b/testcases/servertestcase.py
@@ -21,8 +21,6 @@
 # 
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision$"
-__date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
diff --git a/testcases/sockettestcase.py b/testcases/sockettestcase.py
index cd13c772..d70c45cf 100644
--- a/testcases/sockettestcase.py
+++ b/testcases/sockettestcase.py
@@ -21,8 +21,6 @@
 # 
 
 __author__ = "Steven Hiscocks"
-__version__ = "$Revision$"
-__date__ = "$Date$"
 __copyright__ = "Copyright (c) 2013 Steven Hiscocks"
 __license__ = "GPL"
 

From 28794d842dc8d737f7fb17ad5bbc91297f0aba0f Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Wed, 8 May 2013 15:14:28 -0400
Subject: [PATCH 27/46] ENH: close files in _test_move_into_file

---
 testcases/filtertestcase.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/testcases/filtertestcase.py b/testcases/filtertestcase.py
index 00946f90..6cfa53a7 100644
--- a/testcases/filtertestcase.py
+++ b/testcases/filtertestcase.py
@@ -477,8 +477,8 @@ def get_monitor_failures_testcase(Filter_):
 
 		def _test_move_into_file(self, interim_kill=False):
 			# if we move a new file into the location of an old (monitored) file
-			self.file1 = _copy_lines_between_files(GetFailures.FILENAME_01, self.name,
-												  n=100)
+			_copy_lines_between_files(GetFailures.FILENAME_01, self.name,
+									  n=100).close()
 			# make sure that it is monitored first
 			self.assert_correct_last_attempt(GetFailures.FAILURES_01)
 			self.assertEqual(self.filter.failManager.getFailTotal(), 3)
@@ -488,14 +488,15 @@ def get_monitor_failures_testcase(Filter_):
 				time.sleep(0.2)				  # let them know
 
 			# now create a new one to override old one
-			self.file = _copy_lines_between_files(GetFailures.FILENAME_01,
-												   self.name + '.new', n=100)
+			_copy_lines_between_files(GetFailures.FILENAME_01, self.name + '.new',
+									  n=100).close()
 			os.rename(self.name + '.new', self.name)
 			self.assert_correct_last_attempt(GetFailures.FAILURES_01)
 			self.assertEqual(self.filter.failManager.getFailTotal(), 6)
 
 			# and to make sure that it now monitored for changes
-			_copy_lines_between_files(GetFailures.FILENAME_01, self.name, n=100)
+			_copy_lines_between_files(GetFailures.FILENAME_01, self.name,
+									  n=100).close()
 			self.assert_correct_last_attempt(GetFailures.FAILURES_01)
 			self.assertEqual(self.filter.failManager.getFailTotal(), 9)
 

From f4d2b5b33860c6ad6b6e8e83e67c2e451dabc04c Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Wed, 8 May 2013 16:12:37 -0400
Subject: [PATCH 28/46] Previous coverage was 56% (without disregarding any
 pragma)

---
 ChangeLog | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index be28f028..50ffe209 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,7 +12,7 @@ ver. 0.8.9 (2013/05/XX) - wanna-be-stable
 
 Originally targeted as a bugfix release, it incorporated many new
 enhancements, few new features, and more importantly -- quite extended
-tests battery with current 94% coverage.
+tests battery with current 94% coverage (from 56% of 0.8.8).
 
 This release introduces over 200 of non-merge commits from 16
 contributors (sorted by number of commits): Yaroslav Halchenko, Daniel

From 7a6eecbe219d42aed0d667f175e185e98159f134 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Thu, 9 May 2013 13:25:29 -0400
Subject: [PATCH 29/46] ENH: close open file in a test

---
 testcases/filtertestcase.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/testcases/filtertestcase.py b/testcases/filtertestcase.py
index c1e91e74..1657f694 100644
--- a/testcases/filtertestcase.py
+++ b/testcases/filtertestcase.py
@@ -592,17 +592,19 @@ class GetFailures(unittest.TestCase):
 	def testCRLFFailures01(self):
 		# We first adjust logfile/failures to end with CR+LF
 		fname = tempfile.mktemp(prefix='tmp_fail2ban', suffix='crlf')
-		f = open(fname, 'w')
-		for l in open(GetFailures.FILENAME_01).readlines():
-			f.write('%s\r\n' % l.rstrip('\n'))
-		f.close()
+		# poor man unix2dos:
+		fin, fout = open(GetFailures.FILENAME_01), open(fname, 'w')
+		for l in fin.readlines():
+			fout.write('%s\r\n' % l.rstrip('\n'))
+		fin.close()
+		fout.close()
 
 		# now see if we should be getting the "same" failures
 		self.testGetFailures01(filename=fname,
 							   failures=GetFailures.FAILURES_01[:3] +
 							   ([x.rstrip('\n') + '\r\n' for x in
 								 GetFailures.FAILURES_01[-1]],))
-		_killfile(f, fname)
+		_killfile(fout, fname)
 
 
 	def testGetFailures02(self):

From 728aaec6b851b45afa5dcf030e229fda29a66373 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Thu, 9 May 2013 22:27:16 -0400
Subject: [PATCH 30/46] ENH: point to the status of master branch on travis

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 04f8b349..65183b92 100644
--- a/README.md
+++ b/README.md
@@ -56,7 +56,7 @@ the website: http://www.fail2ban.org
 Code status:
 ------------
 
-* [![tests status](https://secure.travis-ci.org/fail2ban/fail2ban.png)](https://travis-ci.org/fail2ban/fail2ban) travis-ci.org (master branch)
+* [![tests status](https://secure.travis-ci.org/fail2ban/fail2ban.png?branch=master)](https://travis-ci.org/fail2ban/fail2ban) travis-ci.org (master branch)
 
 * [![Coverage Status](https://coveralls.io/repos/fail2ban/fail2ban/badge.png?branch=master)](https://coveralls.io/r/fail2ban/fail2ban)
 

From 90d6a4a6cd8c2de9004239039c82dba80e562384 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Thu, 9 May 2013 22:46:59 -0400
Subject: [PATCH 31/46] ENH: consistent operation of formatExceptionInfo +
 unittest for it

---
 common/helpers.py         | 12 ++++++-----
 fail2ban-testcases        |  3 +++
 server/asyncserver.py     |  4 ++--
 testcases/misctestcase.py | 44 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 56 insertions(+), 7 deletions(-)
 create mode 100644 testcases/misctestcase.py

diff --git a/common/helpers.py b/common/helpers.py
index dba4c9d6..c0cf052e 100644
--- a/common/helpers.py
+++ b/common/helpers.py
@@ -17,11 +17,7 @@
 # along with Fail2Ban; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
-# Author: Cyril Jaquier
-# Author: Arturo 'Buanzo' Busleiman
-# 
-
-__author__ = "Cyril Jaquier"
+__author__ = "Cyril Jaquier, Arturo 'Buanzo' Busleiman"
 __copyright__ = "Copyright (c) 2009 Cyril Jaquier"
 __license__ = "GPL"
 
@@ -33,6 +29,12 @@ def formatExceptionInfo():
 	excName = cla.__name__
 	try:
 		excArgs = exc.__dict__["args"]
+		# Assure that we always return a string, without unneeded
+		# 'decorations' with python <= 2.5 where args would be a tuple
+		if isinstance(excArgs, tuple) and len(excArgs) == 1:
+			excArgs = excArgs[0]
+		excArgs = str(excArgs)
 	except KeyError:
+		# And always provide a string output
 		excArgs = str(exc)
 	return (excName, excArgs)
diff --git a/fail2ban-testcases b/fail2ban-testcases
index e00cc908..4e6689ea 100755
--- a/fail2ban-testcases
+++ b/fail2ban-testcases
@@ -36,6 +36,7 @@ from testcases import servertestcase
 from testcases import datedetectortestcase
 from testcases import actiontestcase
 from testcases import sockettestcase
+from testcases import misctestcase
 
 from testcases.utils import FormatterWithTraceBack
 from server.mytime import MyTime
@@ -150,6 +151,8 @@ tests.addTest(unittest.makeSuite(clientreadertestcase.JailReaderTest))
 tests.addTest(unittest.makeSuite(clientreadertestcase.JailsReaderTest))
 # CSocket and AsyncServer
 tests.addTest(unittest.makeSuite(sockettestcase.Socket))
+# Misc helpers
+tests.addTest(unittest.makeSuite(misctestcase.HelpersTest))
 
 # Filter
 if not opts.no_network:
diff --git a/server/asyncserver.py b/server/asyncserver.py
index 87f91633..62a5dd8b 100644
--- a/server/asyncserver.py
+++ b/server/asyncserver.py
@@ -70,8 +70,8 @@ class RequestHandler(asynchat.async_chat):
 		self.close_when_done()
 		
 	def handle_error(self):
-		e1,e2 = helpers.formatExceptionInfo()
-		logSys.error("Unexpected communication error: "+e2)
+		e1, e2 = helpers.formatExceptionInfo()
+		logSys.error("Unexpected communication error: %s" % str(e2))
 		logSys.error(traceback.format_exc().splitlines())
 		self.close()
 		
diff --git a/testcases/misctestcase.py b/testcases/misctestcase.py
new file mode 100644
index 00000000..9b053c13
--- /dev/null
+++ b/testcases/misctestcase.py
@@ -0,0 +1,44 @@
+# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
+# vi: set ft=python sts=4 ts=4 sw=4 noet :
+
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+__author__ = "Yaroslav Halchenko"
+__copyright__ = "Copyright (c) 2013 Yaroslav Halchenko"
+__license__ = "GPL"
+
+import unittest
+from common.helpers import formatExceptionInfo
+
+class HelpersTest(unittest.TestCase):
+
+	def testFormatExceptionInfoBasic(self):
+		try:
+			raise ValueError("Very bad exception")
+		except:
+			name, args = formatExceptionInfo()
+			self.assertEqual(name, "ValueError")
+			self.assertEqual(args, "Very bad exception")
+
+	def testFormatExceptionConvertArgs(self):
+		try:
+			raise ValueError("Very bad", None)
+		except:
+			name, args = formatExceptionInfo()
+			self.assertEqual(name, "ValueError")
+			# might be fragile due to ' vs "
+			self.assertEqual(args, "('Very bad', None)")

From 26715d5e5e4b1671ce6cbfabe13a6495a9f64b75 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Thu, 9 May 2013 23:08:20 -0400
Subject: [PATCH 32/46] ENH: basic test for setup.py itself (when applicable,
 should greatly improve coverage ;) )

---
 fail2ban-testcases        |  1 +
 testcases/misctestcase.py | 38 +++++++++++++++++++++++++++++++++++++-
 2 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/fail2ban-testcases b/fail2ban-testcases
index 4e6689ea..94b8208e 100755
--- a/fail2ban-testcases
+++ b/fail2ban-testcases
@@ -153,6 +153,7 @@ tests.addTest(unittest.makeSuite(clientreadertestcase.JailsReaderTest))
 tests.addTest(unittest.makeSuite(sockettestcase.Socket))
 # Misc helpers
 tests.addTest(unittest.makeSuite(misctestcase.HelpersTest))
+tests.addTest(unittest.makeSuite(misctestcase.SetupTest))
 
 # Filter
 if not opts.no_network:
diff --git a/testcases/misctestcase.py b/testcases/misctestcase.py
index 9b053c13..e3c20882 100644
--- a/testcases/misctestcase.py
+++ b/testcases/misctestcase.py
@@ -21,7 +21,12 @@ __author__ = "Yaroslav Halchenko"
 __copyright__ = "Copyright (c) 2013 Yaroslav Halchenko"
 __license__ = "GPL"
 
-import unittest
+import os, sys, unittest
+import tempfile
+import shutil
+
+from glob import glob
+
 from common.helpers import formatExceptionInfo
 
 class HelpersTest(unittest.TestCase):
@@ -42,3 +47,34 @@ class HelpersTest(unittest.TestCase):
 			self.assertEqual(name, "ValueError")
 			# might be fragile due to ' vs "
 			self.assertEqual(args, "('Very bad', None)")
+
+
+class SetupTest(unittest.TestCase):
+
+	def setUp(self):
+		setup = os.path.join(os.path.dirname(__file__), '..', 'setup.py')
+		self.setup = os.path.exists(setup) and setup or None
+		if not self.setup and sys.version_info >= (2,7): # running not out of the source
+			raise unittest.SkipTest(
+				"Seems to be running not out of source distribution"
+				" -- cannot locate setup.py")
+
+	def testSetupInstallRoot(self):
+		if not self.setup: return			  # if verbose skip didn't work out
+		tmp = tempfile.mkdtemp()
+		os.system("%s install --root=%s >/dev/null" % (self.setup, tmp))
+
+		def addpath(l):
+			return [os.path.join(tmp, x) for x in l]
+
+		self.assertEqual(sorted(glob('%s/*' % tmp)),
+						 addpath(['etc', 'usr', 'var']))
+
+		# Assure presence of some files we expect to see in the installation
+		for f in ('etc/fail2ban/fail2ban.conf',
+				  'etc/fail2ban/jail.conf'):
+			self.assertTrue(os.path.exists(os.path.join(tmp, f)),
+							msg="Can't find %s" % f)
+
+		# clean up
+		shutil.rmtree(tmp)

From e70d01bc1010a2ad617b3c2d5ecbc8d8bdb35459 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Thu, 9 May 2013 23:16:03 -0400
Subject: [PATCH 33/46] TST: cover few more lines in fail2banreader.py

---
 testcases/clientreadertestcase.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/testcases/clientreadertestcase.py b/testcases/clientreadertestcase.py
index fad16f04..faa8dcd6 100644
--- a/testcases/clientreadertestcase.py
+++ b/testcases/clientreadertestcase.py
@@ -160,6 +160,15 @@ class JailsReaderTest(unittest.TestCase):
 		self.assertEqual(opts['socket'], '/var/run/fail2ban/fail2ban.sock')
 		self.assertEqual(opts['pidfile'], '/var/run/fail2ban/fail2ban.pid')
 
+		configurator.getOptions()
+		configurator.convertToProtocol()
+		commands = configurator.getConfigStream()
+		# and there is logging information left to be passed into the
+		# server
+		self.assertEqual(commands,
+						 [['set', 'loglevel', 3],
+						  ['set', 'logtarget', '/var/log/fail2ban.log']])
+
 		# and if we force change configurator's fail2ban's baseDir
 		# there should be an error message (test visually ;) --
 		# otherwise just a code smoke test)

From dc05eee0f502e94b10c3d6cdf0cda1fcc7f93b49 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Thu, 9 May 2013 23:42:51 -0400
Subject: [PATCH 34/46] TST: Some primarily smoke tests for tests utils

---
 fail2ban-testcases        |  1 +
 testcases/misctestcase.py | 54 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+)

diff --git a/fail2ban-testcases b/fail2ban-testcases
index 94b8208e..5ad7494e 100755
--- a/fail2ban-testcases
+++ b/fail2ban-testcases
@@ -154,6 +154,7 @@ tests.addTest(unittest.makeSuite(sockettestcase.Socket))
 # Misc helpers
 tests.addTest(unittest.makeSuite(misctestcase.HelpersTest))
 tests.addTest(unittest.makeSuite(misctestcase.SetupTest))
+tests.addTest(unittest.makeSuite(misctestcase.TestsUtilsTest))
 
 # Filter
 if not opts.no_network:
diff --git a/testcases/misctestcase.py b/testcases/misctestcase.py
index e3c20882..89be2b17 100644
--- a/testcases/misctestcase.py
+++ b/testcases/misctestcase.py
@@ -21,12 +21,14 @@ __author__ = "Yaroslav Halchenko"
 __copyright__ = "Copyright (c) 2013 Yaroslav Halchenko"
 __license__ = "GPL"
 
+import logging
 import os, sys, unittest
 import tempfile
 import shutil
 
 from glob import glob
 
+from utils import mbasename, TraceBack, FormatterWithTraceBack
 from common.helpers import formatExceptionInfo
 
 class HelpersTest(unittest.TestCase):
@@ -78,3 +80,55 @@ class SetupTest(unittest.TestCase):
 
 		# clean up
 		shutil.rmtree(tmp)
+
+class TestsUtilsTest(unittest.TestCase):
+
+	def testmbasename(self):
+		self.assertEqual(mbasename("sample.py"), 'sample')
+		self.assertEqual(mbasename("/long/path/sample.py"), 'sample')
+		# this one would include only the directory for the __init__ and base files
+		self.assertEqual(mbasename("/long/path/__init__.py"), 'path.__init__')
+		self.assertEqual(mbasename("/long/path/base.py"), 'path.base')
+		self.assertEqual(mbasename("/long/path/base"), 'path.base')
+
+	def testTraceBack(self):
+		# pretty much just a smoke test since tests runners swallow all the detail
+
+		for compress in True, False:
+			tb = TraceBack(compress=compress)
+
+			def func_raise():
+				raise ValueError()
+
+			def deep_function(i):
+				if i: deep_function(i-1)
+				else: func_raise()
+
+			try:
+				print deep_function(3)
+			except ValueError:
+				s = tb()
+			self.assertTrue('>' in s)
+			self.assertTrue(':' in s)
+
+
+	def testFormatterWithTraceBack(self):
+		from StringIO import StringIO
+		strout = StringIO()
+		Formatter = FormatterWithTraceBack
+
+		# and both types of traceback at once
+		fmt = ' %(tb)s | %(tbc)s : %(message)s'
+		logSys = logging.getLogger("fail2ban_tests")
+		out = logging.StreamHandler(strout)
+		out.setFormatter(Formatter(fmt))
+		logSys.addHandler(out)
+		logSys.error("XXX")
+
+		s = strout.getvalue()
+		self.assertTrue(s.rstrip().endswith(': XXX'))
+		pindex = s.index('|')
+
+		# in this case compressed and not should be the same (?)
+		self.assertTrue(pindex > 10)	  # we should have some traceback
+		self.assertEqual(s[:pindex], s[pindex+1:pindex*2 + 1])

From 281d310b7eb45bca49c0a57a32a6c430f6bfddac Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Fri, 10 May 2013 00:02:49 -0400
Subject: [PATCH 35/46] ENH: actually tune up TraceBack to determine "unittest"
 portions of the stack across all python  releases

before for 2.7 it would spit out "suite" and other components of unittest module
---
 testcases/misctestcase.py | 2 +-
 testcases/utils.py        | 9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/testcases/misctestcase.py b/testcases/misctestcase.py
index 89be2b17..c9449407 100644
--- a/testcases/misctestcase.py
+++ b/testcases/misctestcase.py
@@ -108,7 +108,7 @@ class TestsUtilsTest(unittest.TestCase):
 				print deep_function(3)
 			except ValueError:
 				s = tb()
-			self.assertTrue('>' in s)
+			self.assertFalse('>' in s)  # There is only "fail2ban-testcases" in this case, no true traceback
 			self.assertTrue(':' in s)
 
 
diff --git a/testcases/utils.py b/testcases/utils.py
index 6b894193..87aab915 100644
--- a/testcases/utils.py
+++ b/testcases/utils.py
@@ -61,11 +61,12 @@ class TraceBack(object):
 
 	def __call__(self):
 		ftb = traceback.extract_stack(limit=100)[:-2]
-		entries = [[mbasename(x[0]), str(x[1])] for x in ftb]
-		entries = [ e for e in entries
-					if not e[0] in ['unittest', 'logging.__init__' ]]
+		entries = [[mbasename(x[0]), dirname(x[0]), str(x[1])] for x in ftb]
+		entries = [ [e[0], e[2]] for e in entries
+					if not (e[0] in ['unittest', 'logging.__init__']
+							or e[1].endswith('/unittest'))]
 
-		# lets make it more consize
+		# lets make it more concise
 		entries_out = [entries[0]]
 		for entry in entries[1:]:
 			if entry[0] == entries_out[-1][0]:

From bdc86e5f1d1ff9dd09f46e11491671d515e3b4a2 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Fri, 10 May 2013 11:17:04 -0400
Subject: [PATCH 36/46] ENH: use the same python executable for setup.py test

This doesn't anyhow resolve gh-161 which was revealed consistently on Debian sytem
after adding this testSetupInstallRoot
---
 testcases/misctestcase.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/testcases/misctestcase.py b/testcases/misctestcase.py
index c9449407..4a6b4241 100644
--- a/testcases/misctestcase.py
+++ b/testcases/misctestcase.py
@@ -64,7 +64,8 @@ class SetupTest(unittest.TestCase):
 	def testSetupInstallRoot(self):
 		if not self.setup: return			  # if verbose skip didn't work out
 		tmp = tempfile.mkdtemp()
-		os.system("%s install --root=%s >/dev/null" % (self.setup, tmp))
+		os.system("%s %s install --root=%s >/dev/null"
+				  % (sys.executable, self.setup, tmp))
 
 		def addpath(l):
 			return [os.path.join(tmp, x) for x in l]

From 8161038987608d58c5202977048a8b3f6a462ad6 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Fri, 10 May 2013 11:40:12 -0400
Subject: [PATCH 37/46] ENH: strengthen detection of working pyinotify

Even though import might work -- pyinotify might be dysfunctional.
Check by creating/deleting a dummy WatchManager upon import
---
 server/filterpyinotify.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/server/filterpyinotify.py b/server/filterpyinotify.py
index 4c270d2e..cea82711 100644
--- a/server/filterpyinotify.py
+++ b/server/filterpyinotify.py
@@ -23,19 +23,28 @@ __author__ = "Cyril Jaquier, Lee Clemens, Yaroslav Halchenko"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2012 Lee Clemens, 2012 Yaroslav Halchenko"
 __license__ = "GPL"
 
+import time, logging, pyinotify
+
 from distutils.version import LooseVersion
+from os.path import dirname, sep as pathsep
 
 from failmanager import FailManagerEmpty
 from filter import FileFilter
 from mytime import MyTime
 
-import time, logging, pyinotify
 
 if not hasattr(pyinotify, '__version__') \
   or LooseVersion(pyinotify.__version__) < '0.8.3':
   raise ImportError("Fail2Ban requires pyinotify >= 0.8.3")
 
-from os.path import dirname, sep as pathsep
+# Verify that pyinotify is functional on this system
+# Even though imports -- might be dysfunctional, e.g. as on kfreebsd
+try:
+	manager = pyinotify.WatchManager()
+	del manager
+except Exception, e:
+	raise ImportError("Pyinotify is probably not functional on this system: %s"
+					  % str(e))
 
 # Gets the instance of the logger.
 logSys = logging.getLogger("fail2ban.filter")

From 8af3ffb332a3e0aecabe09e97c6805169f72421e Mon Sep 17 00:00:00 2001
From: Steven Hiscocks <steven@hiscocks.me.uk>
Date: Fri, 10 May 2013 16:54:53 +0100
Subject: [PATCH 38/46] BF: Fix for filterpoll incorrectly checking for
 jailless state

---
 server/filterpoll.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/server/filterpoll.py b/server/filterpoll.py
index 8a6a88e7..20cde0ca 100644
--- a/server/filterpoll.py
+++ b/server/filterpoll.py
@@ -104,7 +104,8 @@ class FilterPoll(FileFilter):
 				time.sleep(self.getSleepTime())
 			else:
 				time.sleep(self.getSleepTime())
-		logSys.debug((self.jail and self.jail.getName() or "jailless") +
+		logSys.debug(
+			(self.jail is not None and self.jail.getName() or "jailless") +
 					 " filter terminated")
 		return True
 
@@ -130,7 +131,7 @@ class FilterPoll(FileFilter):
 			self.__file404Cnt[filename] += 1
 			if self.__file404Cnt[filename] > 2:
 				logSys.warn("Too many errors. Setting the jail idle")
-				if self.jail:
+				if self.jail is not None:
 					self.jail.setIdle(True)
 				else:
 					logSys.warn("No jail is assigned to %s" % self)

From 90b8433ac5113d17b458005ee77dc89d692cbd52 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun, 12 May 2013 21:42:59 -0400
Subject: [PATCH 39/46] DOC: inline commends with ';' are in effect only if ';'
 follows as space

---
 README.Solaris       | 2 +-
 config/fail2ban.conf | 2 +-
 config/jail.conf     | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.Solaris b/README.Solaris
index 49056062..10a5f88c 100644
--- a/README.Solaris
+++ b/README.Solaris
@@ -71,7 +71,7 @@ OPT: Create /etc/fail2ban/fail2ban.local containing:
 
 # Fail2Ban main configuration file
 #
-# Comments: use '#' for comment lines and ';' for inline comments
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
 #
 # Changes:  in most of the cases you should not modify this
 #           file, but provide customizations in fail2ban.local file, e.g.:
diff --git a/config/fail2ban.conf b/config/fail2ban.conf
index 1888eddb..4094c8cd 100644
--- a/config/fail2ban.conf
+++ b/config/fail2ban.conf
@@ -1,6 +1,6 @@
 # Fail2Ban main configuration file
 #
-# Comments: use '#' for comment lines and ';' for inline comments
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
 #
 # Changes:  in most of the cases you should not modify this
 #           file, but provide customizations in fail2ban.local file, e.g.:
diff --git a/config/jail.conf b/config/jail.conf
index 33453ab5..ec5b32ef 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -1,6 +1,6 @@
 # Fail2Ban jail specifications file
 #
-# Comments: use '#' for comment lines and ';' for inline comments
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
 #
 # Changes:  in most of the cases you should not modify this
 #           file, but provide customizations in jail.local file, e.g.:

From 571ff33fde2c43b47c9a22ebdff020bdf77a3c17 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun, 12 May 2013 22:19:17 -0400
Subject: [PATCH 40/46] ENH: issue a warning if jail name is longer than 19
 symbols (Close #222)

---
 fail2ban-testcases          |  1 +
 server/jail.py              |  6 +++++-
 testcases/servertestcase.py | 10 ++++++++++
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/fail2ban-testcases b/fail2ban-testcases
index 5ad7494e..0bd70259 100755
--- a/fail2ban-testcases
+++ b/fail2ban-testcases
@@ -140,6 +140,7 @@ else: # pragma: no cover
 # Server
 #tests.addTest(unittest.makeSuite(servertestcase.StartStop))
 tests.addTest(unittest.makeSuite(servertestcase.Transmitter))
+tests.addTest(unittest.makeSuite(servertestcase.JailTests))
 tests.addTest(unittest.makeSuite(actiontestcase.ExecuteAction))
 # FailManager
 tests.addTest(unittest.makeSuite(failmanagertestcase.AddFailure))
diff --git a/server/jail.py b/server/jail.py
index dee64e7f..5e60ec7f 100644
--- a/server/jail.py
+++ b/server/jail.py
@@ -38,7 +38,7 @@ class Jail:
 	_BACKENDS = ['pyinotify', 'gamin', 'polling']
 
 	def __init__(self, name, backend = "auto"):
-		self.__name = name
+		self.setName(name)
 		self.__queue = Queue.Queue()
 		self.__filter = None
 		logSys.info("Creating new jail '%s'" % self.__name)
@@ -102,6 +102,10 @@ class Jail:
 		self.__filter = FilterPyinotify(self)
 	
 	def setName(self, name):
+		if len(name) >= 20:
+			logSys.warning("Jail name %r might be too long and some commands "
+							"might not function correctly. Please shorten"
+							% name)
 		self.__name = name
 	
 	def getName(self):
diff --git a/testcases/servertestcase.py b/testcases/servertestcase.py
index ff3f2e88..0a5593e3 100644
--- a/testcases/servertestcase.py
+++ b/testcases/servertestcase.py
@@ -26,6 +26,7 @@ __license__ = "GPL"
 
 import unittest, socket, time, tempfile, os
 from server.server import Server
+from server.jail import Jail
 from common.exceptions import UnknownJailException
 
 class StartStop(unittest.TestCase):
@@ -507,3 +508,12 @@ class TransmitterLogging(TransmitterBase):
 		self.setGetTest("loglevel", "-1", -1)
 		self.setGetTest("loglevel", "0", 0)
 		self.setGetTestNOK("loglevel", "Bird")
+
+
+class JailTests(unittest.TestCase):
+
+	def testLongName(self):
+		# Just a smoke test for now
+		longname = "veryveryverylongname"
+		jail = Jail(longname)
+		self.assertEqual(jail.getName(), longname)

From 21474884e0d02902f147d3ccc67af3607c5e739d Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun, 12 May 2013 22:55:02 -0400
Subject: [PATCH 41/46] ENH: now we know that logging handlers closing was
 still buggy in 2.6.2

---
 server/server.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/server/server.py b/server/server.py
index a8cf1c2f..773fdf0b 100644
--- a/server/server.py
+++ b/server/server.py
@@ -377,10 +377,11 @@ class Server:
 					handler.flush()
 					handler.close()
 				except (ValueError, KeyError): # pragma: no cover
-					if sys.version_info >= (2,6):
-						raise
-					# is known to be thrown after logging was shutdown once
+					# Is known to be thrown after logging was shutdown once
 					# with older Pythons -- seems to be safe to ignore there
+					# At least it was still failing on 2.6.2-0ubuntu1 (jaunty)
+					if sys.version_info >= (2,6,3):
+						raise
 			# tell the handler to use this format
 			hdlr.setFormatter(formatter)
 			logging.getLogger("fail2ban").addHandler(hdlr)

From f345c4d7dc4c3261d0b1bb04b92356b438b48320 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun, 12 May 2013 23:22:50 -0400
Subject: [PATCH 42/46] ENH: include explicit list of new files which should
 not be there upon "install --root"

that is to figure out what gets there on failing travis tests:

e.g. https://travis-ci.org/fail2ban/fail2ban/jobs/7112324
---
 testcases/misctestcase.py | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/testcases/misctestcase.py b/testcases/misctestcase.py
index 4a6b4241..c63d4cae 100644
--- a/testcases/misctestcase.py
+++ b/testcases/misctestcase.py
@@ -50,6 +50,15 @@ class HelpersTest(unittest.TestCase):
 			# might be fragile due to ' vs "
 			self.assertEqual(args, "('Very bad', None)")
 
+# based on
+# http://stackoverflow.com/questions/2186525/use-a-glob-to-find-files-recursively-in-python
+def recursive_glob(treeroot, pattern):
+	import fnmatch, os
+	results = []
+	for base, dirs, files in os.walk(treeroot):
+		goodfiles = fnmatch.filter(dirs + files, pattern)
+		results.extend(os.path.join(base, f) for f in goodfiles)
+	return results
 
 class SetupTest(unittest.TestCase):
 
@@ -70,8 +79,23 @@ class SetupTest(unittest.TestCase):
 		def addpath(l):
 			return [os.path.join(tmp, x) for x in l]
 
-		self.assertEqual(sorted(glob('%s/*' % tmp)),
-						 addpath(['etc', 'usr', 'var']))
+		def strippath(l):
+			return [x[len(tmp)+1:] for x in l]
+
+		got = strippath(sorted(glob('%s/*' % tmp)))
+		need = ['etc', 'usr', 'var']
+
+		if got != need:
+			files = {}
+			for missing in set(got).difference(need):
+				missing_full = os.path.join(tmp, missing)
+				files[missing] = os.path.exists(missing_full) \
+					and strippath(recursive_glob(missing_full, '*')) or None
+
+			self.assertEqual(
+				got, need,
+				msg="Got: %s Needed: %s under %s. Files under new paths: %s"
+				% (got, need, tmp, files))
 
 		# Assure presence of some files we expect to see in the installation
 		for f in ('etc/fail2ban/fail2ban.conf',

From 1b301d723d4b2b8e66ca083d62645d60ec5d264e Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun, 12 May 2013 23:27:32 -0400
Subject: [PATCH 43/46] ENH: also print the failing traceback line in case of
 failure

Also to troubleshoot
https://travis-ci.org/fail2ban/fail2ban/jobs/7112324
---
 testcases/misctestcase.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/testcases/misctestcase.py b/testcases/misctestcase.py
index c63d4cae..d63f8afc 100644
--- a/testcases/misctestcase.py
+++ b/testcases/misctestcase.py
@@ -133,8 +133,8 @@ class TestsUtilsTest(unittest.TestCase):
 				print deep_function(3)
 			except ValueError:
 				s = tb()
-			self.assertFalse('>' in s)  # There is only "fail2ban-testcases" in this case, no true traceback
-			self.assertTrue(':' in s)
+			self.assertFalse('>' in s, msg="'>' present in %r" % s)  # There is only "fail2ban-testcases" in this case, no true traceback
+			self.assertTrue(':' in s, msg="no ':' in %r" % s)
 
 
 	def testFormatterWithTraceBack(self):

From 6aed705f3dd3567256666304c72e2eecedf5f0a3 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun, 12 May 2013 23:42:01 -0400
Subject: [PATCH 44/46] BF: (travis) if tests ran under coverage -- there is a
 traceback parts to report (thus > would be present)

---
 testcases/misctestcase.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/testcases/misctestcase.py b/testcases/misctestcase.py
index d63f8afc..84eafa01 100644
--- a/testcases/misctestcase.py
+++ b/testcases/misctestcase.py
@@ -133,7 +133,13 @@ class TestsUtilsTest(unittest.TestCase):
 				print deep_function(3)
 			except ValueError:
 				s = tb()
-			self.assertFalse('>' in s, msg="'>' present in %r" % s)  # There is only "fail2ban-testcases" in this case, no true traceback
+
+			# if we run it through 'coverage' (e.g. on travis) then we
+			# would get a traceback
+			if 'coverage' in s:
+				self.assertTrue('>' in s, msg="no '>' in %r" % s)
+			else:
+				self.assertFalse('>' in s, msg="'>' present in %r" % s)  # There is only "fail2ban-testcases" in this case, no true traceback
 			self.assertTrue(':' in s, msg="no ':' in %r" % s)
 
 

From 04bf9eceb64059afce466dc5b78bfe1c33a9c25b Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun, 12 May 2013 23:42:57 -0400
Subject: [PATCH 45/46] BF: (travis) relax the test for needed to be presented
 installed directories -- allow new

on travis scripts install into user's home by default
---
 testcases/misctestcase.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/testcases/misctestcase.py b/testcases/misctestcase.py
index 84eafa01..08c8fc30 100644
--- a/testcases/misctestcase.py
+++ b/testcases/misctestcase.py
@@ -85,7 +85,11 @@ class SetupTest(unittest.TestCase):
 		got = strippath(sorted(glob('%s/*' % tmp)))
 		need = ['etc', 'usr', 'var']
 
-		if got != need:
+		# if anything is missing
+		if set(need).difference(got):
+			#  below code was actually to print out not missing but
+			#  rather files in 'excess'.  Left in place in case we
+			#  decide to revert to such more strict test
 			files = {}
 			for missing in set(got).difference(need):
 				missing_full = os.path.join(tmp, missing)

From a7f41af67182c9baae351f9261b5a149ebb5af9b Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Mon, 13 May 2013 11:00:44 -0400
Subject: [PATCH 46/46] All the (version) updates for the release of 0.8.9

---
 ChangeLog             | 4 ++--
 README.md             | 6 +++---
 common/version.py     | 6 +++---
 man/fail2ban-client.1 | 7 +++++--
 man/fail2ban-regex.1  | 4 ++--
 man/fail2ban-server.1 | 4 ++--
 6 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index b8d39b3a..e3ed79a7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,10 +4,10 @@
                        |_| \__,_|_|_/___|_.__/\__,_|_||_|
 
 ================================================================================
-Fail2Ban (version 0.8.9)                                              2013/04/XX
+Fail2Ban (version 0.8.9)                                              2013/05/13
 ================================================================================
 
-ver. 0.8.9 (2013/05/XX) - wanna-be-stable
+ver. 0.8.9 (2013/05/13) - wanna-be-stable
 ----------
 
 Originally targeted as a bugfix release, it incorporated many new
diff --git a/README.md b/README.md
index 65183b92..91deaf19 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
                         / _|__ _(_) |_  ) |__  __ _ _ _  
                        |  _/ _` | | |/ /| '_ \/ _` | ' \ 
                        |_| \__,_|_|_/___|_.__/\__,_|_||_|
-                       v0.8.8                  2012/07/31
+                       v0.8.9                  2013/05/13
 
 ## Fail2Ban: ban hosts that cause multiple authentication errors 
 
@@ -30,8 +30,8 @@ Optional:
 
 To install, just do:
 
-    tar xvfj fail2ban-0.8.8.tar.bz2
-    cd fail2ban-0.8.8
+    tar xvfj fail2ban-0.8.9.tar.bz2
+    cd fail2ban-0.8.9
     python setup.py install
 
 This will install Fail2Ban into /usr/share/fail2ban. The executable scripts are
diff --git a/common/version.py b/common/version.py
index df3b97c3..e6f948cd 100644
--- a/common/version.py
+++ b/common/version.py
@@ -18,10 +18,10 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 # Author: Cyril Jaquier
-# 
+#
 
 __author__ = "Cyril Jaquier, Yaroslav Halchenko"
-__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2012 Yaroslav Halchenko"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko"
 __license__ = "GPL"
 
-version = "0.8.8"
+version = "0.8.9"
diff --git a/man/fail2ban-client.1 b/man/fail2ban-client.1
index 431e690f..d7d620bc 100644
--- a/man/fail2ban-client.1
+++ b/man/fail2ban-client.1
@@ -1,12 +1,12 @@
 .\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.40.10.
-.TH FAIL2BAN-CLIENT "1" "March 2013" "fail2ban-client v0.8.8" "User Commands"
+.TH FAIL2BAN-CLIENT "1" "May 2013" "fail2ban-client v0.8.9" "User Commands"
 .SH NAME
 fail2ban-client \- configure and control the server
 .SH SYNOPSIS
 .B fail2ban-client
 [\fIOPTIONS\fR] \fI<COMMAND>\fR
 .SH DESCRIPTION
-Fail2Ban v0.8.8 reads log file that contains password failure report
+Fail2Ban v0.8.9 reads log file that contains password failure report
 and bans the corresponding IP addresses using firewall rules.
 .SH OPTIONS
 .TP
@@ -62,6 +62,9 @@ server
 .TP
 \fBping\fR
 tests if the server is alive
+.TP
+\fBhelp\fR
+return this output
 .IP
 LOGGING
 .TP
diff --git a/man/fail2ban-regex.1 b/man/fail2ban-regex.1
index 09b9d6b0..a42d96d5 100644
--- a/man/fail2ban-regex.1
+++ b/man/fail2ban-regex.1
@@ -1,12 +1,12 @@
 .\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.40.10.
-.TH FAIL2BAN-REGEX "1" "March 2013" "fail2ban-regex v0.8.8" "User Commands"
+.TH FAIL2BAN-REGEX "1" "May 2013" "fail2ban-regex v0.8.9" "User Commands"
 .SH NAME
 fail2ban-regex \- test Fail2ban "failregex" option
 .SH SYNOPSIS
 .B fail2ban-regex
 [\fIOPTIONS\fR] \fI<LOG> <REGEX> \fR[\fIIGNOREREGEX\fR]
 .SH DESCRIPTION
-Fail2Ban v0.8.8 reads log file that contains password failure report
+Fail2Ban v0.8.9 reads log file that contains password failure report
 and bans the corresponding IP addresses using firewall rules.
 .PP
 This tools can test regular expressions for "fail2ban".
diff --git a/man/fail2ban-server.1 b/man/fail2ban-server.1
index 3f6b013f..43e9d6d4 100644
--- a/man/fail2ban-server.1
+++ b/man/fail2ban-server.1
@@ -1,12 +1,12 @@
 .\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.40.10.
-.TH FAIL2BAN-SERVER "1" "March 2013" "fail2ban-server v0.8.8" "User Commands"
+.TH FAIL2BAN-SERVER "1" "May 2013" "fail2ban-server v0.8.9" "User Commands"
 .SH NAME
 fail2ban-server \- start the server
 .SH SYNOPSIS
 .B fail2ban-server
 [\fIOPTIONS\fR]
 .SH DESCRIPTION
-Fail2Ban v0.8.8 reads log file that contains password failure report
+Fail2Ban v0.8.9 reads log file that contains password failure report
 and bans the corresponding IP addresses using firewall rules.
 .PP
 Only use this command for debugging purpose. Start the server with