action.d/*-ipset.conf: work around sporadic failures on stop when the ipset is destroyed too fast (sleep a bit in the error case and retry);
closes gh-3624
parent
0bf1106d72
commit
eb4731d8b1
@ -39,7 +39,7 @@ actionstart = ipset -exist create <ipmset> <ipsettype> timeout <default-ipsettim
actionflush = ipset flush <ipmset>
actionstop = ipset destroy <ipmset>
actionstop = ipset destroy <ipmset> 2>/dev/null || { sleep 1; ipset destroy <ipmset>; }
actionban = ipset -exist add <ipmset> <ip> timeout <ipsettime>
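Review bot: The new `actionstop` line discards the first attempt's stderr and retries exactly once after a fixed second, so a destroy that fails for a persistent reason (the set still referenced by a live rule, a renamed set) surfaces only the second error and costs every stop an extra second; that is a fair trade for a race workaround, but the line reads as arbitrary without saying so. I would add above it `# destroy can fail sporadically when it runs too soon after the set's last use (gh-3624); retry once after a short delay`, taking the cause from the commit message since nothing in the hunk shows it. It is also worth stating that when both attempts fail the action's exit status is that of the second `ipset destroy`, which is the intended failure signal. This hunk shows only the `actionstop` line, so whether the rules referencing the set are removed earlier in this file is not visible here.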
@ -39,7 +39,7 @@ actionflush = ipset flush <ipmset>
#
actionstop = <_ipt_del_rules>
<actionflush>
ipset destroy <ipmset>
ipset destroy <ipmset> 2>/dev/null || { sleep 1; ipset destroy <ipmset>; }
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
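Review bot: The retry on the `ipset destroy` line covers only the timing race, not a failed `<_ipt_del_rules>` two lines above it: if the `-D` of the referencing rule fails and execution continues, both destroys fail, the one-second sleep is paid for nothing, and because the first attempt's stderr is discarded only the second message is logged. A comment would keep the next reader from widening this into an unbounded loop: `# retry once: destroy can fail right after the referencing rule is removed (gh-3624); a persistent failure still reports the second attempt's error`. Since `<actionflush>` runs before the destroy, a set left behind after both attempts holds no entries, so no bans linger in the failure case. The multi-line `actionstop` definition begins inside the hunk at `actionstop = <_ipt_del_rules>`, but this file's `actionstart` is outside it, so whether a leftover set is tolerated on the next start (`-exist create`) cannot be confirmed from here.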
@ -1596,10 +1596,10 @@ class ServerConfigReaderTests(LogCaptureTestCase):
'stop': (
"`iptables -w -D INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable`",
"`ipset flush f2b-j-w-iptables-ipset`",
"`ipset destroy f2b-j-w-iptables-ipset`",
"`ipset destroy f2b-j-w-iptables-ipset 2>/dev/null || { sleep 1; ipset destroy f2b-j-w-iptables-ipset; }`",
"`ip6tables -w -D INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`",
"`ipset flush f2b-j-w-iptables-ipset6`",
"`ipset destroy f2b-j-w-iptables-ipset6`",
"`ipset destroy f2b-j-w-iptables-ipset6 2>/dev/null || { sleep 1; ipset destroy f2b-j-w-iptables-ipset6; }`",
),
'ip4-check': (
r"""`iptables -w -C INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable`""",
@ -1645,10 +1645,10 @@ class ServerConfigReaderTests(LogCaptureTestCase):
'stop': (
"`iptables -w -D INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`",
"`ipset flush f2b-j-w-iptables-ipset-ap`",
"`ipset destroy f2b-j-w-iptables-ipset-ap`",
"`ipset destroy f2b-j-w-iptables-ipset-ap 2>/dev/null || { sleep 1; ipset destroy f2b-j-w-iptables-ipset-ap; }`",
"`ip6tables -w -D INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`",
"`ipset flush f2b-j-w-iptables-ipset-ap6`",
"`ipset destroy f2b-j-w-iptables-ipset-ap6`",
"`ipset destroy f2b-j-w-iptables-ipset-ap6 2>/dev/null || { sleep 1; ipset destroy f2b-j-w-iptables-ipset-ap6; }`",
),
'ip4-check': (
r"""`iptables -w -C INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`""",
@ -1976,10 +1976,10 @@ class ServerConfigReaderTests(LogCaptureTestCase):
'stop': (
"`firewall-cmd --direct --remove-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports http -m set --match-set f2b-j-w-fwcmd-ipset src -j REJECT --reject-with icmp-port-unreachable`",
"`ipset flush f2b-j-w-fwcmd-ipset`",
"`ipset destroy f2b-j-w-fwcmd-ipset`",
"`ipset destroy f2b-j-w-fwcmd-ipset 2>/dev/null || { sleep 1; ipset destroy f2b-j-w-fwcmd-ipset; }`",
"`firewall-cmd --direct --remove-rule ipv6 filter INPUT_direct 0 -p tcp -m multiport --dports http -m set --match-set f2b-j-w-fwcmd-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`",
"`ipset flush f2b-j-w-fwcmd-ipset6`",
"`ipset destroy f2b-j-w-fwcmd-ipset6`",
"`ipset destroy f2b-j-w-fwcmd-ipset6 2>/dev/null || { sleep 1; ipset destroy f2b-j-w-fwcmd-ipset6; }`",
),
'ip4-ban': (
r"`ipset -exist add f2b-j-w-fwcmd-ipset 192.0.2.1 timeout 0`",
@ -2012,10 +2012,10 @@ class ServerConfigReaderTests(LogCaptureTestCase):
'stop': (
"`firewall-cmd --direct --remove-rule ipv4 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`",
"`ipset flush f2b-j-w-fwcmd-ipset-ap`",
"`ipset destroy f2b-j-w-fwcmd-ipset-ap`",
"`ipset destroy f2b-j-w-fwcmd-ipset-ap 2>/dev/null || { sleep 1; ipset destroy f2b-j-w-fwcmd-ipset-ap; }`",
"`firewall-cmd --direct --remove-rule ipv6 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`",
"`ipset flush f2b-j-w-fwcmd-ipset-ap6`",
"`ipset destroy f2b-j-w-fwcmd-ipset-ap6`",
"`ipset destroy f2b-j-w-fwcmd-ipset-ap6 2>/dev/null || { sleep 1; ipset destroy f2b-j-w-fwcmd-ipset-ap6; }`",
),
'ip4-ban': (
r"`ipset -exist add f2b-j-w-fwcmd-ipset-ap 192.0.2.1 timeout 0`",