From 8e3c1b73e907b82a26239b554ec30c55f1242cc9 Mon Sep 17 00:00:00 2001
From: hazg <hazg@mail.ru>
Date: Mon, 21 Oct 2013 13:00:04 +0400
Subject: [PATCH 1/7] ignorecommand

---
 client/filterreader.py |  26 +++----
 client/jailreader.py   |  29 ++++----
 common/protocol.py     |  72 ++++++++++---------
 config/jail.conf       |   3 +
 server/filter.py       |  43 ++++++++---
 server/server.py       | 158 +++++++++++++++++++++--------------------
 server/transmitter.py  |  30 ++++----
 7 files changed, 202 insertions(+), 159 deletions(-)

diff --git a/client/filterreader.py b/client/filterreader.py
index f75190f9..0c81f083 100644
--- a/client/filterreader.py
+++ b/client/filterreader.py
@@ -18,7 +18,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 # Author: Cyril Jaquier
-# 
+#
 
 __author__ = "Cyril Jaquier"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
@@ -31,32 +31,34 @@ from configreader import ConfigReader
 logSys = logging.getLogger("fail2ban.client.config")
 
 class FilterReader(ConfigReader):
-	
+
 	def __init__(self, fileName, name, **kwargs):
 		ConfigReader.__init__(self, **kwargs)
 		self.__file = fileName
 		self.__name = name
-	
+
 	def setFile(self, fileName):
 		self.__file = fileName
-	
+
 	def getFile(self):
 		return self.__file
-	
+
 	def setName(self, name):
 		self.__name = name
-	
+
 	def getName(self):
 		return self.__name
-	
+
 	def read(self):
 		return ConfigReader.read(self, "filter.d/" + self.__file)
-	
+
 	def getOptions(self, pOpts):
 		opts = [["string", "ignoreregex", ""],
-				["string", "failregex", ""]]
+				["string", "failregex", ""],
+				["string", "ignorecommand", ""]
+				]
 		self.__opts = ConfigReader.getOptions(self, "Definition", opts, pOpts)
-	
+
 	def convert(self):
 		stream = list()
 		for opt in self.__opts:
@@ -69,6 +71,6 @@ class FilterReader(ConfigReader):
 				for regex in self.__opts[opt].split('\n'):
 					# Do not send a command if the rule is empty.
 					if regex != '':
-						stream.append(["set", self.__name, "addignoreregex", regex])		
+						stream.append(["set", self.__name, "addignoreregex", regex])
 		return stream
-		
+
diff --git a/client/jailreader.py b/client/jailreader.py
index 7fbac423..7073c0cb 100644
--- a/client/jailreader.py
+++ b/client/jailreader.py
@@ -18,7 +18,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 # Author: Cyril Jaquier
-# 
+#
 
 __author__ = "Cyril Jaquier"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
@@ -34,25 +34,25 @@ from actionreader import ActionReader
 logSys = logging.getLogger("fail2ban.client.config")
 
 class JailReader(ConfigReader):
-	
+
 	actionCRE = re.compile("^((?:\w|-|_|\.)+)(?:\[(.*)\])?$")
-	
+
 	def __init__(self, name, force_enable=False, **kwargs):
 		ConfigReader.__init__(self, **kwargs)
 		self.__name = name
 		self.__filter = None
 		self.__force_enable = force_enable
 		self.__actions = list()
-	
+
 	def setName(self, value):
 		self.__name = value
-	
+
 	def getName(self):
 		return self.__name
-	
+
 	def read(self):
 		return ConfigReader.read(self, "jail")
-	
+
 	def isEnabled(self):
 		return self.__force_enable or self.__opts["enabled"]
 
@@ -81,12 +81,13 @@ class JailReader(ConfigReader):
 				["int", "bantime", 600],
 				["string", "usedns", "warn"],
 				["string", "failregex", None],
+				["string", "ignorecommand", None],
 				["string", "ignoreregex", None],
 				["string", "ignoreip", None],
 				["string", "filter", ""],
 				["string", "action", ""]]
 		self.__opts = ConfigReader.getOptions(self, self.__name, opts)
-		
+
 		if self.isEnabled():
 			# Read filter
 			self.__filter = FilterReader(self.__opts["filter"], self.__name,
@@ -97,7 +98,7 @@ class JailReader(ConfigReader):
 			else:
 				logSys.error("Unable to read the filter")
 				return False
-			
+
 			# Read action
 			for act in self.__opts["action"].split('\n'):
 				try:
@@ -118,7 +119,7 @@ class JailReader(ConfigReader):
 			if not len(self.__actions):
 				logSys.warn("No actions were defined for %s" % self.__name)
 		return True
-	
+
 	def convert(self, allow_no_files=False):
 		"""Convert read before __opts to the commands stream
 
@@ -160,6 +161,8 @@ class JailReader(ConfigReader):
 				stream.append(["set", self.__name, "usedns", self.__opts[opt]])
 			elif opt == "failregex":
 				stream.append(["set", self.__name, "addfailregex", self.__opts[opt]])
+			elif opt == "ignorecommand":
+				stream.append(["set", self.__name, "ignorecommand", self.__opts[opt]])
 			elif opt == "ignoreregex":
 				for regex in self.__opts[opt].split('\n'):
 					# Do not send a command if the rule is empty.
@@ -170,7 +173,7 @@ class JailReader(ConfigReader):
 			stream.extend(action.convert())
 		stream.insert(0, ["add", self.__name, backend])
 		return stream
-	
+
 	#@staticmethod
 	def splitAction(action):
 		m = JailReader.actionCRE.match(action)
@@ -202,12 +205,12 @@ class JailReader(ConfigReader):
 						actions += "<COMMA>"
 					else:
 						actions += c
-			
+
 			# Split using ,
 			actionsSplit = actions.split(',')
 			# Replace the tag <COMMA> with ,
 			actionsSplit = [n.replace("<COMMA>", ',') for n in actionsSplit]
-			
+
 			for param in actionsSplit:
 				p = param.split('=')
 				try:
diff --git a/common/protocol.py b/common/protocol.py
index 9309ce7f..9e5ede7a 100644
--- a/common/protocol.py
+++ b/common/protocol.py
@@ -18,7 +18,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 # Author: Cyril Jaquier
-# 
+#
 
 __author__ = "Cyril Jaquier"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
@@ -31,49 +31,51 @@ import textwrap
 
 protocol = [
 ['', "BASIC", ""],
-["start", "starts the server and the jails"], 
-["reload", "reloads the configuration"], 
-["reload <JAIL>", "reloads the jail <JAIL>"], 
-["stop", "stops all jails and terminate the server"], 
-["status", "gets the current status of the server"], 
-["ping", "tests if the server is alive"], 
-["help", "return this output"], 
+["start", "starts the server and the jails"],
+["reload", "reloads the configuration"],
+["reload <JAIL>", "reloads the jail <JAIL>"],
+["stop", "stops all jails and terminate the server"],
+["status", "gets the current status of the server"],
+["ping", "tests if the server is alive"],
+["help", "return this output"],
 ['', "LOGGING", ""],
-["set loglevel <LEVEL>", "sets logging level to <LEVEL>. 0 is minimal, 4 is debug"], 
-["get loglevel", "gets the logging level"], 
-["set logtarget <TARGET>", "sets logging target to <TARGET>. Can be STDOUT, STDERR, SYSLOG or a file"], 
-["get logtarget", "gets logging target"], 
+["set loglevel <LEVEL>", "sets logging level to <LEVEL>. 0 is minimal, 4 is debug"],
+["get loglevel", "gets the logging level"],
+["set logtarget <TARGET>", "sets logging target to <TARGET>. Can be STDOUT, STDERR, SYSLOG or a file"],
+["get logtarget", "gets logging target"],
 ['', "JAIL CONTROL", ""],
-["add <JAIL> <BACKEND>", "creates <JAIL> using <BACKEND>"], 
-["start <JAIL>", "starts the jail <JAIL>"], 
-["stop <JAIL>", "stops the jail <JAIL>. The jail is removed"], 
+["add <JAIL> <BACKEND>", "creates <JAIL> using <BACKEND>"],
+["start <JAIL>", "starts the jail <JAIL>"],
+["stop <JAIL>", "stops the jail <JAIL>. The jail is removed"],
 ["status <JAIL>", "gets the current status of <JAIL>"],
 ['', "JAIL CONFIGURATION", ""],
-["set <JAIL> idle on|off", "sets the idle state of <JAIL>"], 
-["set <JAIL> addignoreip <IP>", "adds <IP> to the ignore list of <JAIL>"], 
-["set <JAIL> delignoreip <IP>", "removes <IP> from the ignore list of <JAIL>"], 
-["set <JAIL> addlogpath <FILE>", "adds <FILE> to the monitoring list of <JAIL>"], 
+["set <JAIL> ignorecommand <VALUE>", "sets ignorecommand of <JAIL>"],
+["set <JAIL> idle on|off", "sets the idle state of <JAIL>"],
+["set <JAIL> addignoreip <IP>", "adds <IP> to the ignore list of <JAIL>"],
+["set <JAIL> delignoreip <IP>", "removes <IP> from the ignore list of <JAIL>"],
+["set <JAIL> addlogpath <FILE>", "adds <FILE> to the monitoring list of <JAIL>"],
 ["set <JAIL> dellogpath <FILE>", "removes <FILE> from the monitoring list of <JAIL>"],
-["set <JAIL> addfailregex <REGEX>", "adds the regular expression <REGEX> which must match failures for <JAIL>"], 
-["set <JAIL> delfailregex <INDEX>", "removes the regular expression at <INDEX> for failregex"], 
+["set <JAIL> addfailregex <REGEX>", "adds the regular expression <REGEX> which must match failures for <JAIL>"],
+["set <JAIL> delfailregex <INDEX>", "removes the regular expression at <INDEX> for failregex"],
 ["set <JAIL> addignoreregex <REGEX>", "adds the regular expression <REGEX> which should match pattern to exclude for <JAIL>"],
-["set <JAIL> delignoreregex <INDEX>", "removes the regular expression at <INDEX> for ignoreregex"], 
-["set <JAIL> findtime <TIME>", "sets the number of seconds <TIME> for which the filter will look back for <JAIL>"], 
-["set <JAIL> bantime <TIME>", "sets the number of seconds <TIME> a host will be banned for <JAIL>"], 
+["set <JAIL> delignoreregex <INDEX>", "removes the regular expression at <INDEX> for ignoreregex"],
+["set <JAIL> findtime <TIME>", "sets the number of seconds <TIME> for which the filter will look back for <JAIL>"],
+["set <JAIL> bantime <TIME>", "sets the number of seconds <TIME> a host will be banned for <JAIL>"],
 ["set <JAIL> usedns <VALUE>", "sets the usedns mode for <JAIL>"],
-["set <JAIL> banip <IP>", "manually Ban <IP> for <JAIL>"], 
-["set <JAIL> unbanip <IP>", "manually Unban <IP> in <JAIL>"], 
-["set <JAIL> maxretry <RETRY>", "sets the number of failures <RETRY> before banning the host for <JAIL>"], 
-["set <JAIL> addaction <ACT>", "adds a new action named <NAME> for <JAIL>"], 
-["set <JAIL> delaction <ACT>", "removes the action <NAME> from <JAIL>"], 
-["set <JAIL> setcinfo <ACT> <KEY> <VALUE>", "sets <VALUE> for <KEY> of the action <NAME> for <JAIL>"], 
-["set <JAIL> delcinfo <ACT> <KEY>", "removes <KEY> for the action <NAME> for <JAIL>"], 
-["set <JAIL> actionstart <ACT> <CMD>", "sets the start command <CMD> of the action <ACT> for <JAIL>"], 
-["set <JAIL> actionstop <ACT> <CMD>", "sets the stop command <CMD> of the action <ACT> for <JAIL>"], 
-["set <JAIL> actioncheck <ACT> <CMD>", "sets the check command <CMD> of the action <ACT> for <JAIL>"], 
+["set <JAIL> banip <IP>", "manually Ban <IP> for <JAIL>"],
+["set <JAIL> unbanip <IP>", "manually Unban <IP> in <JAIL>"],
+["set <JAIL> maxretry <RETRY>", "sets the number of failures <RETRY> before banning the host for <JAIL>"],
+["set <JAIL> addaction <ACT>", "adds a new action named <NAME> for <JAIL>"],
+["set <JAIL> delaction <ACT>", "removes the action <NAME> from <JAIL>"],
+["set <JAIL> setcinfo <ACT> <KEY> <VALUE>", "sets <VALUE> for <KEY> of the action <NAME> for <JAIL>"],
+["set <JAIL> delcinfo <ACT> <KEY>", "removes <KEY> for the action <NAME> for <JAIL>"],
+["set <JAIL> actionstart <ACT> <CMD>", "sets the start command <CMD> of the action <ACT> for <JAIL>"],
+["set <JAIL> actionstop <ACT> <CMD>", "sets the stop command <CMD> of the action <ACT> for <JAIL>"],
+["set <JAIL> actioncheck <ACT> <CMD>", "sets the check command <CMD> of the action <ACT> for <JAIL>"],
 ["set <JAIL> actionban <ACT> <CMD>", "sets the ban command <CMD> of the action <ACT> for <JAIL>"],
-["set <JAIL> actionunban <ACT> <CMD>", "sets the unban command <CMD> of the action <ACT> for <JAIL>"], 
+["set <JAIL> actionunban <ACT> <CMD>", "sets the unban command <CMD> of the action <ACT> for <JAIL>"],
 ['', "JAIL INFORMATION", ""],
+["get <JAIL> ignorecommand", "gets ignorecommand of <JAIL>"],
 ["get <JAIL> logpath", "gets the list of the monitored files for <JAIL>"],
 ["get <JAIL> ignoreip", "gets the list of ignored IP addresses for <JAIL>"],
 ["get <JAIL> failregex", "gets the list of regular expressions which matches the failures for <JAIL>"],
diff --git a/config/jail.conf b/config/jail.conf
index e6a89cba..92bfa726 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -34,6 +34,9 @@ ignoreip = 127.0.0.1/8
 # "bantime" is the number of seconds that a host is banned.
 bantime  = 600
 
+# External command with space separated output ips to ignore
+# ignorecommand = /path/to/command
+
 # A host is banned if it has generated "maxretry" during the last "findtime"
 # seconds.
 findtime  = 600
diff --git a/server/filter.py b/server/filter.py
index 80433c01..fc6cf5bf 100644
--- a/server/filter.py
+++ b/server/filter.py
@@ -21,8 +21,7 @@ __author__ = "Cyril Jaquier and Fail2Ban Contributors"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko"
 __license__ = "GPL"
 
-import sys
-
+#import sys, os, getopt
 from failmanager import FailManagerEmpty
 from failmanager import FailManager
 from ticket import FailTicket
@@ -43,6 +42,7 @@ logSys = logging.getLogger("fail2ban.filter")
 # that matches a given regular expression. This class is instantiated by
 # a Jail object.
 
+
 class Filter(JailThread):
 
 	##
@@ -67,12 +67,13 @@ class Filter(JailThread):
 		self.__findTime = 6000
 		## The ignore IP list.
 		self.__ignoreIpList = []
+		## External command
+		self.__ignoreCommand = False
 
 		self.dateDetector = DateDetector()
 		self.dateDetector.addDefaultTemplate()
 		logSys.debug("Created %s" % self)
 
-
 	def __repr__(self):
 		return "%s(%r)" % (self.__class__.__name__, self.jail)
 
@@ -91,7 +92,6 @@ class Filter(JailThread):
 			logSys.error(e)
 			raise e
 
-
 	def delFailRegex(self, index):
 		try:
 			del self.__failRegex[index]
@@ -123,7 +123,7 @@ class Filter(JailThread):
 			self.__ignoreRegex.append(regex)
 		except RegexException, e:
 			logSys.error(e)
-			raise e 
+			raise e
 
 	def delIgnoreRegex(self, index):
 		try:
@@ -209,9 +209,24 @@ class Filter(JailThread):
 	# file has been modified and looks for failures.
 	# @return True when the thread exits nicely
 
-	def run(self): # pragma: no cover
+	def run(self):  # pragma: no cover
 		raise Exception("run() is abstract")
 
+
+	##
+	# Set external command, for ignoredips
+	# hazg@mail.ru
+	#
+	def setIgnoreCommand(self, command):
+		self.__ignoreCommand = command
+
+	##
+	# Get external command, for ignoredips
+	# hazg@mail.ru
+	#
+	def getIgnoreCommand(self):
+		return self.__ignoreCommand
+
 	##
 	# Ban an IP - http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html
 	# Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
@@ -224,7 +239,7 @@ class Filter(JailThread):
 			self.failManager.addFailure(FailTicket(ip, unixTime))
 
 		# Perform the banning of the IP now.
-		try: # pragma: no branch - exception is the only way out
+		try:  # pragma: no branch - exception is the only way out
 			while True:
 				ticket = self.failManager.toBan()
 				self.jail.putFailTicket(ticket)
@@ -249,8 +264,11 @@ class Filter(JailThread):
 		self.__ignoreIpList.remove(ip)
 
 	def getIgnoreIP(self):
-		return self.__ignoreIpList
-
+		#logSys.info(self.jail.opts)
+		if self.__ignoreCommand is not False:
+			return self.__ignoreIpList + os.popen(self.__ignoreCommand).read().split(" ")
+		else:
+			return self.__ignoreIpList
 	##
 	# Check if IP address/DNS is in the ignore list.
 	#
@@ -258,12 +276,17 @@ class Filter(JailThread):
 	# mask in the ignore list.
 	# @param ip IP address
 	# @return True if IP address is in ignore list
-
 	def inIgnoreIPList(self, ip):
 		for i in self.__ignoreIpList:
 			# An empty string is always false
 			if i == "":
 				continue
+			# External command with ips to ignore
+			if self.__ignoreCommand is not False:
+				ignored_ips = os.popen(self.__ignoreCommand).read().split(" ")
+				if ip in ignored_ips:
+					continue
+
 			s = i.split('/', 1)
 			# IP address without CIDR mask
 			if len(s) == 1:
diff --git a/server/server.py b/server/server.py
index 773fdf0b..4653e1f2 100644
--- a/server/server.py
+++ b/server/server.py
@@ -18,7 +18,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 # Author: Cyril Jaquier
-# 
+#
 
 __author__ = "Cyril Jaquier"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
@@ -36,7 +36,7 @@ import logging, logging.handlers, sys, os, signal
 logSys = logging.getLogger("fail2ban.server")
 
 class Server:
-	
+
 	def __init__(self, daemon = False):
 		self.__loggingLock = Lock()
 		self.__lock = RLock()
@@ -49,18 +49,18 @@ class Server:
 		# Set logging level
 		self.setLogLevel(3)
 		self.setLogTarget("STDOUT")
-	
+
 	def __sigTERMhandler(self, signum, frame):
 		logSys.debug("Caught signal %d. Exiting" % signum)
 		self.quit()
-	
+
 	def start(self, sock, pidfile, force = False):
 		logSys.info("Starting Fail2ban v" + version.version)
-		
+
 		# Install signal handlers
 		signal.signal(signal.SIGTERM, self.__sigTERMhandler)
 		signal.signal(signal.SIGINT, self.__sigTERMhandler)
-		
+
 		# First set the mask to only allow access to owner
 		os.umask(0077)
 		if self.__daemon: # pragma: no cover
@@ -71,7 +71,7 @@ class Server:
 			else:
 				logSys.error("Could not create daemon")
 				raise ServerInitializationError("Could not create daemon")
-		
+
 		# Creates a PID file.
 		try:
 			logSys.debug("Creating PID file %s" % pidfile)
@@ -80,7 +80,7 @@ class Server:
 			pidFile.close()
 		except IOError, e:
 			logSys.error("Unable to create PID file: %s" % e)
-		
+
 		# Start the communication
 		logSys.debug("Starting communication")
 		try:
@@ -94,7 +94,7 @@ class Server:
 		except OSError, e:
 			logSys.error("Unable to remove PID file: %s" % e)
 		logSys.info("Exiting Fail2ban")
-	
+
 	def quit(self):
 		# Stop communication first because if jail's unban action
 		# tries to communicate via fail2ban-client we get a lockup
@@ -114,13 +114,13 @@ class Server:
 		finally:
 			self.__loggingLock.release()
 
-	
+
 	def addJail(self, name, backend):
 		self.__jails.add(name, backend)
-		
+
 	def delJail(self, name):
 		self.__jails.remove(name)
-	
+
 	def startJail(self, name):
 		try:
 			self.__lock.acquire()
@@ -128,7 +128,7 @@ class Server:
 				self.__jails.get(name).start()
 		finally:
 			self.__lock.release()
-	
+
 	def stopJail(self, name):
 		logSys.debug("Stopping jail %s" % name)
 		try:
@@ -138,7 +138,7 @@ class Server:
 				self.delJail(name)
 		finally:
 			self.__lock.release()
-	
+
 	def stopAllJail(self):
 		logSys.info("Stopping all jails")
 		try:
@@ -147,134 +147,140 @@ class Server:
 				self.stopJail(jail)
 		finally:
 			self.__lock.release()
-	
+
 	def isAlive(self, name):
 		return self.__jails.get(name).isAlive()
-	
+
 	def setIdleJail(self, name, value):
 		self.__jails.get(name).setIdle(value)
 		return True
 
 	def getIdleJail(self, name):
 		return self.__jails.get(name).getIdle()
-	
+
 	# Filter
 	def addIgnoreIP(self, name, ip):
 		self.__jails.getFilter(name).addIgnoreIP(ip)
-	
+
 	def delIgnoreIP(self, name, ip):
 		self.__jails.getFilter(name).delIgnoreIP(ip)
-	
+
 	def getIgnoreIP(self, name):
 		return self.__jails.getFilter(name).getIgnoreIP()
-	
+
 	def addLogPath(self, name, fileName):
 		self.__jails.getFilter(name).addLogPath(fileName)
-	
+
 	def delLogPath(self, name, fileName):
 		self.__jails.getFilter(name).delLogPath(fileName)
-	
+
 	def getLogPath(self, name):
 		return [m.getFileName()
 				for m in self.__jails.getFilter(name).getLogPath()]
-	
+
 	def setFindTime(self, name, value):
 		self.__jails.getFilter(name).setFindTime(value)
-	
+
 	def getFindTime(self, name):
 		return self.__jails.getFilter(name).getFindTime()
 
 	def addFailRegex(self, name, value):
 		self.__jails.getFilter(name).addFailRegex(value)
-	
+
+	def setIgnoreCommand(self, name, value):
+		self.__jails.getFilter(name).setIgnoreCommand(value)
+	def getIgnoreCommand(self, name):
+		self.__jails.getFilter(name).getIgnoreCommand()
+
+
 	def delFailRegex(self, name, index):
 		self.__jails.getFilter(name).delFailRegex(index)
-	
+
 	def getFailRegex(self, name):
 		return self.__jails.getFilter(name).getFailRegex()
-	
+
 	def addIgnoreRegex(self, name, value):
 		self.__jails.getFilter(name).addIgnoreRegex(value)
-	
+
 	def delIgnoreRegex(self, name, index):
 		self.__jails.getFilter(name).delIgnoreRegex(index)
-	
+
 	def getIgnoreRegex(self, name):
 		return self.__jails.getFilter(name).getIgnoreRegex()
-	
+
 	def setUseDns(self, name, value):
 		self.__jails.getFilter(name).setUseDns(value)
-	
+
 	def getUseDns(self, name):
 		return self.__jails.getFilter(name).getUseDns()
-	
+
 	def setMaxRetry(self, name, value):
 		self.__jails.getFilter(name).setMaxRetry(value)
-	
+
 	def getMaxRetry(self, name):
 		return self.__jails.getFilter(name).getMaxRetry()
-	
+
 	# Action
 	def addAction(self, name, value):
 		self.__jails.getAction(name).addAction(value)
-	
+
 	def getLastAction(self, name):
 		return self.__jails.getAction(name).getLastAction()
-	
+
 	def delAction(self, name, value):
 		self.__jails.getAction(name).delAction(value)
-	
+
 	def setCInfo(self, name, action, key, value):
 		self.__jails.getAction(name).getAction(action).setCInfo(key, value)
-	
+
 	def getCInfo(self, name, action, key):
 		return self.__jails.getAction(name).getAction(action).getCInfo(key)
-	
+
 	def delCInfo(self, name, action, key):
 		self.__jails.getAction(name).getAction(action).delCInfo(key)
-	
+
 	def setBanTime(self, name, value):
 		self.__jails.getAction(name).setBanTime(value)
-	
+
 	def setBanIP(self, name, value):
 		return self.__jails.getFilter(name).addBannedIP(value)
-		
+
 	def setUnbanIP(self, name, value):
 		return self.__jails.getAction(name).removeBannedIP(value)
-		
+
 	def getBanTime(self, name):
 		return self.__jails.getAction(name).getBanTime()
-	
+
 	def setActionStart(self, name, action, value):
 		self.__jails.getAction(name).getAction(action).setActionStart(value)
-	
+
 	def getActionStart(self, name, action):
 		return self.__jails.getAction(name).getAction(action).getActionStart()
-		
+
 	def setActionStop(self, name, action, value):
 		self.__jails.getAction(name).getAction(action).setActionStop(value)
-	
+
 	def getActionStop(self, name, action):
 		return self.__jails.getAction(name).getAction(action).getActionStop()
-	
+
 	def setActionCheck(self, name, action, value):
 		self.__jails.getAction(name).getAction(action).setActionCheck(value)
-	
+
 	def getActionCheck(self, name, action):
 		return self.__jails.getAction(name).getAction(action).getActionCheck()
-	
+
 	def setActionBan(self, name, action, value):
 		self.__jails.getAction(name).getAction(action).setActionBan(value)
-	
+
 	def getActionBan(self, name, action):
 		return self.__jails.getAction(name).getAction(action).getActionBan()
-	
+
 	def setActionUnban(self, name, action, value):
 		self.__jails.getAction(name).getAction(action).setActionUnban(value)
-	
+
 	def getActionUnban(self, name, action):
 		return self.__jails.getAction(name).getAction(action).getActionUnban()
-		
+
 	# Status
 	def status(self):
 		try:
@@ -285,17 +291,17 @@ class Server:
 			length = len(jailList)
 			if not length == 0:
 				jailList = jailList[:length-2]
-			ret = [("Number of jail", self.__jails.size()), 
+			ret = [("Number of jail", self.__jails.size()),
 				   ("Jail list", jailList)]
 			return ret
 		finally:
 			self.__lock.release()
-	
+
 	def statusJail(self, name):
 		return self.__jails.get(name).getStatus()
-	
+
 	# Logging
-	
+
 	##
 	# Set the logging level.
 	#
@@ -306,7 +312,7 @@ class Server:
 	# 3 = INFO
 	# 4 = DEBUG
 	# @param value the level
-	
+
 	def setLogLevel(self, value):
 		try:
 			self.__loggingLock.acquire()
@@ -323,26 +329,26 @@ class Server:
 			logging.getLogger("fail2ban").setLevel(logLevel)
 		finally:
 			self.__loggingLock.release()
-	
+
 	##
 	# Get the logging level.
 	#
 	# @see setLogLevel
 	# @return the log level
-	
+
 	def getLogLevel(self):
 		try:
 			self.__loggingLock.acquire()
 			return self.__logLevel
 		finally:
 			self.__loggingLock.release()
-	
+
 	##
 	# Sets the logging target.
 	#
 	# target can be a file, SYSLOG, STDOUT or STDERR.
 	# @param target the logging target
-	
+
 	def setLogTarget(self, target):
 		try:
 			self.__loggingLock.acquire()
@@ -352,7 +358,7 @@ class Server:
 				# Syslog daemons already add date to the message.
 				formatter = logging.Formatter("%(name)-16s: %(levelname)-6s %(message)s")
 				facility = logging.handlers.SysLogHandler.LOG_DAEMON
-				hdlr = logging.handlers.SysLogHandler("/dev/log", 
+				hdlr = logging.handlers.SysLogHandler("/dev/log",
 													  facility = facility)
 			elif target == "STDOUT":
 				hdlr = logging.StreamHandler(sys.stdout)
@@ -394,21 +400,21 @@ class Server:
 			return True
 		finally:
 			self.__loggingLock.release()
-	
+
 	def getLogTarget(self):
 		try:
 			self.__loggingLock.acquire()
 			return self.__logTarget
 		finally:
 			self.__loggingLock.release()
-	
+
 	def __createDaemon(self): # pragma: no cover
 		""" Detach a process from the controlling terminal and run it in the
 			background as a daemon.
-		
+
 			http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/278731
 		"""
-	
+
 		try:
 			# Fork a child process so the parent can exit.  This will return control
 			# to the command line or shell.  This is required so that the new process
@@ -419,9 +425,9 @@ class Server:
 			pid = os.fork()
 		except OSError, e:
 			return((e.errno, e.strerror))	 # ERROR (return a tuple)
-		
+
 		if pid == 0:	   # The first child.
-	
+
 			# Next we call os.setsid() to become the session leader of this new
 			# session.  The process also becomes the process group leader of the
 			# new process group.  Since a controlling terminal is associated with a
@@ -430,11 +436,11 @@ class Server:
 			# fail, since we're guaranteed that the child is not a process group
 			# leader.
 			os.setsid()
-		
+
 			# When the first child terminates, all processes in the second child
 			# are sent a SIGHUP, so it's ignored.
 			signal.signal(signal.SIGHUP, signal.SIG_IGN)
-		
+
 			try:
 				# Fork a second child to prevent zombies.  Since the first child is
 				# a session leader without a controlling terminal, it's possible for
@@ -444,7 +450,7 @@ class Server:
 				pid = os.fork()		# Fork a second child.
 			except OSError, e:
 				return((e.errno, e.strerror))  # ERROR (return a tuple)
-		
+
 			if (pid == 0):	  # The second child.
 				# Ensure that the daemon doesn't keep any directory in use.  Failure
 				# to do this could make a filesystem unmountable.
@@ -453,7 +459,7 @@ class Server:
 				os._exit(0)	  # Exit parent (the first child) of the second child.
 		else:
 			os._exit(0)		 # Exit parent of the first child.
-		
+
 		# Close all open files.  Try the system configuration variable, SC_OPEN_MAX,
 		# for the maximum number of open files to close.  If it doesn't exist, use
 		# the default value (configurable).
@@ -461,13 +467,13 @@ class Server:
 			maxfd = os.sysconf("SC_OPEN_MAX")
 		except (AttributeError, ValueError):
 			maxfd = 256	   # default maximum
-	
+
 		for fd in range(0, maxfd):
 			try:
 				os.close(fd)
 			except OSError:   # ERROR (ignore)
 				pass
-	
+
 		# Redirect the standard file descriptors to /dev/null.
 		os.open("/dev/null", os.O_RDONLY)	# standard input (0)
 		os.open("/dev/null", os.O_RDWR)		# standard output (1)
diff --git a/server/transmitter.py b/server/transmitter.py
index deaf9adf..d84c8157 100644
--- a/server/transmitter.py
+++ b/server/transmitter.py
@@ -18,7 +18,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 # Author: Cyril Jaquier
-# 
+#
 
 __author__ = "Cyril Jaquier"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
@@ -30,21 +30,21 @@ import logging, time
 logSys = logging.getLogger("fail2ban.comm")
 
 class Transmitter:
-	
+
 	##
 	# Constructor.
 	#
 	# @param The server reference
-	
+
 	def __init__(self, server):
 		self.__server = server
-		
+
 	##
 	# Proceeds a command.
 	#
 	# Proceeds an incoming command.
 	# @param command The incoming command
-	
+
 	def proceed(self, command):
 		# Deserialize object
 		logSys.debug("Command: " + `command`)
@@ -56,12 +56,12 @@ class Transmitter:
 						% (command, e))
 			ack = 1, e
 		return ack
-	
+
 	##
 	# Handle an command.
 	#
-	# 
-	
+	#
+
 	def __commandHandler(self, command):
 		if command[0] == "ping":
 			return "pong"
@@ -97,9 +97,9 @@ class Transmitter:
 		elif command[0] == "get":
 			return self.__commandGet(command[1:])
 		elif command[0] == "status":
-			return self.status(command[1:])			
+			return self.status(command[1:])
 		raise Exception("Invalid command")
-	
+
 	def __commandSet(self, command):
 		name = command[0]
 		# Logging
@@ -152,6 +152,10 @@ class Transmitter:
 			value = command[2]
 			self.__server.addIgnoreRegex(name, value)
 			return self.__server.getIgnoreRegex(name)
+		elif command[1] == "ignorecommand":
+			value = command[2]
+			self.__server.setIgnoreCommand(name, value)
+			return self.__server.getIgnoreCommand(name)
 		elif command[1] == "delignoreregex":
 			value = int(command[2])
 			self.__server.delIgnoreRegex(name, value)
@@ -224,7 +228,7 @@ class Transmitter:
 			self.__server.setActionUnban(name, act, value)
 			return self.__server.getActionUnban(name, act)
 		raise Exception("Invalid command (no set action or not yet implemented)")
-	
+
 	def __commandGet(self, command):
 		name = command[0]
 		# Logging
@@ -272,7 +276,7 @@ class Transmitter:
 			key = command[3]
 			return self.__server.getCInfo(name, act, key)
 		raise Exception("Invalid command (no get action or not yet implemented)")
-	
+
 	def status(self, command):
 		if len(command) == 0:
 			return self.__server.status()
@@ -280,4 +284,4 @@ class Transmitter:
 			name = command[0]
 			return self.__server.statusJail(name)
 		raise Exception("Invalid command (no status)")
-	
+

From 0c7487af244e65f04f324f7328b8d89d63659624 Mon Sep 17 00:00:00 2001
From: hazg <hazg@mail.ru>
Date: Mon, 21 Oct 2013 13:06:19 +0400
Subject: [PATCH 2/7] logic fix

---
 server/filter.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/filter.py b/server/filter.py
index fc6cf5bf..3c41f9a3 100644
--- a/server/filter.py
+++ b/server/filter.py
@@ -285,7 +285,7 @@ class Filter(JailThread):
 			if self.__ignoreCommand is not False:
 				ignored_ips = os.popen(self.__ignoreCommand).read().split(" ")
 				if ip in ignored_ips:
-					continue
+					return True
 
 			s = i.split('/', 1)
 			# IP address without CIDR mask

From 6cfce7345a4453fb5b1544d4e84ac02d28716173 Mon Sep 17 00:00:00 2001
From: hazg <hazg@mail.ru>
Date: Mon, 21 Oct 2013 15:22:40 +0400
Subject: [PATCH 3/7] __commandGet fix

---
 server/transmitter.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/server/transmitter.py b/server/transmitter.py
index d84c8157..becee358 100644
--- a/server/transmitter.py
+++ b/server/transmitter.py
@@ -241,6 +241,8 @@ class Transmitter:
 			return self.__server.getLogPath(name)
 		elif command[1] == "ignoreip":
 			return self.__server.getIgnoreIP(name)
+		elif command[1] == "ignorecommand":
+			return self.__server.getIgnoreCommand(name)
 		elif command[1] == "failregex":
 			return self.__server.getFailRegex(name)
 		elif command[1] == "ignoreregex":

From 3114fed8d11365ce4b33563ff046badb2eabf3d8 Mon Sep 17 00:00:00 2001
From: hazg <hazg@mail.ru>
Date: Mon, 21 Oct 2013 15:32:34 +0400
Subject: [PATCH 4/7] fixes

---
 server/filter.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/server/filter.py b/server/filter.py
index 3c41f9a3..738bee36 100644
--- a/server/filter.py
+++ b/server/filter.py
@@ -215,15 +215,15 @@ class Filter(JailThread):
 
 	##
 	# Set external command, for ignoredips
-	# hazg@mail.ru
 	#
+
 	def setIgnoreCommand(self, command):
 		self.__ignoreCommand = command
 
 	##
 	# Get external command, for ignoredips
-	# hazg@mail.ru
 	#
+
 	def getIgnoreCommand(self):
 		return self.__ignoreCommand
 
@@ -264,11 +264,11 @@ class Filter(JailThread):
 		self.__ignoreIpList.remove(ip)
 
 	def getIgnoreIP(self):
-		#logSys.info(self.jail.opts)
 		if self.__ignoreCommand is not False:
 			return self.__ignoreIpList + os.popen(self.__ignoreCommand).read().split(" ")
 		else:
 			return self.__ignoreIpList
+
 	##
 	# Check if IP address/DNS is in the ignore list.
 	#
@@ -276,6 +276,7 @@ class Filter(JailThread):
 	# mask in the ignore list.
 	# @param ip IP address
 	# @return True if IP address is in ignore list
+
 	def inIgnoreIPList(self, ip):
 		for i in self.__ignoreIpList:
 			# An empty string is always false

From 7bbfe5c67cac6dfcd44c4028bd01e49bafbce0a8 Mon Sep 17 00:00:00 2001
From: "bes.internal" <bes.internal@gmail.com>
Date: Tue, 22 Oct 2013 18:26:47 +0300
Subject: [PATCH 5/7] Revert to upstream

---
 client/filterreader.py |  26 ++++---
 client/jailreader.py   |  29 ++++----
 common/protocol.py     |  72 +++++++++----------
 config/jail.conf       |   3 -
 server/filter.py       |  40 +++--------
 server/server.py       | 158 ++++++++++++++++++++---------------------
 server/transmitter.py  |  32 ++++-----
 7 files changed, 157 insertions(+), 203 deletions(-)

diff --git a/client/filterreader.py b/client/filterreader.py
index 0c81f083..f75190f9 100644
--- a/client/filterreader.py
+++ b/client/filterreader.py
@@ -18,7 +18,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 # Author: Cyril Jaquier
-#
+# 
 
 __author__ = "Cyril Jaquier"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
@@ -31,34 +31,32 @@ from configreader import ConfigReader
 logSys = logging.getLogger("fail2ban.client.config")
 
 class FilterReader(ConfigReader):
-
+	
 	def __init__(self, fileName, name, **kwargs):
 		ConfigReader.__init__(self, **kwargs)
 		self.__file = fileName
 		self.__name = name
-
+	
 	def setFile(self, fileName):
 		self.__file = fileName
-
+	
 	def getFile(self):
 		return self.__file
-
+	
 	def setName(self, name):
 		self.__name = name
-
+	
 	def getName(self):
 		return self.__name
-
+	
 	def read(self):
 		return ConfigReader.read(self, "filter.d/" + self.__file)
-
+	
 	def getOptions(self, pOpts):
 		opts = [["string", "ignoreregex", ""],
-				["string", "failregex", ""],
-				["string", "ignorecommand", ""]
-				]
+				["string", "failregex", ""]]
 		self.__opts = ConfigReader.getOptions(self, "Definition", opts, pOpts)
-
+	
 	def convert(self):
 		stream = list()
 		for opt in self.__opts:
@@ -71,6 +69,6 @@ class FilterReader(ConfigReader):
 				for regex in self.__opts[opt].split('\n'):
 					# Do not send a command if the rule is empty.
 					if regex != '':
-						stream.append(["set", self.__name, "addignoreregex", regex])
+						stream.append(["set", self.__name, "addignoreregex", regex])		
 		return stream
-
+		
diff --git a/client/jailreader.py b/client/jailreader.py
index 7073c0cb..7fbac423 100644
--- a/client/jailreader.py
+++ b/client/jailreader.py
@@ -18,7 +18,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 # Author: Cyril Jaquier
-#
+# 
 
 __author__ = "Cyril Jaquier"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
@@ -34,25 +34,25 @@ from actionreader import ActionReader
 logSys = logging.getLogger("fail2ban.client.config")
 
 class JailReader(ConfigReader):
-
+	
 	actionCRE = re.compile("^((?:\w|-|_|\.)+)(?:\[(.*)\])?$")
-
+	
 	def __init__(self, name, force_enable=False, **kwargs):
 		ConfigReader.__init__(self, **kwargs)
 		self.__name = name
 		self.__filter = None
 		self.__force_enable = force_enable
 		self.__actions = list()
-
+	
 	def setName(self, value):
 		self.__name = value
-
+	
 	def getName(self):
 		return self.__name
-
+	
 	def read(self):
 		return ConfigReader.read(self, "jail")
-
+	
 	def isEnabled(self):
 		return self.__force_enable or self.__opts["enabled"]
 
@@ -81,13 +81,12 @@ class JailReader(ConfigReader):
 				["int", "bantime", 600],
 				["string", "usedns", "warn"],
 				["string", "failregex", None],
-				["string", "ignorecommand", None],
 				["string", "ignoreregex", None],
 				["string", "ignoreip", None],
 				["string", "filter", ""],
 				["string", "action", ""]]
 		self.__opts = ConfigReader.getOptions(self, self.__name, opts)
-
+		
 		if self.isEnabled():
 			# Read filter
 			self.__filter = FilterReader(self.__opts["filter"], self.__name,
@@ -98,7 +97,7 @@ class JailReader(ConfigReader):
 			else:
 				logSys.error("Unable to read the filter")
 				return False
-
+			
 			# Read action
 			for act in self.__opts["action"].split('\n'):
 				try:
@@ -119,7 +118,7 @@ class JailReader(ConfigReader):
 			if not len(self.__actions):
 				logSys.warn("No actions were defined for %s" % self.__name)
 		return True
-
+	
 	def convert(self, allow_no_files=False):
 		"""Convert read before __opts to the commands stream
 
@@ -161,8 +160,6 @@ class JailReader(ConfigReader):
 				stream.append(["set", self.__name, "usedns", self.__opts[opt]])
 			elif opt == "failregex":
 				stream.append(["set", self.__name, "addfailregex", self.__opts[opt]])
-			elif opt == "ignorecommand":
-				stream.append(["set", self.__name, "ignorecommand", self.__opts[opt]])
 			elif opt == "ignoreregex":
 				for regex in self.__opts[opt].split('\n'):
 					# Do not send a command if the rule is empty.
@@ -173,7 +170,7 @@ class JailReader(ConfigReader):
 			stream.extend(action.convert())
 		stream.insert(0, ["add", self.__name, backend])
 		return stream
-
+	
 	#@staticmethod
 	def splitAction(action):
 		m = JailReader.actionCRE.match(action)
@@ -205,12 +202,12 @@ class JailReader(ConfigReader):
 						actions += "<COMMA>"
 					else:
 						actions += c
-
+			
 			# Split using ,
 			actionsSplit = actions.split(',')
 			# Replace the tag <COMMA> with ,
 			actionsSplit = [n.replace("<COMMA>", ',') for n in actionsSplit]
-
+			
 			for param in actionsSplit:
 				p = param.split('=')
 				try:
diff --git a/common/protocol.py b/common/protocol.py
index 9e5ede7a..9309ce7f 100644
--- a/common/protocol.py
+++ b/common/protocol.py
@@ -18,7 +18,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 # Author: Cyril Jaquier
-#
+# 
 
 __author__ = "Cyril Jaquier"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
@@ -31,51 +31,49 @@ import textwrap
 
 protocol = [
 ['', "BASIC", ""],
-["start", "starts the server and the jails"],
-["reload", "reloads the configuration"],
-["reload <JAIL>", "reloads the jail <JAIL>"],
-["stop", "stops all jails and terminate the server"],
-["status", "gets the current status of the server"],
-["ping", "tests if the server is alive"],
-["help", "return this output"],
+["start", "starts the server and the jails"], 
+["reload", "reloads the configuration"], 
+["reload <JAIL>", "reloads the jail <JAIL>"], 
+["stop", "stops all jails and terminate the server"], 
+["status", "gets the current status of the server"], 
+["ping", "tests if the server is alive"], 
+["help", "return this output"], 
 ['', "LOGGING", ""],
-["set loglevel <LEVEL>", "sets logging level to <LEVEL>. 0 is minimal, 4 is debug"],
-["get loglevel", "gets the logging level"],
-["set logtarget <TARGET>", "sets logging target to <TARGET>. Can be STDOUT, STDERR, SYSLOG or a file"],
-["get logtarget", "gets logging target"],
+["set loglevel <LEVEL>", "sets logging level to <LEVEL>. 0 is minimal, 4 is debug"], 
+["get loglevel", "gets the logging level"], 
+["set logtarget <TARGET>", "sets logging target to <TARGET>. Can be STDOUT, STDERR, SYSLOG or a file"], 
+["get logtarget", "gets logging target"], 
 ['', "JAIL CONTROL", ""],
-["add <JAIL> <BACKEND>", "creates <JAIL> using <BACKEND>"],
-["start <JAIL>", "starts the jail <JAIL>"],
-["stop <JAIL>", "stops the jail <JAIL>. The jail is removed"],
+["add <JAIL> <BACKEND>", "creates <JAIL> using <BACKEND>"], 
+["start <JAIL>", "starts the jail <JAIL>"], 
+["stop <JAIL>", "stops the jail <JAIL>. The jail is removed"], 
 ["status <JAIL>", "gets the current status of <JAIL>"],
 ['', "JAIL CONFIGURATION", ""],
-["set <JAIL> ignorecommand <VALUE>", "sets ignorecommand of <JAIL>"],
-["set <JAIL> idle on|off", "sets the idle state of <JAIL>"],
-["set <JAIL> addignoreip <IP>", "adds <IP> to the ignore list of <JAIL>"],
-["set <JAIL> delignoreip <IP>", "removes <IP> from the ignore list of <JAIL>"],
-["set <JAIL> addlogpath <FILE>", "adds <FILE> to the monitoring list of <JAIL>"],
+["set <JAIL> idle on|off", "sets the idle state of <JAIL>"], 
+["set <JAIL> addignoreip <IP>", "adds <IP> to the ignore list of <JAIL>"], 
+["set <JAIL> delignoreip <IP>", "removes <IP> from the ignore list of <JAIL>"], 
+["set <JAIL> addlogpath <FILE>", "adds <FILE> to the monitoring list of <JAIL>"], 
 ["set <JAIL> dellogpath <FILE>", "removes <FILE> from the monitoring list of <JAIL>"],
-["set <JAIL> addfailregex <REGEX>", "adds the regular expression <REGEX> which must match failures for <JAIL>"],
-["set <JAIL> delfailregex <INDEX>", "removes the regular expression at <INDEX> for failregex"],
+["set <JAIL> addfailregex <REGEX>", "adds the regular expression <REGEX> which must match failures for <JAIL>"], 
+["set <JAIL> delfailregex <INDEX>", "removes the regular expression at <INDEX> for failregex"], 
 ["set <JAIL> addignoreregex <REGEX>", "adds the regular expression <REGEX> which should match pattern to exclude for <JAIL>"],
-["set <JAIL> delignoreregex <INDEX>", "removes the regular expression at <INDEX> for ignoreregex"],
-["set <JAIL> findtime <TIME>", "sets the number of seconds <TIME> for which the filter will look back for <JAIL>"],
-["set <JAIL> bantime <TIME>", "sets the number of seconds <TIME> a host will be banned for <JAIL>"],
+["set <JAIL> delignoreregex <INDEX>", "removes the regular expression at <INDEX> for ignoreregex"], 
+["set <JAIL> findtime <TIME>", "sets the number of seconds <TIME> for which the filter will look back for <JAIL>"], 
+["set <JAIL> bantime <TIME>", "sets the number of seconds <TIME> a host will be banned for <JAIL>"], 
 ["set <JAIL> usedns <VALUE>", "sets the usedns mode for <JAIL>"],
-["set <JAIL> banip <IP>", "manually Ban <IP> for <JAIL>"],
-["set <JAIL> unbanip <IP>", "manually Unban <IP> in <JAIL>"],
-["set <JAIL> maxretry <RETRY>", "sets the number of failures <RETRY> before banning the host for <JAIL>"],
-["set <JAIL> addaction <ACT>", "adds a new action named <NAME> for <JAIL>"],
-["set <JAIL> delaction <ACT>", "removes the action <NAME> from <JAIL>"],
-["set <JAIL> setcinfo <ACT> <KEY> <VALUE>", "sets <VALUE> for <KEY> of the action <NAME> for <JAIL>"],
-["set <JAIL> delcinfo <ACT> <KEY>", "removes <KEY> for the action <NAME> for <JAIL>"],
-["set <JAIL> actionstart <ACT> <CMD>", "sets the start command <CMD> of the action <ACT> for <JAIL>"],
-["set <JAIL> actionstop <ACT> <CMD>", "sets the stop command <CMD> of the action <ACT> for <JAIL>"],
-["set <JAIL> actioncheck <ACT> <CMD>", "sets the check command <CMD> of the action <ACT> for <JAIL>"],
+["set <JAIL> banip <IP>", "manually Ban <IP> for <JAIL>"], 
+["set <JAIL> unbanip <IP>", "manually Unban <IP> in <JAIL>"], 
+["set <JAIL> maxretry <RETRY>", "sets the number of failures <RETRY> before banning the host for <JAIL>"], 
+["set <JAIL> addaction <ACT>", "adds a new action named <NAME> for <JAIL>"], 
+["set <JAIL> delaction <ACT>", "removes the action <NAME> from <JAIL>"], 
+["set <JAIL> setcinfo <ACT> <KEY> <VALUE>", "sets <VALUE> for <KEY> of the action <NAME> for <JAIL>"], 
+["set <JAIL> delcinfo <ACT> <KEY>", "removes <KEY> for the action <NAME> for <JAIL>"], 
+["set <JAIL> actionstart <ACT> <CMD>", "sets the start command <CMD> of the action <ACT> for <JAIL>"], 
+["set <JAIL> actionstop <ACT> <CMD>", "sets the stop command <CMD> of the action <ACT> for <JAIL>"], 
+["set <JAIL> actioncheck <ACT> <CMD>", "sets the check command <CMD> of the action <ACT> for <JAIL>"], 
 ["set <JAIL> actionban <ACT> <CMD>", "sets the ban command <CMD> of the action <ACT> for <JAIL>"],
-["set <JAIL> actionunban <ACT> <CMD>", "sets the unban command <CMD> of the action <ACT> for <JAIL>"],
+["set <JAIL> actionunban <ACT> <CMD>", "sets the unban command <CMD> of the action <ACT> for <JAIL>"], 
 ['', "JAIL INFORMATION", ""],
-["get <JAIL> ignorecommand", "gets ignorecommand of <JAIL>"],
 ["get <JAIL> logpath", "gets the list of the monitored files for <JAIL>"],
 ["get <JAIL> ignoreip", "gets the list of ignored IP addresses for <JAIL>"],
 ["get <JAIL> failregex", "gets the list of regular expressions which matches the failures for <JAIL>"],
diff --git a/config/jail.conf b/config/jail.conf
index 92bfa726..e6a89cba 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -34,9 +34,6 @@ ignoreip = 127.0.0.1/8
 # "bantime" is the number of seconds that a host is banned.
 bantime  = 600
 
-# External command with space separated output ips to ignore
-# ignorecommand = /path/to/command
-
 # A host is banned if it has generated "maxretry" during the last "findtime"
 # seconds.
 findtime  = 600
diff --git a/server/filter.py b/server/filter.py
index 738bee36..80433c01 100644
--- a/server/filter.py
+++ b/server/filter.py
@@ -21,7 +21,8 @@ __author__ = "Cyril Jaquier and Fail2Ban Contributors"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko"
 __license__ = "GPL"
 
-#import sys, os, getopt
+import sys
+
 from failmanager import FailManagerEmpty
 from failmanager import FailManager
 from ticket import FailTicket
@@ -42,7 +43,6 @@ logSys = logging.getLogger("fail2ban.filter")
 # that matches a given regular expression. This class is instantiated by
 # a Jail object.
 
-
 class Filter(JailThread):
 
 	##
@@ -67,13 +67,12 @@ class Filter(JailThread):
 		self.__findTime = 6000
 		## The ignore IP list.
 		self.__ignoreIpList = []
-		## External command
-		self.__ignoreCommand = False
 
 		self.dateDetector = DateDetector()
 		self.dateDetector.addDefaultTemplate()
 		logSys.debug("Created %s" % self)
 
+
 	def __repr__(self):
 		return "%s(%r)" % (self.__class__.__name__, self.jail)
 
@@ -92,6 +91,7 @@ class Filter(JailThread):
 			logSys.error(e)
 			raise e
 
+
 	def delFailRegex(self, index):
 		try:
 			del self.__failRegex[index]
@@ -123,7 +123,7 @@ class Filter(JailThread):
 			self.__ignoreRegex.append(regex)
 		except RegexException, e:
 			logSys.error(e)
-			raise e
+			raise e 
 
 	def delIgnoreRegex(self, index):
 		try:
@@ -209,24 +209,9 @@ class Filter(JailThread):
 	# file has been modified and looks for failures.
 	# @return True when the thread exits nicely
 
-	def run(self):  # pragma: no cover
+	def run(self): # pragma: no cover
 		raise Exception("run() is abstract")
 
-
-	##
-	# Set external command, for ignoredips
-	#
-
-	def setIgnoreCommand(self, command):
-		self.__ignoreCommand = command
-
-	##
-	# Get external command, for ignoredips
-	#
-
-	def getIgnoreCommand(self):
-		return self.__ignoreCommand
-
 	##
 	# Ban an IP - http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html
 	# Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
@@ -239,7 +224,7 @@ class Filter(JailThread):
 			self.failManager.addFailure(FailTicket(ip, unixTime))
 
 		# Perform the banning of the IP now.
-		try:  # pragma: no branch - exception is the only way out
+		try: # pragma: no branch - exception is the only way out
 			while True:
 				ticket = self.failManager.toBan()
 				self.jail.putFailTicket(ticket)
@@ -264,10 +249,7 @@ class Filter(JailThread):
 		self.__ignoreIpList.remove(ip)
 
 	def getIgnoreIP(self):
-		if self.__ignoreCommand is not False:
-			return self.__ignoreIpList + os.popen(self.__ignoreCommand).read().split(" ")
-		else:
-			return self.__ignoreIpList
+		return self.__ignoreIpList
 
 	##
 	# Check if IP address/DNS is in the ignore list.
@@ -282,12 +264,6 @@ class Filter(JailThread):
 			# An empty string is always false
 			if i == "":
 				continue
-			# External command with ips to ignore
-			if self.__ignoreCommand is not False:
-				ignored_ips = os.popen(self.__ignoreCommand).read().split(" ")
-				if ip in ignored_ips:
-					return True
-
 			s = i.split('/', 1)
 			# IP address without CIDR mask
 			if len(s) == 1:
diff --git a/server/server.py b/server/server.py
index 4653e1f2..773fdf0b 100644
--- a/server/server.py
+++ b/server/server.py
@@ -18,7 +18,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 # Author: Cyril Jaquier
-#
+# 
 
 __author__ = "Cyril Jaquier"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
@@ -36,7 +36,7 @@ import logging, logging.handlers, sys, os, signal
 logSys = logging.getLogger("fail2ban.server")
 
 class Server:
-
+	
 	def __init__(self, daemon = False):
 		self.__loggingLock = Lock()
 		self.__lock = RLock()
@@ -49,18 +49,18 @@ class Server:
 		# Set logging level
 		self.setLogLevel(3)
 		self.setLogTarget("STDOUT")
-
+	
 	def __sigTERMhandler(self, signum, frame):
 		logSys.debug("Caught signal %d. Exiting" % signum)
 		self.quit()
-
+	
 	def start(self, sock, pidfile, force = False):
 		logSys.info("Starting Fail2ban v" + version.version)
-
+		
 		# Install signal handlers
 		signal.signal(signal.SIGTERM, self.__sigTERMhandler)
 		signal.signal(signal.SIGINT, self.__sigTERMhandler)
-
+		
 		# First set the mask to only allow access to owner
 		os.umask(0077)
 		if self.__daemon: # pragma: no cover
@@ -71,7 +71,7 @@ class Server:
 			else:
 				logSys.error("Could not create daemon")
 				raise ServerInitializationError("Could not create daemon")
-
+		
 		# Creates a PID file.
 		try:
 			logSys.debug("Creating PID file %s" % pidfile)
@@ -80,7 +80,7 @@ class Server:
 			pidFile.close()
 		except IOError, e:
 			logSys.error("Unable to create PID file: %s" % e)
-
+		
 		# Start the communication
 		logSys.debug("Starting communication")
 		try:
@@ -94,7 +94,7 @@ class Server:
 		except OSError, e:
 			logSys.error("Unable to remove PID file: %s" % e)
 		logSys.info("Exiting Fail2ban")
-
+	
 	def quit(self):
 		# Stop communication first because if jail's unban action
 		# tries to communicate via fail2ban-client we get a lockup
@@ -114,13 +114,13 @@ class Server:
 		finally:
 			self.__loggingLock.release()
 
-
+	
 	def addJail(self, name, backend):
 		self.__jails.add(name, backend)
-
+		
 	def delJail(self, name):
 		self.__jails.remove(name)
-
+	
 	def startJail(self, name):
 		try:
 			self.__lock.acquire()
@@ -128,7 +128,7 @@ class Server:
 				self.__jails.get(name).start()
 		finally:
 			self.__lock.release()
-
+	
 	def stopJail(self, name):
 		logSys.debug("Stopping jail %s" % name)
 		try:
@@ -138,7 +138,7 @@ class Server:
 				self.delJail(name)
 		finally:
 			self.__lock.release()
-
+	
 	def stopAllJail(self):
 		logSys.info("Stopping all jails")
 		try:
@@ -147,140 +147,134 @@ class Server:
 				self.stopJail(jail)
 		finally:
 			self.__lock.release()
-
+	
 	def isAlive(self, name):
 		return self.__jails.get(name).isAlive()
-
+	
 	def setIdleJail(self, name, value):
 		self.__jails.get(name).setIdle(value)
 		return True
 
 	def getIdleJail(self, name):
 		return self.__jails.get(name).getIdle()
-
+	
 	# Filter
 	def addIgnoreIP(self, name, ip):
 		self.__jails.getFilter(name).addIgnoreIP(ip)
-
+	
 	def delIgnoreIP(self, name, ip):
 		self.__jails.getFilter(name).delIgnoreIP(ip)
-
+	
 	def getIgnoreIP(self, name):
 		return self.__jails.getFilter(name).getIgnoreIP()
-
+	
 	def addLogPath(self, name, fileName):
 		self.__jails.getFilter(name).addLogPath(fileName)
-
+	
 	def delLogPath(self, name, fileName):
 		self.__jails.getFilter(name).delLogPath(fileName)
-
+	
 	def getLogPath(self, name):
 		return [m.getFileName()
 				for m in self.__jails.getFilter(name).getLogPath()]
-
+	
 	def setFindTime(self, name, value):
 		self.__jails.getFilter(name).setFindTime(value)
-
+	
 	def getFindTime(self, name):
 		return self.__jails.getFilter(name).getFindTime()
 
 	def addFailRegex(self, name, value):
 		self.__jails.getFilter(name).addFailRegex(value)
-
-	def setIgnoreCommand(self, name, value):
-		self.__jails.getFilter(name).setIgnoreCommand(value)
-	def getIgnoreCommand(self, name):
-		self.__jails.getFilter(name).getIgnoreCommand()
-
-
+	
 	def delFailRegex(self, name, index):
 		self.__jails.getFilter(name).delFailRegex(index)
-
+	
 	def getFailRegex(self, name):
 		return self.__jails.getFilter(name).getFailRegex()
-
+	
 	def addIgnoreRegex(self, name, value):
 		self.__jails.getFilter(name).addIgnoreRegex(value)
-
+	
 	def delIgnoreRegex(self, name, index):
 		self.__jails.getFilter(name).delIgnoreRegex(index)
-
+	
 	def getIgnoreRegex(self, name):
 		return self.__jails.getFilter(name).getIgnoreRegex()
-
+	
 	def setUseDns(self, name, value):
 		self.__jails.getFilter(name).setUseDns(value)
-
+	
 	def getUseDns(self, name):
 		return self.__jails.getFilter(name).getUseDns()
-
+	
 	def setMaxRetry(self, name, value):
 		self.__jails.getFilter(name).setMaxRetry(value)
-
+	
 	def getMaxRetry(self, name):
 		return self.__jails.getFilter(name).getMaxRetry()
-
+	
 	# Action
 	def addAction(self, name, value):
 		self.__jails.getAction(name).addAction(value)
-
+	
 	def getLastAction(self, name):
 		return self.__jails.getAction(name).getLastAction()
-
+	
 	def delAction(self, name, value):
 		self.__jails.getAction(name).delAction(value)
-
+	
 	def setCInfo(self, name, action, key, value):
 		self.__jails.getAction(name).getAction(action).setCInfo(key, value)
-
+	
 	def getCInfo(self, name, action, key):
 		return self.__jails.getAction(name).getAction(action).getCInfo(key)
-
+	
 	def delCInfo(self, name, action, key):
 		self.__jails.getAction(name).getAction(action).delCInfo(key)
-
+	
 	def setBanTime(self, name, value):
 		self.__jails.getAction(name).setBanTime(value)
-
+	
 	def setBanIP(self, name, value):
 		return self.__jails.getFilter(name).addBannedIP(value)
-
+		
 	def setUnbanIP(self, name, value):
 		return self.__jails.getAction(name).removeBannedIP(value)
-
+		
 	def getBanTime(self, name):
 		return self.__jails.getAction(name).getBanTime()
-
+	
 	def setActionStart(self, name, action, value):
 		self.__jails.getAction(name).getAction(action).setActionStart(value)
-
+	
 	def getActionStart(self, name, action):
 		return self.__jails.getAction(name).getAction(action).getActionStart()
-
+		
 	def setActionStop(self, name, action, value):
 		self.__jails.getAction(name).getAction(action).setActionStop(value)
-
+	
 	def getActionStop(self, name, action):
 		return self.__jails.getAction(name).getAction(action).getActionStop()
-
+	
 	def setActionCheck(self, name, action, value):
 		self.__jails.getAction(name).getAction(action).setActionCheck(value)
-
+	
 	def getActionCheck(self, name, action):
 		return self.__jails.getAction(name).getAction(action).getActionCheck()
-
+	
 	def setActionBan(self, name, action, value):
 		self.__jails.getAction(name).getAction(action).setActionBan(value)
-
+	
 	def getActionBan(self, name, action):
 		return self.__jails.getAction(name).getAction(action).getActionBan()
-
+	
 	def setActionUnban(self, name, action, value):
 		self.__jails.getAction(name).getAction(action).setActionUnban(value)
-
+	
 	def getActionUnban(self, name, action):
 		return self.__jails.getAction(name).getAction(action).getActionUnban()
-
+		
 	# Status
 	def status(self):
 		try:
@@ -291,17 +285,17 @@ class Server:
 			length = len(jailList)
 			if not length == 0:
 				jailList = jailList[:length-2]
-			ret = [("Number of jail", self.__jails.size()),
+			ret = [("Number of jail", self.__jails.size()), 
 				   ("Jail list", jailList)]
 			return ret
 		finally:
 			self.__lock.release()
-
+	
 	def statusJail(self, name):
 		return self.__jails.get(name).getStatus()
-
+	
 	# Logging
-
+	
 	##
 	# Set the logging level.
 	#
@@ -312,7 +306,7 @@ class Server:
 	# 3 = INFO
 	# 4 = DEBUG
 	# @param value the level
-
+	
 	def setLogLevel(self, value):
 		try:
 			self.__loggingLock.acquire()
@@ -329,26 +323,26 @@ class Server:
 			logging.getLogger("fail2ban").setLevel(logLevel)
 		finally:
 			self.__loggingLock.release()
-
+	
 	##
 	# Get the logging level.
 	#
 	# @see setLogLevel
 	# @return the log level
-
+	
 	def getLogLevel(self):
 		try:
 			self.__loggingLock.acquire()
 			return self.__logLevel
 		finally:
 			self.__loggingLock.release()
-
+	
 	##
 	# Sets the logging target.
 	#
 	# target can be a file, SYSLOG, STDOUT or STDERR.
 	# @param target the logging target
-
+	
 	def setLogTarget(self, target):
 		try:
 			self.__loggingLock.acquire()
@@ -358,7 +352,7 @@ class Server:
 				# Syslog daemons already add date to the message.
 				formatter = logging.Formatter("%(name)-16s: %(levelname)-6s %(message)s")
 				facility = logging.handlers.SysLogHandler.LOG_DAEMON
-				hdlr = logging.handlers.SysLogHandler("/dev/log",
+				hdlr = logging.handlers.SysLogHandler("/dev/log", 
 													  facility = facility)
 			elif target == "STDOUT":
 				hdlr = logging.StreamHandler(sys.stdout)
@@ -400,21 +394,21 @@ class Server:
 			return True
 		finally:
 			self.__loggingLock.release()
-
+	
 	def getLogTarget(self):
 		try:
 			self.__loggingLock.acquire()
 			return self.__logTarget
 		finally:
 			self.__loggingLock.release()
-
+	
 	def __createDaemon(self): # pragma: no cover
 		""" Detach a process from the controlling terminal and run it in the
 			background as a daemon.
-
+		
 			http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/278731
 		"""
-
+	
 		try:
 			# Fork a child process so the parent can exit.  This will return control
 			# to the command line or shell.  This is required so that the new process
@@ -425,9 +419,9 @@ class Server:
 			pid = os.fork()
 		except OSError, e:
 			return((e.errno, e.strerror))	 # ERROR (return a tuple)
-
+		
 		if pid == 0:	   # The first child.
-
+	
 			# Next we call os.setsid() to become the session leader of this new
 			# session.  The process also becomes the process group leader of the
 			# new process group.  Since a controlling terminal is associated with a
@@ -436,11 +430,11 @@ class Server:
 			# fail, since we're guaranteed that the child is not a process group
 			# leader.
 			os.setsid()
-
+		
 			# When the first child terminates, all processes in the second child
 			# are sent a SIGHUP, so it's ignored.
 			signal.signal(signal.SIGHUP, signal.SIG_IGN)
-
+		
 			try:
 				# Fork a second child to prevent zombies.  Since the first child is
 				# a session leader without a controlling terminal, it's possible for
@@ -450,7 +444,7 @@ class Server:
 				pid = os.fork()		# Fork a second child.
 			except OSError, e:
 				return((e.errno, e.strerror))  # ERROR (return a tuple)
-
+		
 			if (pid == 0):	  # The second child.
 				# Ensure that the daemon doesn't keep any directory in use.  Failure
 				# to do this could make a filesystem unmountable.
@@ -459,7 +453,7 @@ class Server:
 				os._exit(0)	  # Exit parent (the first child) of the second child.
 		else:
 			os._exit(0)		 # Exit parent of the first child.
-
+		
 		# Close all open files.  Try the system configuration variable, SC_OPEN_MAX,
 		# for the maximum number of open files to close.  If it doesn't exist, use
 		# the default value (configurable).
@@ -467,13 +461,13 @@ class Server:
 			maxfd = os.sysconf("SC_OPEN_MAX")
 		except (AttributeError, ValueError):
 			maxfd = 256	   # default maximum
-
+	
 		for fd in range(0, maxfd):
 			try:
 				os.close(fd)
 			except OSError:   # ERROR (ignore)
 				pass
-
+	
 		# Redirect the standard file descriptors to /dev/null.
 		os.open("/dev/null", os.O_RDONLY)	# standard input (0)
 		os.open("/dev/null", os.O_RDWR)		# standard output (1)
diff --git a/server/transmitter.py b/server/transmitter.py
index becee358..deaf9adf 100644
--- a/server/transmitter.py
+++ b/server/transmitter.py
@@ -18,7 +18,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 # Author: Cyril Jaquier
-#
+# 
 
 __author__ = "Cyril Jaquier"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
@@ -30,21 +30,21 @@ import logging, time
 logSys = logging.getLogger("fail2ban.comm")
 
 class Transmitter:
-
+	
 	##
 	# Constructor.
 	#
 	# @param The server reference
-
+	
 	def __init__(self, server):
 		self.__server = server
-
+		
 	##
 	# Proceeds a command.
 	#
 	# Proceeds an incoming command.
 	# @param command The incoming command
-
+	
 	def proceed(self, command):
 		# Deserialize object
 		logSys.debug("Command: " + `command`)
@@ -56,12 +56,12 @@ class Transmitter:
 						% (command, e))
 			ack = 1, e
 		return ack
-
+	
 	##
 	# Handle an command.
 	#
-	#
-
+	# 
+	
 	def __commandHandler(self, command):
 		if command[0] == "ping":
 			return "pong"
@@ -97,9 +97,9 @@ class Transmitter:
 		elif command[0] == "get":
 			return self.__commandGet(command[1:])
 		elif command[0] == "status":
-			return self.status(command[1:])
+			return self.status(command[1:])			
 		raise Exception("Invalid command")
-
+	
 	def __commandSet(self, command):
 		name = command[0]
 		# Logging
@@ -152,10 +152,6 @@ class Transmitter:
 			value = command[2]
 			self.__server.addIgnoreRegex(name, value)
 			return self.__server.getIgnoreRegex(name)
-		elif command[1] == "ignorecommand":
-			value = command[2]
-			self.__server.setIgnoreCommand(name, value)
-			return self.__server.getIgnoreCommand(name)
 		elif command[1] == "delignoreregex":
 			value = int(command[2])
 			self.__server.delIgnoreRegex(name, value)
@@ -228,7 +224,7 @@ class Transmitter:
 			self.__server.setActionUnban(name, act, value)
 			return self.__server.getActionUnban(name, act)
 		raise Exception("Invalid command (no set action or not yet implemented)")
-
+	
 	def __commandGet(self, command):
 		name = command[0]
 		# Logging
@@ -241,8 +237,6 @@ class Transmitter:
 			return self.__server.getLogPath(name)
 		elif command[1] == "ignoreip":
 			return self.__server.getIgnoreIP(name)
-		elif command[1] == "ignorecommand":
-			return self.__server.getIgnoreCommand(name)
 		elif command[1] == "failregex":
 			return self.__server.getFailRegex(name)
 		elif command[1] == "ignoreregex":
@@ -278,7 +272,7 @@ class Transmitter:
 			key = command[3]
 			return self.__server.getCInfo(name, act, key)
 		raise Exception("Invalid command (no get action or not yet implemented)")
-
+	
 	def status(self, command):
 		if len(command) == 0:
 			return self.__server.status()
@@ -286,4 +280,4 @@ class Transmitter:
 			name = command[0]
 			return self.__server.statusJail(name)
 		raise Exception("Invalid command (no status)")
-
+	

From ebd89ec077ada1c70580b445ca613dc460c1583c Mon Sep 17 00:00:00 2001
From: "bes.internal" <bes.internal@gmail.com>
Date: Mon, 21 Oct 2013 16:15:13 +0300
Subject: [PATCH 6/7] New ignorecommand that is added to the ignoreip list from
 output of an external program

ignorecommand update man and fix protocol help

ENH: run ignore command only after internal list has been examined. Change interface on ignorecommand to take IP as environment variable and return true if it is to be banned

ENH: ignore IP command to take tagged command

DOC: man pages for ingorecommand

TST: add test cases for ignorecommand
---
 client/filterreader.py           |  4 +++-
 client/jailreader.py             |  3 +++
 common/protocol.py               |  2 ++
 config/jail.conf                 |  5 +++++
 man/fail2ban-client.1            |  6 ++++++
 man/jail.conf.5                  |  5 +++++
 server/filter.py                 | 25 ++++++++++++++++++++++++-
 server/server.py                 |  6 ++++++
 server/transmitter.py            |  6 ++++++
 testcases/files/ignorecommand.py |  5 +++++
 testcases/filtertestcase.py      |  6 +++++-
 11 files changed, 70 insertions(+), 3 deletions(-)
 create mode 100755 testcases/files/ignorecommand.py

diff --git a/client/filterreader.py b/client/filterreader.py
index f75190f9..20af1533 100644
--- a/client/filterreader.py
+++ b/client/filterreader.py
@@ -54,7 +54,9 @@ class FilterReader(ConfigReader):
 	
 	def getOptions(self, pOpts):
 		opts = [["string", "ignoreregex", ""],
-				["string", "failregex", ""]]
+				["string", "failregex", ""],
+				["string", "ignorecommand", ""]
+				]
 		self.__opts = ConfigReader.getOptions(self, "Definition", opts, pOpts)
 	
 	def convert(self):
diff --git a/client/jailreader.py b/client/jailreader.py
index 6f78275b..fb92d806 100644
--- a/client/jailreader.py
+++ b/client/jailreader.py
@@ -80,6 +80,7 @@ class JailReader(ConfigReader):
 				["string", "usedns", "warn"],
 				["string", "failregex", None],
 				["string", "ignoreregex", None],
+				["string", "ignorecommand", None],
 				["string", "ignoreip", None],
 				["string", "filter", ""],
 				["string", "action", ""]]
@@ -164,6 +165,8 @@ class JailReader(ConfigReader):
 				stream.append(["set", self.__name, "usedns", self.__opts[opt]])
 			elif opt == "failregex":
 				stream.append(["set", self.__name, "addfailregex", self.__opts[opt]])
+			elif opt == "ignorecommand":
+				stream.append(["set", self.__name, "ignorecommand", self.__opts[opt]])
 			elif opt == "ignoreregex":
 				for regex in self.__opts[opt].split('\n'):
 					# Do not send a command if the rule is empty.
diff --git a/common/protocol.py b/common/protocol.py
index 278ccd53..b3055124 100644
--- a/common/protocol.py
+++ b/common/protocol.py
@@ -57,6 +57,7 @@ protocol = [
 ["set <JAIL> dellogpath <FILE>", "removes <FILE> from the monitoring list of <JAIL>"],
 ["set <JAIL> addfailregex <REGEX>", "adds the regular expression <REGEX> which must match failures for <JAIL>"], 
 ["set <JAIL> delfailregex <INDEX>", "removes the regular expression at <INDEX> for failregex"], 
+["set <JAIL> ignorecommand <VALUE>", "sets ignorecommand of <JAIL>"],
 ["set <JAIL> addignoreregex <REGEX>", "adds the regular expression <REGEX> which should match pattern to exclude for <JAIL>"],
 ["set <JAIL> delignoreregex <INDEX>", "removes the regular expression at <INDEX> for ignoreregex"], 
 ["set <JAIL> findtime <TIME>", "sets the number of seconds <TIME> for which the filter will look back for <JAIL>"], 
@@ -77,6 +78,7 @@ protocol = [
 ['', "JAIL INFORMATION", ""],
 ["get <JAIL> logpath", "gets the list of the monitored files for <JAIL>"],
 ["get <JAIL> ignoreip", "gets the list of ignored IP addresses for <JAIL>"],
+["get <JAIL> ignorecommand", "gets ignorecommand of <JAIL>"],
 ["get <JAIL> failregex", "gets the list of regular expressions which matches the failures for <JAIL>"],
 ["get <JAIL> ignoreregex", "gets the list of regular expressions which matches patterns to ignore for <JAIL>"],
 ["get <JAIL> findtime", "gets the time for which the filter will look back for failures for <JAIL>"],
diff --git a/config/jail.conf b/config/jail.conf
index 3b8220e5..1de88793 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -31,6 +31,11 @@
 # defined using space separator.
 ignoreip = 127.0.0.1/8
 
+# External command that will take an tagged arguments to ignore, e.g. <ip>,
+# and return true if the IP is to be ignored. False otherwise.
+#
+# ignorecommand = /path/to/command <ip>
+
 # "bantime" is the number of seconds that a host is banned.
 bantime  = 600
 
diff --git a/man/fail2ban-client.1 b/man/fail2ban-client.1
index c5ccb803..62ae0edd 100644
--- a/man/fail2ban-client.1
+++ b/man/fail2ban-client.1
@@ -128,6 +128,9 @@ for <JAIL>
 removes the regular expression at
 <INDEX> for failregex
 .TP
+\fBset <JAIL> ignorecommand <VALUE>\fR
+sets ignorecommand of <JAIL>
+.TP
 \fBset <JAIL> addignoreregex <REGEX>\fR
 adds the regular expression
 <REGEX> which should match pattern
@@ -206,6 +209,9 @@ files for <JAIL>
 gets the list of ignored IP
 addresses for <JAIL>
 .TP
+\fBget <JAIL> ignorecommand\fR
+gets ignorecommand of <JAIL>
+.TP
 \fBget <JAIL> failregex\fR
 gets the list of regular
 expressions which matches the
diff --git a/man/jail.conf.5 b/man/jail.conf.5
index 6c114c56..4d964341 100644
--- a/man/jail.conf.5
+++ b/man/jail.conf.5
@@ -70,6 +70,11 @@ The following options are applicable to all jails. Their meaning is described in
 \fBaction\fR 
 .TP
 \fBignoreip\fR 
+A space separated list of IPs not to ban.
+.TP
+\fBignorecommand\fR
+A command that is executed to determine if the current ban's actionban is to be executed. This command will return true if the current ban should be ignored. A false return value will result in the ban's actionban executed.
+Like ACTION FILES, tags like <ip> are can be included in the ignore command value and will be substitued before execution. Currently only <ip> is supported however more will be added later.
 .TP
 \fBbantime\fR
 .TP
diff --git a/server/filter.py b/server/filter.py
index b92289ef..840c5316 100644
--- a/server/filter.py
+++ b/server/filter.py
@@ -30,8 +30,9 @@ from jailthread import JailThread
 from datedetector import DateDetector
 from mytime import MyTime
 from failregex import FailRegex, Regex, RegexException
+from action import Action
 
-import logging, re, os, fcntl, time
+import logging, re, os, fcntl, time, shlex, subprocess
 
 # Gets the instance of the logger.
 logSys = logging.getLogger("fail2ban.filter")
@@ -67,6 +68,8 @@ class Filter(JailThread):
 		self.__findTime = 6000
 		## The ignore IP list.
 		self.__ignoreIpList = []
+		## External command
+		self.__ignoreCommand = False
 
 		self.dateDetector = DateDetector()
 		self.dateDetector.addDefaultTemplate()
@@ -212,6 +215,20 @@ class Filter(JailThread):
 	def run(self): # pragma: no cover
 		raise Exception("run() is abstract")
 
+	##
+	# Set external command, for ignoredips
+	#
+
+	def setIgnoreCommand(self, command):
+		self.__ignoreCommand = command
+
+	##
+	# Get external command, for ignoredips
+	#
+
+	def getIgnoreCommand(self):
+		return self.__ignoreCommand
+
 	##
 	# Ban an IP - http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html
 	# Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
@@ -284,6 +301,12 @@ class Filter(JailThread):
 					continue
 			if a == b:
 				return True
+
+		if self.__ignoreCommand:
+			command = Action.replaceTag(self.__ignoreCommand, { 'ip': ip } )
+			logSys.debug('ignore command: ' + command)
+			return Action.executeCmd(command)
+
 		return False
 
 
diff --git a/server/server.py b/server/server.py
index 736e9e10..cdaba070 100644
--- a/server/server.py
+++ b/server/server.py
@@ -184,6 +184,12 @@ class Server:
 	def getFindTime(self, name):
 		return self.__jails.getFilter(name).getFindTime()
 
+	def setIgnoreCommand(self, name, value):
+		self.__jails.getFilter(name).setIgnoreCommand(value)
+
+	def getIgnoreCommand(self, name):
+		return self.__jails.getFilter(name).getIgnoreCommand()
+
 	def addFailRegex(self, name, value):
 		self.__jails.getFilter(name).addFailRegex(value)
 	
diff --git a/server/transmitter.py b/server/transmitter.py
index cf65dada..e1dd6d58 100644
--- a/server/transmitter.py
+++ b/server/transmitter.py
@@ -142,6 +142,10 @@ class Transmitter:
 			value = command[2]
 			self.__server.delLogPath(name, value)
 			return self.__server.getLogPath(name)
+		elif command[1] == "ignorecommand":
+			value = command[2]
+			self.__server.setIgnoreCommand(name, value)
+			return self.__server.getIgnoreCommand(name)
 		elif command[1] == "addfailregex":
 			value = command[2]
 			self.__server.addFailRegex(name, value)
@@ -239,6 +243,8 @@ class Transmitter:
 			return self.__server.getLogPath(name)
 		elif command[1] == "ignoreip":
 			return self.__server.getIgnoreIP(name)
+		elif command[1] == "ignorecommand":
+			return self.__server.getIgnoreCommand(name)
 		elif command[1] == "failregex":
 			return self.__server.getFailRegex(name)
 		elif command[1] == "ignoreregex":
diff --git a/testcases/files/ignorecommand.py b/testcases/files/ignorecommand.py
new file mode 100755
index 00000000..dd6b5aab
--- /dev/null
+++ b/testcases/files/ignorecommand.py
@@ -0,0 +1,5 @@
+#!/usr/bin/python
+import sys
+if sys.argv[1] == "10.0.0.1":
+	exit(0)
+exit(1)
diff --git a/testcases/filtertestcase.py b/testcases/filtertestcase.py
index 90f0f28a..30397d67 100644
--- a/testcases/filtertestcase.py
+++ b/testcases/filtertestcase.py
@@ -171,7 +171,6 @@ class IgnoreIP(LogCaptureTestCase):
 		ipList = "127.0.0.1", "192.168.0.1", "255.255.255.255", "99.99.99.99"
 		for ip in ipList:
 			self.filter.addIgnoreIP(ip)
-
 			self.assertTrue(self.filter.inIgnoreIPList(ip))
 
 	def testIgnoreIPNOK(self):
@@ -201,6 +200,11 @@ class IgnoreIP(LogCaptureTestCase):
 		self.assertFalse(self._is_logged('Ignore 192.168.1.32'))
 		self.assertTrue(self._is_logged('Requested to manually ban an ignored IP 192.168.1.32. User knows best. Proceeding to ban it.'))
 
+	def testIgnoreCommand(self):
+		self.filter.setIgnoreCommand("testcases/files/ignorecommand.py <ip>")
+		self.assertTrue(self.filter.inIgnoreIPList("10.0.0.1"))
+		self.assertFalse(self.filter.inIgnoreIPList("10.0.0.0"))
+
 
 class IgnoreIPDNS(IgnoreIP):
 

From 55d76ac373c8cc0117cbea11557d5aaea0bad4ee Mon Sep 17 00:00:00 2001
From: "bes.internal" <bes.internal@gmail.com>
Date: Wed, 25 Dec 2013 00:58:00 +0300
Subject: [PATCH 7/7] TST: add test for IgnoreCommand at server

---
 testcases/servertestcase.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/testcases/servertestcase.py b/testcases/servertestcase.py
index e6137d2f..9a4dff11 100644
--- a/testcases/servertestcase.py
+++ b/testcases/servertestcase.py
@@ -337,6 +337,9 @@ class Transmitter(TransmitterBase):
 			self.transm.proceed(["set", self.jailName, "delignoreip", value]),
 			(0, [value]))
 
+	def testJailIgnoreCommand(self):
+		self.setGetTest("ignorecommand", "bin ", jail=self.jailName)
+
 	def testJailRegex(self):
 		self.jailAddDelRegexTest("failregex",
 			[