From f84e58e769f93ce3a6491b311023018daace0d80 Mon Sep 17 00:00:00 2001
From: Jacques Distler
Date: Thu, 17 Aug 2017 09:13:32 -0500
Subject: [PATCH] Tweaks to action.d/pf.conf

Document recent changes. Add an option to customize the pf block rule (surely, what the user really wants, here, is "block quick").
---
 config/action.d/pf.conf | 18 +++++++++++++++++-
 fail2ban/tests/servertestcase.py | 6 +++---
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/config/action.d/pf.conf b/config/action.d/pf.conf
index 943f016a..c70c8e43 100644
--- a/config/action.d/pf.conf
+++ b/config/action.d/pf.conf
@@ -15,8 +15,17 @@
 #
 # we don't enable PF automatically; to enable run pfctl -e
 # or add `pf_enable="YES"` to /etc/rc.conf (tested on FreeBSD)
+# also, these rulesets are loaded into (nested) anchors
+# to enable them, add
+# anchor f2b {
+# name1
+# name2
+# ...
+# }
+# to your main pf ruleset, where "namei" are the names of the jails
+# which invoke this action
 actionstart = echo "table <-> persist counters" | -f-
- echo "block proto from <-> to " | -f-
+ echo " proto from <-> to " | -f-
 # Option: start_on_demand - to start action on demand
 # Example: `action=pf[actionstart_on_demand=true]`
@@ -75,6 +84,12 @@ pfctl = pfctl -a f2b/
 # tablename = f2b
+# Option: block
+#
+# The action you want pf to take.
+# Probably, you want "block quick", but adjust as needed.
+block = block quick
+
 # Option: protocol
 # Notes.: internally used by config reader for interpolations.
 # Values: [ tcp | udp | icmp | ipv6-icmp ] Default: tcp
@@ -96,3 +111,4 @@ allports = any
 # Notes.: addition to block access only to specific ports
 # Usage.: use in jail config: "banaction = pf[actiontype=]"
 multiport = any port
+
diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py
index 0b454ae4..0b888407 100644
--- a/fail2ban/tests/servertestcase.py
+++ b/fail2ban/tests/servertestcase.py
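Review bot: The new anchor comment in the first hunk never says what happens when the anchor is not referenced from the main ruleset, which is the failure mode an operator actually hits: pfctl loads the rules into f2b/&lt;jail&gt; without error, but pf never evaluates them, so bans appear to succeed and block nothing. I would add a line such as `# NOTE: until the anchor is referenced from the main ruleset, rules loaded here are never evaluated and bans have no effect` right after the `# which invoke this action` line. It may also be worth mentioning that pf accepts a wildcard nested anchor (`anchor "f2b/*"`) so that each jail name need not be listed by hand; please confirm against the pf.conf(5) of the targeted platforms before documenting it.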
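Review bot: The `block` option added in the second hunk does not follow the `# Notes.:` / `# Values:` / `Default:` layout used by the neighbouring `protocol` option, and it omits the one fact a user needs to choose a value: the string is spliced verbatim into the rule, and in pf the last matching rule wins unless it carries `quick`, so plain `block` can be overridden by a later `pass` rule and the ban silently does nothing. I would replace the two descriptive lines with `# Notes.: inserted verbatim as the action of the generated rule; "block quick" makes the ban final even if a later pass rule matches` and `# Values: STRING Default: block quick`.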
@@ -1504,7 +1504,7 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 'ip4': (), 'ip6': (),
 'start': (
 '`echo "table persist counters" | pfctl -a f2b/j-w-pf -f-`',
- '`echo "block proto tcp from to any port " | pfctl -a f2b/j-w-pf -f-`',
+ '`echo "block quick proto tcp from to any port " | pfctl -a f2b/j-w-pf -f-`',
 ),
 'stop': (
 '`pfctl -a f2b/j-w-pf -sr 2>/dev/null | grep -v f2b-j-w-pf | pfctl -a f2b/j-w-pf -f-`',
@@ -1523,7 +1523,7 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 'ip4': (), 'ip6': (),
 'start': (
 '`echo "table persist counters" | pfctl -a f2b/j-w-pf-mp -f-`',
- '`echo "block proto tcp from to any port http" | pfctl -a f2b/j-w-pf-mp -f-`',
+ '`echo "block quick proto tcp from to any port http" | pfctl -a f2b/j-w-pf-mp -f-`',
 ),
 'stop': (
 '`pfctl -a f2b/j-w-pf-mp -sr 2>/dev/null | grep -v f2b-j-w-pf-mp | pfctl -a f2b/j-w-pf-mp -f-`',
@@ -1542,7 +1542,7 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 'ip4': (), 'ip6': (),
 'ip4-start': (
 '`echo "table persist counters" | pfctl -a f2b/j-w-pf-ap -f-`',
- '`echo "block proto tcp from to any" | pfctl -a f2b/j-w-pf-ap -f-`',
+ '`echo "block quick proto tcp from to any" | pfctl -a f2b/j-w-pf-ap -f-`',
 ),
 'ip6-start': (), # the same as ipv4
 'stop': (
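Review bot: All three test hunks (the j-w-pf, j-w-pf-mp and j-w-pf-ap expectations) only re-pin the new default, so nothing verifies that the `block` option introduced in pf.conf is actually interpolated rather than the literal text `block quick` being hard-coded in actionstart. I would add one jail variant that overrides the option (for example `pf[block=block]`) and expect `'`echo "block proto tcp from to any" | pfctl -a f2b/<jail> -f-`'` in its start commands, so a later regression in the `<block>` placeholder is caught. The enclosing test method and its expectation table begin and end outside these hunks, so the exact place to add the variant is not visible here.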