diff --git a/config/action.d/hostsdeny.conf b/config/action.d/hostsdeny.conf index 4277fed8..2a93c82b 100644 --- a/config/action.d/hostsdeny.conf +++ b/config/action.d/hostsdeny.conf @@ -31,7 +31,7 @@ actioncheck = # Tags: See jail.conf(5) man page # Values: CMD # -actionban = printf %%b ": <_ip_value>\n" >> +actionban = printf %%b ": \n" >> # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -39,7 +39,7 @@ actionban = printf %%b ": <_ip_value>\n" >> # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = IP=$(echo "<_ip_value>" | sed 's/[][\.]/\\\0/g') && sed -i "/^: $IP$/d" +actionunban = IP=$(echo "" | sed 's/[][\.]/\\\0/g') && sed -i "/^: $IP$/d" [Init] @@ -56,7 +56,7 @@ file = /etc/hosts.deny daemon_list = ALL # internal variable IP (to differentiate the IPv4 and IPv6 syntax, where it is enclosed in brackets): -_ip_value = +ip_value = [Init?family=inet6] -_ip_value = [] +ip_value = [] diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py index c207311d..c9719bf7 100644 --- a/fail2ban/tests/servertestcase.py +++ b/fail2ban/tests/servertestcase.py @@ -1186,6 +1186,22 @@ class ServerConfigReaderTests(LogCaptureTestCase): # 'start', 'stop' - should be found (logged) on action start/stop, # etc. testJailsActions = ( + # hostsdeny -- + ('j-hostsdeny', 'hostsdeny[name=%(__name__)s, actionstop="rm ", file="/tmp/fail2ban.dummy"]', { + 'ip4': ('family: inet4',), 'ip6': ('family: inet6',), + 'ip4-ban': ( + r'''`printf %b "ALL: 192.0.2.1\n" >> /tmp/fail2ban.dummy`''', + ), + 'ip4-unban': ( + r'''`IP=$(echo "192.0.2.1" | sed 's/[][\.]/\\\0/g') && sed -i "/^ALL: $IP$/d" /tmp/fail2ban.dummy`''', + ), + 'ip6-ban': ( + r'''`printf %b "ALL: [2001:db8::]\n" >> /tmp/fail2ban.dummy`''', + ), + 'ip6-unban': ( + r'''`IP=$(echo "[2001:db8::]" | sed 's/[][\.]/\\\0/g') && sed -i "/^ALL: $IP$/d" /tmp/fail2ban.dummy`''', + ), + }), # dummy -- ('j-dummy', 'dummy[name=%(__name__)s, init="==", target="/tmp/fail2ban.dummy"]', { 'ip4': ('family: inet4',), 'ip6': ('family: inet6',), @@ -1198,8 +1214,6 @@ class ServerConfigReaderTests(LogCaptureTestCase): 'stop': ( '`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- stopped"`', ), - 'ip4-check': (), - 'ip6-check': (), 'ip4-ban': ( '`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- banned 192.0.2.1 (family: inet4)"`', ), @@ -1324,8 +1338,6 @@ class ServerConfigReaderTests(LogCaptureTestCase): "`ipset flush f2b-j-w-iptables-ipset6`", "`ipset destroy f2b-j-w-iptables-ipset6`", ), - 'ip4-check': (), - 'ip6-check': (), 'ip4-ban': ( r"`ipset add f2b-j-w-iptables-ipset 192.0.2.1 timeout 600 -exist`", ), @@ -1362,8 +1374,6 @@ class ServerConfigReaderTests(LogCaptureTestCase): "`ipset flush f2b-j-w-iptables-ipset-ap6`", "`ipset destroy f2b-j-w-iptables-ipset-ap6`", ), - 'ip4-check': (), - 'ip6-check': (), 'ip4-ban': ( r"`ipset add f2b-j-w-iptables-ipset-ap 192.0.2.1 timeout 600 -exist`", ), @@ -1671,8 +1681,6 @@ class ServerConfigReaderTests(LogCaptureTestCase): "`ipset flush f2b-j-w-fwcmd-ipset6`", "`ipset destroy f2b-j-w-fwcmd-ipset6`", ), - 'ip4-check': (), - 'ip6-check': (), 'ip4-ban': ( r"`ipset add f2b-j-w-fwcmd-ipset 192.0.2.1 timeout 600 -exist`", ), @@ -1709,8 +1717,6 @@ class ServerConfigReaderTests(LogCaptureTestCase): "`ipset flush f2b-j-w-fwcmd-ipset-ap6`", "`ipset destroy f2b-j-w-fwcmd-ipset-ap6`", ), - 'ip4-check': (), - 'ip6-check': (), 'ip4-ban': ( r"`ipset add f2b-j-w-fwcmd-ipset-ap 192.0.2.1 timeout 600 -exist`", ), @@ -1762,7 +1768,7 @@ class ServerConfigReaderTests(LogCaptureTestCase): action.start() if tests.get('start'): self.assertLogged(*tests['start'], all=True) - else: + elif tests.get('ip4-start') and tests.get('ip6-start'): self.assertNotLogged(*tests['ip4-start']+tests['ip6-start'], all=True) ainfo = { 'ip4': _actions.Actions.ActionInfo(tickets['ip4'], jails[jail]), @@ -1773,24 +1779,24 @@ class ServerConfigReaderTests(LogCaptureTestCase): action.ban(ainfo['ip4']) if tests.get('ip4-start'): self.assertLogged(*tests['ip4-start'], all=True) if tests.get('ip6-start'): self.assertNotLogged(*tests['ip6-start'], all=True) - self.assertLogged(*tests['ip4-check']+tests['ip4-ban'], all=True) + self.assertLogged(*tests.get('ip4-check',())+tests['ip4-ban'], all=True) self.assertNotLogged(*tests['ip6'], all=True) # test unban ip4 : self.pruneLog('# === unban ipv4 ===') action.unban(ainfo['ip4']) - self.assertLogged(*tests['ip4-check']+tests['ip4-unban'], all=True) + self.assertLogged(*tests.get('ip4-check',())+tests['ip4-unban'], all=True) self.assertNotLogged(*tests['ip6'], all=True) # test ban ip6 : self.pruneLog('# === ban ipv6 ===') action.ban(ainfo['ip6']) if tests.get('ip6-start'): self.assertLogged(*tests['ip6-start'], all=True) if tests.get('ip4-start'): self.assertNotLogged(*tests['ip4-start'], all=True) - self.assertLogged(*tests['ip6-check']+tests['ip6-ban'], all=True) + self.assertLogged(*tests.get('ip6-check',())+tests['ip6-ban'], all=True) self.assertNotLogged(*tests['ip4'], all=True) # test unban ip6 : self.pruneLog('# === unban ipv6 ===') action.unban(ainfo['ip6']) - self.assertLogged(*tests['ip6-check']+tests['ip6-unban'], all=True) + self.assertLogged(*tests.get('ip6-check',())+tests['ip6-unban'], all=True) self.assertNotLogged(*tests['ip4'], all=True) # test flush for actions should supported this: if tests.get('flush'): @@ -1800,7 +1806,7 @@ class ServerConfigReaderTests(LogCaptureTestCase): # test stop : self.pruneLog('# === stop ===') action.stop() - self.assertLogged(*tests['stop'], all=True) + if tests.get('stop'): self.assertLogged(*tests['stop'], all=True) def _executeMailCmd(self, realCmd, timeout=60): # replace pipe to mail with pipe to cat: