mirror of https://github.com/fail2ban/fail2ban
amend to (gh-2067) / b34ae5999e0d8ee1af8939527305c13152844b3d: fix parameter in config (dynamic parameters starting with '_' are protected and are not allowed in command-actions);
the interpolation of hostsdeny is test-covered now; closes gh-2114.
pull/2133/head
parent
22e9ccb387
commit
bba7a6c5cf
|
@ -31,7 +31,7 @@ actioncheck =
|
||||||
# Tags: See jail.conf(5) man page
|
# Tags: See jail.conf(5) man page
|
||||||
# Values: CMD
|
# Values: CMD
|
||||||
#
|
#
|
||||||
actionban = printf %%b "<daemon_list>: <_ip_value>\n" >> <file>
|
actionban = printf %%b "<daemon_list>: <ip_value>\n" >> <file>
|
||||||
|
|
||||||
# Option: actionunban
|
# Option: actionunban
|
||||||
# Notes.: command executed when unbanning an IP. Take care that the
|
# Notes.: command executed when unbanning an IP. Take care that the
|
||||||
|
@ -39,7 +39,7 @@ actionban = printf %%b "<daemon_list>: <_ip_value>\n" >> <file>
|
||||||
# Tags: See jail.conf(5) man page
|
# Tags: See jail.conf(5) man page
|
||||||
# Values: CMD
|
# Values: CMD
|
||||||
#
|
#
|
||||||
actionunban = IP=$(echo "<_ip_value>" | sed 's/[][\.]/\\\0/g') && sed -i "/^<daemon_list>: $IP$/d" <file>
|
actionunban = IP=$(echo "<ip_value>" | sed 's/[][\.]/\\\0/g') && sed -i "/^<daemon_list>: $IP$/d" <file>
|
||||||
|
|
||||||
[Init]
|
[Init]
|
||||||
|
|
||||||
|
@ -56,7 +56,7 @@ file = /etc/hosts.deny
|
||||||
daemon_list = ALL
|
daemon_list = ALL
|
||||||
|
|
||||||
# internal variable IP (to differentiate the IPv4 and IPv6 syntax, where it is enclosed in brackets):
|
# internal variable IP (to differentiate the IPv4 and IPv6 syntax, where it is enclosed in brackets):
|
||||||
_ip_value = <ip>
|
ip_value = <ip>
|
||||||
|
|
||||||
[Init?family=inet6]
|
[Init?family=inet6]
|
||||||
_ip_value = [<ip>]
|
ip_value = [<ip>]
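Review bot: The `actionunban` line escapes brackets, dots and backslashes in `<ip_value>` before using it as a sed pattern, but `<daemon_list>` goes into the same pattern raw and `<file>` is passed unquoted in both `actionban` and `actionunban`. A daemon list containing `.`, `*` or `/` would over-match or break the sed address, and a path containing whitespace would be word-split by the shell. Consider quoting the path (`>> "<file>"` and `sed -i ... "<file>"`) and adding a comment next to `daemon_list = ALL` such as `# used verbatim in the unban sed pattern: must not contain regex metacharacters or '/'`. Since the renamed `ip_value` no longer carries the protected `_` prefix, it can presumably be overridden from a jail's action options, so the "internal variable" comment could state that it is not meant to be set by users.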
|
||||||
|
|
|
@ -1186,6 +1186,22 @@ class ServerConfigReaderTests(LogCaptureTestCase):
|
||||||
# 'start', 'stop' - should be found (logged) on action start/stop,
|
# 'start', 'stop' - should be found (logged) on action start/stop,
|
||||||
# etc.
|
# etc.
|
||||||
testJailsActions = (
|
testJailsActions = (
|
||||||
|
# hostsdeny --
|
||||||
|
('j-hostsdeny', 'hostsdeny[name=%(__name__)s, actionstop="rm <file>", file="/tmp/fail2ban.dummy"]', {
|
||||||
|
'ip4': ('family: inet4',), 'ip6': ('family: inet6',),
|
||||||
|
'ip4-ban': (
|
||||||
|
r'''`printf %b "ALL: 192.0.2.1\n" >> /tmp/fail2ban.dummy`''',
|
||||||
|
),
|
||||||
|
'ip4-unban': (
|
||||||
|
r'''`IP=$(echo "192.0.2.1" | sed 's/[][\.]/\\\0/g') && sed -i "/^ALL: $IP$/d" /tmp/fail2ban.dummy`''',
|
||||||
|
),
|
||||||
|
'ip6-ban': (
|
||||||
|
r'''`printf %b "ALL: [2001:db8::]\n" >> /tmp/fail2ban.dummy`''',
|
||||||
|
),
|
||||||
|
'ip6-unban': (
|
||||||
|
r'''`IP=$(echo "[2001:db8::]" | sed 's/[][\.]/\\\0/g') && sed -i "/^ALL: $IP$/d" /tmp/fail2ban.dummy`''',
|
||||||
|
),
|
||||||
|
}),
|
||||||
# dummy --
|
# dummy --
|
||||||
('j-dummy', 'dummy[name=%(__name__)s, init="==", target="/tmp/fail2ban.dummy"]', {
|
('j-dummy', 'dummy[name=%(__name__)s, init="==", target="/tmp/fail2ban.dummy"]', {
|
||||||
'ip4': ('family: inet4',), 'ip6': ('family: inet6',),
|
'ip4': ('family: inet4',), 'ip6': ('family: inet6',),
|
||||||
|
@ -1198,8 +1214,6 @@ class ServerConfigReaderTests(LogCaptureTestCase):
|
||||||
'stop': (
|
'stop': (
|
||||||
'`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- stopped"`',
|
'`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- stopped"`',
|
||||||
),
|
),
|
||||||
'ip4-check': (),
|
|
||||||
'ip6-check': (),
|
|
||||||
'ip4-ban': (
|
'ip4-ban': (
|
||||||
'`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- banned 192.0.2.1 (family: inet4)"`',
|
'`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- banned 192.0.2.1 (family: inet4)"`',
|
||||||
),
|
),
|
||||||
|
@ -1324,8 +1338,6 @@ class ServerConfigReaderTests(LogCaptureTestCase):
|
||||||
"`ipset flush f2b-j-w-iptables-ipset6`",
|
"`ipset flush f2b-j-w-iptables-ipset6`",
|
||||||
"`ipset destroy f2b-j-w-iptables-ipset6`",
|
"`ipset destroy f2b-j-w-iptables-ipset6`",
|
||||||
),
|
),
|
||||||
'ip4-check': (),
|
|
||||||
'ip6-check': (),
|
|
||||||
'ip4-ban': (
|
'ip4-ban': (
|
||||||
r"`ipset add f2b-j-w-iptables-ipset 192.0.2.1 timeout 600 -exist`",
|
r"`ipset add f2b-j-w-iptables-ipset 192.0.2.1 timeout 600 -exist`",
|
||||||
),
|
),
|
||||||
|
@ -1362,8 +1374,6 @@ class ServerConfigReaderTests(LogCaptureTestCase):
|
||||||
"`ipset flush f2b-j-w-iptables-ipset-ap6`",
|
"`ipset flush f2b-j-w-iptables-ipset-ap6`",
|
||||||
"`ipset destroy f2b-j-w-iptables-ipset-ap6`",
|
"`ipset destroy f2b-j-w-iptables-ipset-ap6`",
|
||||||
),
|
),
|
||||||
'ip4-check': (),
|
|
||||||
'ip6-check': (),
|
|
||||||
'ip4-ban': (
|
'ip4-ban': (
|
||||||
r"`ipset add f2b-j-w-iptables-ipset-ap 192.0.2.1 timeout 600 -exist`",
|
r"`ipset add f2b-j-w-iptables-ipset-ap 192.0.2.1 timeout 600 -exist`",
|
||||||
),
|
),
|
||||||
|
@ -1671,8 +1681,6 @@ class ServerConfigReaderTests(LogCaptureTestCase):
|
||||||
"`ipset flush f2b-j-w-fwcmd-ipset6`",
|
"`ipset flush f2b-j-w-fwcmd-ipset6`",
|
||||||
"`ipset destroy f2b-j-w-fwcmd-ipset6`",
|
"`ipset destroy f2b-j-w-fwcmd-ipset6`",
|
||||||
),
|
),
|
||||||
'ip4-check': (),
|
|
||||||
'ip6-check': (),
|
|
||||||
'ip4-ban': (
|
'ip4-ban': (
|
||||||
r"`ipset add f2b-j-w-fwcmd-ipset 192.0.2.1 timeout 600 -exist`",
|
r"`ipset add f2b-j-w-fwcmd-ipset 192.0.2.1 timeout 600 -exist`",
|
||||||
),
|
),
|
||||||
|
@ -1709,8 +1717,6 @@ class ServerConfigReaderTests(LogCaptureTestCase):
|
||||||
"`ipset flush f2b-j-w-fwcmd-ipset-ap6`",
|
"`ipset flush f2b-j-w-fwcmd-ipset-ap6`",
|
||||||
"`ipset destroy f2b-j-w-fwcmd-ipset-ap6`",
|
"`ipset destroy f2b-j-w-fwcmd-ipset-ap6`",
|
||||||
),
|
),
|
||||||
'ip4-check': (),
|
|
||||||
'ip6-check': (),
|
|
||||||
'ip4-ban': (
|
'ip4-ban': (
|
||||||
r"`ipset add f2b-j-w-fwcmd-ipset-ap 192.0.2.1 timeout 600 -exist`",
|
r"`ipset add f2b-j-w-fwcmd-ipset-ap 192.0.2.1 timeout 600 -exist`",
|
||||||
),
|
),
|
||||||
|
@ -1762,7 +1768,7 @@ class ServerConfigReaderTests(LogCaptureTestCase):
|
||||||
action.start()
|
action.start()
|
||||||
if tests.get('start'):
|
if tests.get('start'):
|
||||||
self.assertLogged(*tests['start'], all=True)
|
self.assertLogged(*tests['start'], all=True)
|
||||||
else:
|
elif tests.get('ip4-start') and tests.get('ip6-start'):
|
||||||
self.assertNotLogged(*tests['ip4-start']+tests['ip6-start'], all=True)
|
self.assertNotLogged(*tests['ip4-start']+tests['ip6-start'], all=True)
|
||||||
ainfo = {
|
ainfo = {
|
||||||
'ip4': _actions.Actions.ActionInfo(tickets['ip4'], jails[jail]),
|
'ip4': _actions.Actions.ActionInfo(tickets['ip4'], jails[jail]),
|
||||||
|
@ -1773,24 +1779,24 @@ class ServerConfigReaderTests(LogCaptureTestCase):
|
||||||
action.ban(ainfo['ip4'])
|
action.ban(ainfo['ip4'])
|
||||||
if tests.get('ip4-start'): self.assertLogged(*tests['ip4-start'], all=True)
|
if tests.get('ip4-start'): self.assertLogged(*tests['ip4-start'], all=True)
|
||||||
if tests.get('ip6-start'): self.assertNotLogged(*tests['ip6-start'], all=True)
|
if tests.get('ip6-start'): self.assertNotLogged(*tests['ip6-start'], all=True)
|
||||||
self.assertLogged(*tests['ip4-check']+tests['ip4-ban'], all=True)
|
self.assertLogged(*tests.get('ip4-check',())+tests['ip4-ban'], all=True)
|
||||||
self.assertNotLogged(*tests['ip6'], all=True)
|
self.assertNotLogged(*tests['ip6'], all=True)
|
||||||
# test unban ip4 :
|
# test unban ip4 :
|
||||||
self.pruneLog('# === unban ipv4 ===')
|
self.pruneLog('# === unban ipv4 ===')
|
||||||
action.unban(ainfo['ip4'])
|
action.unban(ainfo['ip4'])
|
||||||
self.assertLogged(*tests['ip4-check']+tests['ip4-unban'], all=True)
|
self.assertLogged(*tests.get('ip4-check',())+tests['ip4-unban'], all=True)
|
||||||
self.assertNotLogged(*tests['ip6'], all=True)
|
self.assertNotLogged(*tests['ip6'], all=True)
|
||||||
# test ban ip6 :
|
# test ban ip6 :
|
||||||
self.pruneLog('# === ban ipv6 ===')
|
self.pruneLog('# === ban ipv6 ===')
|
||||||
action.ban(ainfo['ip6'])
|
action.ban(ainfo['ip6'])
|
||||||
if tests.get('ip6-start'): self.assertLogged(*tests['ip6-start'], all=True)
|
if tests.get('ip6-start'): self.assertLogged(*tests['ip6-start'], all=True)
|
||||||
if tests.get('ip4-start'): self.assertNotLogged(*tests['ip4-start'], all=True)
|
if tests.get('ip4-start'): self.assertNotLogged(*tests['ip4-start'], all=True)
|
||||||
self.assertLogged(*tests['ip6-check']+tests['ip6-ban'], all=True)
|
self.assertLogged(*tests.get('ip6-check',())+tests['ip6-ban'], all=True)
|
||||||
self.assertNotLogged(*tests['ip4'], all=True)
|
self.assertNotLogged(*tests['ip4'], all=True)
|
||||||
# test unban ip6 :
|
# test unban ip6 :
|
||||||
self.pruneLog('# === unban ipv6 ===')
|
self.pruneLog('# === unban ipv6 ===')
|
||||||
action.unban(ainfo['ip6'])
|
action.unban(ainfo['ip6'])
|
||||||
self.assertLogged(*tests['ip6-check']+tests['ip6-unban'], all=True)
|
self.assertLogged(*tests.get('ip6-check',())+tests['ip6-unban'], all=True)
|
||||||
self.assertNotLogged(*tests['ip4'], all=True)
|
self.assertNotLogged(*tests['ip4'], all=True)
|
||||||
# test flush for actions should supported this:
|
# test flush for actions should supported this:
|
||||||
if tests.get('flush'):
|
if tests.get('flush'):
|
||||||
|
@ -1800,7 +1806,7 @@ class ServerConfigReaderTests(LogCaptureTestCase):
|
||||||
# test stop :
|
# test stop :
|
||||||
self.pruneLog('# === stop ===')
|
self.pruneLog('# === stop ===')
|
||||||
action.stop()
|
action.stop()
|
||||||
self.assertLogged(*tests['stop'], all=True)
|
if tests.get('stop'): self.assertLogged(*tests['stop'], all=True)
|
||||||
|
|
||||||
def _executeMailCmd(self, realCmd, timeout=60):
|
def _executeMailCmd(self, realCmd, timeout=60):
|
||||||
# replace pipe to mail with pipe to cat:
|
# replace pipe to mail with pipe to cat:
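Review bot: The new `j-hostsdeny` entry sets `actionstop="rm <file>"` but defines no `'stop'` expectation, and with the stop assertion now guarded by `if tests.get('stop'):` that command is never checked. Adding a `'stop'` tuple that expects the interpolated `rm /tmp/fail2ban.dummy` command (in the same backtick-wrapped form the other entries use, assuming it is logged the same way) would cover the `<file>` interpolation on stop as well. The same relaxation means a forgotten or misspelled `'stop'` key in any entry now passes silently, and the `elif tests.get('ip4-start') and tests.get('ip6-start'):` branch skips the negative check when only one family defines a start command. The enclosing test method begins outside the visible hunks.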
|
||||||
|
|