[packages/fail2ban] - added ipv6 support based on https://github.com/fail2ban/fail2ban/pull/88

baggins baggins at pld-linux.org
Mon Jan 6 21:03:15 CET 2014


commit 896749cfb4183d7576c079733ca78ef778c1d47a
Author: Jan Rękorajski <baggins at pld-linux.org>
Date:   Mon Jan 6 18:49:39 2014 +0100

    - added ipv6 support based on https://github.com/fail2ban/fail2ban/pull/88

 fail2ban.spec |   4 +-
 ipv6.patch    | 634 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 637 insertions(+), 1 deletion(-)
---
diff --git a/fail2ban.spec b/fail2ban.spec
index de60bf9..93d6c7f 100644
--- a/fail2ban.spec
+++ b/fail2ban.spec
@@ -2,13 +2,14 @@ Summary:	Ban IPs that make too many password failures
 Summary(pl.UTF-8):	Blokowanie IP powodujących zbyt dużo prób logowań z błędnym hasłem
 Name:		fail2ban
 Version:	0.8.11
-Release:	2
+Release:	2.3
 License:	GPL
 Group:		Daemons
 Source0:	http://download.sourceforge.net/fail2ban/%{name}-%{version}.tar.gz
 # Source0-md5:	2182a21c7efd885f373ffc941d11914d
 Source1:	%{name}.init
 Source2:	%{name}.tmpfiles
+Patch0:		ipv6.patch
 URL:		http://fail2ban.sourceforge.net/
 BuildRequires:	python-devel
 BuildRequires:	python-modules
@@ -35,6 +36,7 @@ z sshd czy plikami logów serwera WWW Apache.
 
 %prep
 %setup -q
+%patch0 -p1
 rm setup.cfg
 
 %build
diff --git a/ipv6.patch b/ipv6.patch
new file mode 100644
index 0000000..1abc27e
--- /dev/null
+++ b/ipv6.patch
@@ -0,0 +1,634 @@
+diff -urN fail2ban-0.8.11.orig/config/action.d/iptables-allports.conf fail2ban-0.8.11/config/action.d/iptables-allports.conf
+--- fail2ban-0.8.11.orig/config/action.d/iptables-allports.conf	2013-11-12 22:06:54.000000000 +0100
++++ fail2ban-0.8.11/config/action.d/iptables-allports.conf	2014-01-06 11:20:42.599243574 +0100
+@@ -2,7 +2,8 @@
+ #
+ # Author: Cyril Jaquier
+ # Modified: Yaroslav O. Halchenko <debian at onerussian.com>
+-# 			made active on all ports from original iptables.conf
++# 			made active on all ports from original fail2ban-iptables.conf
++# Modified by Paul J aka Thanat0s for ipv6 support
+ #
+ #
+ 
+@@ -17,23 +18,23 @@
+ # Notes.:  command executed once at the start of Fail2Ban.
+ # Values:  CMD
+ #
+-actionstart = iptables -N fail2ban-<name>
+-              iptables -A fail2ban-<name> -j RETURN
+-              iptables -I <chain> -p <protocol> -j fail2ban-<name>
++actionstart = fail2ban-iptables -N fail2ban-<name>
++              fail2ban-iptables -A fail2ban-<name> -j RETURN
++              fail2ban-iptables -I <chain> -p <protocol> -j fail2ban-<name>
+ 
+ # Option:  actionstop
+ # Notes.:  command executed once at the end of Fail2Ban
+ # Values:  CMD
+ #
+-actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
+-             iptables -F fail2ban-<name>
+-             iptables -X fail2ban-<name>
++actionstop = fail2ban-iptables -D <chain> -p <protocol> -j fail2ban-<name>
++             fail2ban-iptables -F fail2ban-<name>
++             fail2ban-iptables -X fail2ban-<name>
+ 
+ # Option:  actioncheck
+ # Notes.:  command executed once before each actionban command
+ # Values:  CMD
+ #
+-actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
++actioncheck = fail2ban-iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
+ 
+ # Option:  actionban
+ # Notes.:  command executed when banning an IP. Take care that the
+@@ -41,7 +42,7 @@
+ # Tags:    See jail.conf(5) man page
+ # Values:  CMD
+ #
+-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
++actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
+ 
+ # Option:  actionunban
+ # Notes.:  command executed when unbanning an IP. Take care that the
+@@ -49,7 +50,7 @@
+ # Tags:    See jail.conf(5) man page
+ # Values:  CMD
+ #
+-actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
++actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j <blocktype>
+ 
+ [Init]
+ 
+@@ -64,7 +65,7 @@
+ protocol = tcp
+ 
+ # Option:  chain
+-# Notes    specifies the iptables chain to which the fail2ban rules should be
++# Notes    specifies the fail2ban-iptables chain to which the fail2ban rules should be
+ #          added
+ # Values:  STRING  Default: INPUT
+ chain = INPUT
+diff -urN fail2ban-0.8.11.orig/config/action.d/iptables-blocktype.conf fail2ban-0.8.11/config/action.d/iptables-blocktype.conf
+--- fail2ban-0.8.11.orig/config/action.d/iptables-blocktype.conf	2013-11-12 22:06:54.000000000 +0100
++++ fail2ban-0.8.11/config/action.d/iptables-blocktype.conf	2014-01-06 15:50:20.525793123 +0100
+@@ -18,5 +18,5 @@
+ #          as per the iptables man page (section 8). Common values are DROP
+ #          REJECT, REJECT --reject-with icmp-port-unreachable
+ # Values:  STRING
+-blocktype = REJECT --reject-with icmp-port-unreachable
++blocktype = REJECT
+ 
+diff -urN fail2ban-0.8.11.orig/config/action.d/iptables.conf fail2ban-0.8.11/config/action.d/iptables.conf
+--- fail2ban-0.8.11.orig/config/action.d/iptables.conf	2013-11-12 22:06:54.000000000 +0100
++++ fail2ban-0.8.11/config/action.d/iptables.conf	2014-01-06 11:29:00.235906639 +0100
+@@ -1,6 +1,7 @@
+ # Fail2Ban configuration file
+ #
+ # Author: Cyril Jaquier
++# Modified by Paul J aka Thanat0s for ipv6 support
+ #
+ #
+ 
+@@ -14,23 +15,23 @@
+ # Notes.:  command executed once at the start of Fail2Ban.
+ # Values:  CMD
+ #
+-actionstart = iptables -N fail2ban-<name>
+-              iptables -A fail2ban-<name> -j RETURN
+-              iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
++actionstart = fail2ban-iptables -N fail2ban-<name>
++              fail2ban-iptables -A fail2ban-<name> -j RETURN
++              fail2ban-iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
+ 
+ # Option:  actionstop
+ # Notes.:  command executed once at the end of Fail2Ban
+ # Values:  CMD
+ #
+-actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
+-             iptables -F fail2ban-<name>
+-             iptables -X fail2ban-<name>
++actionstop = fail2ban-iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
++             fail2ban-iptables -F fail2ban-<name>
++             fail2ban-iptables -X fail2ban-<name>
+ 
+ # Option:  actioncheck
+ # Notes.:  command executed once before each actionban command
+ # Values:  CMD
+ #
+-actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
++actioncheck = fail2ban-iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
+ 
+ # Option:  actionban
+ # Notes.:  command executed when banning an IP. Take care that the
+@@ -38,7 +39,7 @@
+ # Tags:    See jail.conf(5) man page
+ # Values:  CMD
+ #
+-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
++actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
+ 
+ # Option:  actionunban
+ # Notes.:  command executed when unbanning an IP. Take care that the
+@@ -46,7 +47,7 @@
+ # Tags:    See jail.conf(5) man page
+ # Values:  CMD
+ #
+-actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
++actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j <blocktype>
+ 
+ [Init]
+ 
+@@ -67,7 +68,7 @@
+ protocol = tcp
+ 
+ # Option:  chain
+-# Notes    specifies the iptables chain to which the fail2ban rules should be
++# Notes    specifies the fail2ban-iptables chain to which the fail2ban rules should be
+ #          added
+ # Values:  STRING  Default: INPUT
+ chain = INPUT
+diff -urN fail2ban-0.8.11.orig/config/action.d/iptables-ipset-proto4.conf fail2ban-0.8.11/config/action.d/iptables-ipset-proto4.conf
+--- fail2ban-0.8.11.orig/config/action.d/iptables-ipset-proto4.conf	2013-11-12 22:06:54.000000000 +0100
++++ fail2ban-0.8.11/config/action.d/iptables-ipset-proto4.conf	2014-01-06 11:38:22.515902568 +0100
+@@ -28,13 +28,13 @@
+ # Values:  CMD
+ #
+ actionstart = ipset --create fail2ban-<name> iphash
+-              iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
++              fail2ban-iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
+ 
+ # Option:  actionstop
+ # Notes.:  command executed once at the end of Fail2Ban
+ # Values:  CMD
+ #
+-actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
++actionstop = fail2ban-iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
+              ipset --flush fail2ban-<name>
+              ipset --destroy fail2ban-<name>
+ 
+diff -urN fail2ban-0.8.11.orig/config/action.d/iptables-ipset-proto6-allports.conf fail2ban-0.8.11/config/action.d/iptables-ipset-proto6-allports.conf
+--- fail2ban-0.8.11.orig/config/action.d/iptables-ipset-proto6-allports.conf	2013-11-12 22:06:54.000000000 +0100
++++ fail2ban-0.8.11/config/action.d/iptables-ipset-proto6-allports.conf	2014-01-06 11:39:21.855902139 +0100
+@@ -25,13 +25,13 @@
+ # Values:  CMD
+ #
+ actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
+-              iptables -I INPUT -m set --match-set fail2ban-<name> src -j <blocktype>
++              fail2ban-iptables -I INPUT -m set --match-set fail2ban-<name> src -j <blocktype>
+ 
+ # Option:  actionstop
+ # Notes.:  command executed once at the end of Fail2Ban
+ # Values:  CMD
+ #
+-actionstop = iptables -D INPUT -m set --match-set fail2ban-<name> src -j <blocktype>
++actionstop = fail2ban-iptables -D INPUT -m set --match-set fail2ban-<name> src -j <blocktype>
+              ipset flush fail2ban-<name>
+              ipset destroy fail2ban-<name>
+ 
+diff -urN fail2ban-0.8.11.orig/config/action.d/iptables-ipset-proto6.conf fail2ban-0.8.11/config/action.d/iptables-ipset-proto6.conf
+--- fail2ban-0.8.11.orig/config/action.d/iptables-ipset-proto6.conf	2013-11-12 22:06:54.000000000 +0100
++++ fail2ban-0.8.11/config/action.d/iptables-ipset-proto6.conf	2014-01-06 11:38:58.449235641 +0100
+@@ -25,13 +25,13 @@
+ # Values:  CMD
+ #
+ actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
+-              iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
++              fail2ban-iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
+ 
+ # Option:  actionstop
+ # Notes.:  command executed once at the end of Fail2Ban
+ # Values:  CMD
+ #
+-actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
++actionstop = fail2ban-iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
+              ipset flush fail2ban-<name>
+              ipset destroy fail2ban-<name>
+ 
+diff -urN fail2ban-0.8.11.orig/config/action.d/iptables-multiport.conf fail2ban-0.8.11/config/action.d/iptables-multiport.conf
+--- fail2ban-0.8.11.orig/config/action.d/iptables-multiport.conf	2013-11-12 22:06:54.000000000 +0100
++++ fail2ban-0.8.11/config/action.d/iptables-multiport.conf	2014-01-06 11:25:24.019241537 +0100
+@@ -2,6 +2,7 @@
+ #
+ # Author: Cyril Jaquier
+ # Modified by Yaroslav Halchenko for multiport banning
++# Modified by Paul J aka Thanat0s for ipv6 support
+ #
+ 
+ [INCLUDES]
+@@ -14,23 +15,23 @@
+ # Notes.:  command executed once at the start of Fail2Ban.
+ # Values:  CMD
+ #
+-actionstart = iptables -N fail2ban-<name>
+-              iptables -A fail2ban-<name> -j RETURN
+-              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
++actionstart = fail2ban-iptables -N fail2ban-<name>
++              fail2ban-iptables -A fail2ban-<name> -j RETURN
++              fail2ban-iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+ 
+ # Option:  actionstop
+ # Notes.:  command executed once at the end of Fail2Ban
+ # Values:  CMD
+ #
+-actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+-             iptables -F fail2ban-<name>
+-             iptables -X fail2ban-<name>
++actionstop = fail2ban-iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
++             fail2ban-iptables -F fail2ban-<name>
++             fail2ban-iptables -X fail2ban-<name>
+ 
+ # Option:  actioncheck
+ # Notes.:  command executed once before each actionban command
+ # Values:  CMD
+ #
+-actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
++actioncheck = fail2ban-iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
+ 
+ # Option:  actionban
+ # Notes.:  command executed when banning an IP. Take care that the
+@@ -38,7 +39,7 @@
+ # Tags:    See jail.conf(5) man page
+ # Values:  CMD
+ #
+-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
++actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
+ 
+ # Option:  actionunban
+ # Notes.:  command executed when unbanning an IP. Take care that the
+@@ -46,7 +47,7 @@
+ # Tags:    See jail.conf(5) man page
+ # Values:  CMD
+ #
+-actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
++actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j <blocktype>
+ 
+ [Init]
+ 
+@@ -67,7 +68,7 @@
+ protocol = tcp
+ 
+ # Option:  chain
+-# Notes    specifies the iptables chain to which the fail2ban rules should be
++# Notes    specifies the fail2ban-iptables chain to which the fail2ban rules should be
+ #          added
+ # Values:  STRING  Default: INPUT
+ chain = INPUT
+diff -urN fail2ban-0.8.11.orig/config/action.d/iptables-multiport-log.conf fail2ban-0.8.11/config/action.d/iptables-multiport-log.conf
+--- fail2ban-0.8.11.orig/config/action.d/iptables-multiport-log.conf	2013-11-12 22:06:54.000000000 +0100
++++ fail2ban-0.8.11/config/action.d/iptables-multiport-log.conf	2014-01-06 11:23:13.682575814 +0100
+@@ -2,6 +2,7 @@
+ #
+ # Author: Guido Bozzetto
+ # Modified: Cyril Jaquier
++# Modified by Paul J aka Thanat0s for ipv6 support
+ #
+ # make "fail2ban-<name>" chain to match drop IP
+ # make "fail2ban-<name>-log" chain to log and drop
+@@ -19,28 +20,28 @@
+ # Notes.:  command executed once at the start of Fail2Ban.
+ # Values:  CMD
+ #
+-actionstart = iptables -N fail2ban-<name>
+-              iptables -A fail2ban-<name> -j RETURN
+-              iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+-              iptables -N fail2ban-<name>-log
+-              iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
+-              iptables -A fail2ban-<name>-log -j <blocktype>
++actionstart = fail2ban-iptables -N fail2ban-<name>
++              fail2ban-iptables -A fail2ban-<name> -j RETURN
++              fail2ban-iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
++              fail2ban-iptables -N fail2ban-<name>-log
++              fail2ban-iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
++              fail2ban-iptables -A fail2ban-<name>-log -j <blocktype>
+ 
+ # Option:  actionstop
+ # Notes.:  command executed once at the end of Fail2Ban
+ # Values:  CMD
+ #
+-actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+-             iptables -F fail2ban-<name>
+-             iptables -F fail2ban-<name>-log
+-             iptables -X fail2ban-<name>
+-             iptables -X fail2ban-<name>-log
++actionstop = fail2ban-iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
++             fail2ban-iptables -F fail2ban-<name>
++             fail2ban-iptables -F fail2ban-<name>-log
++             fail2ban-iptables -X fail2ban-<name>
++             fail2ban-iptables -X fail2ban-<name>-log
+ 
+ # Option:  actioncheck
+ # Notes.:  command executed once before each actionban command
+ # Values:  CMD
+ #
+-actioncheck = iptables -n -L fail2ban-<name>-log >/dev/null
++actioncheck = fail2ban-iptables -n -L fail2ban-<name>-log >/dev/null
+ 
+ # Option:  actionban
+ # Notes.:  command executed when banning an IP. Take care that the
+@@ -48,7 +49,7 @@
+ # Tags:    See jail.conf(5) man page
+ # Values:  CMD
+ #
+-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
++actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
+ 
+ # Option:  actionunban
+ # Notes.:  command executed when unbanning an IP. Take care that the
+@@ -56,7 +57,7 @@
+ # Tags:    See jail.conf(5) man page
+ # Values:  CMD
+ #
+-actionunban = iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log
++actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log
+ 
+ [Init]
+ 
+@@ -77,7 +78,7 @@
+ protocol = tcp
+ 
+ # Option:  chain
+-# Notes    specifies the iptables chain to which the fail2ban rules should be
++# Notes    specifies the fail2ban-iptables chain to which the fail2ban rules should be
+ #          added
+ # Values:  STRING  Default: INPUT
+ chain = INPUT
+diff -urN fail2ban-0.8.11.orig/config/action.d/iptables-new.conf fail2ban-0.8.11/config/action.d/iptables-new.conf
+--- fail2ban-0.8.11.orig/config/action.d/iptables-new.conf	2013-11-12 22:06:54.000000000 +0100
++++ fail2ban-0.8.11/config/action.d/iptables-new.conf	2014-01-06 11:27:19.569240701 +0100
+@@ -1,8 +1,9 @@
+ # Fail2Ban configuration file
+ #
+ # Author: Cyril Jaquier
+-# Copied from iptables.conf and modified by Yaroslav Halchenko 
++# Copied from fail2ban-iptables.conf and modified by Yaroslav Halchenko 
+ #  to fullfill the needs of bugreporter dbts#350746.
++# Modified by Paul J aka Thanat0s for ipv6 support
+ #
+ #
+ 
+@@ -17,23 +18,23 @@
+ # Notes.:  command executed once at the start of Fail2Ban.
+ # Values:  CMD
+ #
+-actionstart = iptables -N fail2ban-<name>
+-              iptables -A fail2ban-<name> -j RETURN
+-              iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
++actionstart = fail2ban-iptables -N fail2ban-<name>
++              fail2ban-iptables -A fail2ban-<name> -j RETURN
++              fail2ban-iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+ 
+ # Option:  actionstop
+ # Notes.:  command executed once at the end of Fail2Ban
+ # Values:  CMD
+ #
+-actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+-             iptables -F fail2ban-<name>
+-             iptables -X fail2ban-<name>
++actionstop = fail2ban-iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
++             fail2ban-iptables -F fail2ban-<name>
++             fail2ban-iptables -X fail2ban-<name>
+ 
+ # Option:  actioncheck
+ # Notes.:  command executed once before each actionban command
+ # Values:  CMD
+ #
+-actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
++actioncheck = fail2ban-iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
+ 
+ # Option:  actionban
+ # Notes.:  command executed when banning an IP. Take care that the
+@@ -41,7 +42,7 @@
+ # Tags:    See jail.conf(5) man page
+ # Values:  CMD
+ #
+-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
++actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
+ 
+ # Option:  actionunban
+ # Notes.:  command executed when unbanning an IP. Take care that the
+@@ -49,7 +50,7 @@
+ # Tags:    See jail.conf(5) man page
+ # Values:  CMD
+ #
+-actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
++actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j <blocktype>
+ 
+ [Init]
+ 
+@@ -70,7 +71,7 @@
+ protocol = tcp
+ 
+ # Option:  chain
+-# Notes    specifies the iptables chain to which the fail2ban rules should be
++# Notes    specifies the fail2ban-iptables chain to which the fail2ban rules should be
+ #          added
+ # Values:  STRING  Default: INPUT
+ chain = INPUT
+diff -urN fail2ban-0.8.11.orig/config/action.d/iptables-xt_recent-echo.conf fail2ban-0.8.11/config/action.d/iptables-xt_recent-echo.conf
+--- fail2ban-0.8.11.orig/config/action.d/iptables-xt_recent-echo.conf	2013-11-12 22:06:54.000000000 +0100
++++ fail2ban-0.8.11/config/action.d/iptables-xt_recent-echo.conf	2014-01-06 11:40:07.539235142 +0100
+@@ -33,7 +33,7 @@
+ #    own rules. The 3600 second timeout is independent and acts as a
+ #    safeguard in case the fail2ban process dies unexpectedly. The
+ #    shorter of the two timeouts actually matters.
+-actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j <blocktype>
++actionstart = fail2ban-iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j <blocktype>
+ 
+ # Option:  actionstop
+ # Notes.:  command executed once at the end of Fail2Ban
+diff -urN fail2ban-0.8.11.orig/config/fail2ban.conf fail2ban-0.8.11/config/fail2ban.conf
+--- fail2ban-0.8.11.orig/config/fail2ban.conf	2013-11-12 22:06:54.000000000 +0100
++++ fail2ban-0.8.11/config/fail2ban.conf	2014-01-06 11:31:27.709238905 +0100
+@@ -47,3 +47,10 @@
+ #
+ pidfile = /var/run/fail2ban/fail2ban.pid
+ 
++# Option: ipv6
++# Notes.: Activate IPv6 support
++#         Warning : only with iptables action supported
++# Values: BOOLEAN Default:  disabled
++#
++ipv6 = enabled
++
+diff -urN fail2ban-0.8.11.orig/fail2ban-iptables fail2ban-0.8.11/fail2ban-iptables
+--- fail2ban-0.8.11.orig/fail2ban-iptables	1970-01-01 01:00:00.000000000 +0100
++++ fail2ban-0.8.11/fail2ban-iptables	2014-01-06 11:32:30.559238449 +0100
+@@ -0,0 +1,50 @@
++#!/usr/bin/python
++# This file is part of Fail2Ban.
++#
++# Fail2Ban is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 2 of the License, or
++# (at your option) any later version.
++#
++# Fail2Ban is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with Fail2Ban; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
++
++
++# Iptable wrapper, call the right iptables depending of the ip proposed
++# Author: Paul J Aka "Thanat0s"
++
++import sys, re, subprocess
++
++# Main procedure
++def main(argv):
++	concat_argv = ' '.join(argv)
++	regv4 = re.compile('([0-9]{1,3}\.){3}[0-9]{1,3}')
++	if regv4.search(concat_argv):
++		# we are facing to a ipv4
++		ret = subprocess.call(['iptables'] + argv)
++		sys.exit(ret)
++	else:
++		# if not, maybe it's a ipv6
++		regv6 = re.compile('::[A-Fa-f0-9]{1,4}|(:[A-Fa-f0-9]{1,4}){2,}')
++		if regv6.search(concat_argv):
++			ret6 = subprocess.call(['ip6tables'] + argv)
++			sys.exit(ret6)
++		else:
++			# if it's not a ipv6 either, we call both iptables
++			ret = subprocess.call(['iptables'] + argv)
++			ret6 = subprocess.call(['ip6tables'] + argv)
++			# return worst error code
++			if ret > ret6:
++				sys.exit(ret)
++			else:
++				sys.exit(ret6)
++
++# Main call, pass all variables
++if __name__ == "__main__":
++	main(sys.argv[1:])
+diff -urN fail2ban-0.8.11.orig/server/failregex.py fail2ban-0.8.11/server/failregex.py
+--- fail2ban-0.8.11.orig/server/failregex.py	2013-11-12 22:06:54.000000000 +0100
++++ fail2ban-0.8.11/server/failregex.py	2014-01-06 11:12:39.602580405 +0100
+@@ -41,7 +41,7 @@
+ 		self._matchCache = None
+ 		# Perform shortcuts expansions.
+ 		# Replace "<HOST>" with default regular expression for host.
+-		regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)")
++		regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_:]*\w)")
+ 		if regex.lstrip() == '':
+ 			raise RegexException("Cannot add empty regex")
+ 		try:
+diff -urN fail2ban-0.8.11.orig/server/filter.py fail2ban-0.8.11/server/filter.py
+--- fail2ban-0.8.11.orig/server/filter.py	2013-11-12 22:06:54.000000000 +0100
++++ fail2ban-0.8.11/server/filter.py	2014-01-06 12:25:40.509215356 +0100
+@@ -267,7 +267,10 @@
+ 			s = i.split('/', 1)
+ 			# IP address without CIDR mask
+ 			if len(s) == 1:
+-				s.insert(1, '32')
++				if re.match(":", s[0]):
++					s.insert(1, '128')
++				else:
++					s.insert(1, '32')
+ 			s[1] = long(s[1])
+ 			try:
+ 				a = DNSUtils.cidr(s[0], s[1])
+@@ -623,6 +626,7 @@
+ class DNSUtils:
+ 
+ 	IP_CRE = re.compile("^(?:\d{1,3}\.){3}\d{1,3}$")
++	IP_CRE6 = re.compile("^(?:[0-9:A-Fa-f]{3,})$")
+ 
+ 	#@staticmethod
+ 	def dnsToIp(dns):
+@@ -646,19 +650,31 @@
+ 		if match:
+ 			return match
+ 		else:
+-			return None
++			match = DNSUtils.IP_CRE6.match(text)
++			if match:
++				""" Right Here, we faced to a ipv6
++				"""
++				return match
++			else:
++				return None
+ 	searchIP = staticmethod(searchIP)
+ 
+ 	#@staticmethod
+ 	def isValidIP(string):
+-		""" Return true if str is a valid IP
+-		"""
++		# Return true if str is a valid IP
+ 		s = string.split('/', 1)
++		# try to convert to ipv4
+ 		try:
+ 			socket.inet_aton(s[0])
+ 			return True
+ 		except socket.error:
+-			return False
++			# if it had failed try to convert ipv6
++			try:  
++				socket.inet_pton(socket.AF_INET6, s[0])
++				return True
++			except socket.error: 
++				# not a valid address in both stacks
++				return False
+ 	isValidIP = staticmethod(isValidIP)
+ 
+ 	#@staticmethod
+@@ -687,11 +703,14 @@
+ 
+ 	#@staticmethod
+ 	def cidr(i, n):
+-		""" Convert an IP address string with a CIDR mask into a 32-bit
+-			integer.
++		""" Convert an IP address string with a CIDR mask into an integer.
+ 		"""
+-		# 32-bit IPv4 address mask
+-		MASK = 0xFFFFFFFFL
++		if re.match(":", i):
++			# 128-bit IPv6 address mask
++			MASK = ((1 << 128) - 1)
++		else:
++			# 32-bit IPv4 address mask
++			MASK = 0xFFFFFFFFL
+ 		return ~(MASK >> n) & MASK & DNSUtils.addr2bin(i)
+ 	cidr = staticmethod(cidr)
+ 
+@@ -699,12 +718,21 @@
+ 	def addr2bin(string):
+ 		""" Convert a string IPv4 address into an unsigned integer.
+ 		"""
+-		return struct.unpack("!L", socket.inet_aton(string))[0]
++		try:
++			return struct.unpack("!L", socket.inet_aton(string))[0]
++		except socket.error:
++			hi, lo = struct.unpack('!QQ', socket.inet_pton(socket.AF_INET6, string))
++			return (hi << 64) | lo
+ 	addr2bin = staticmethod(addr2bin)
+ 
+ 	#@staticmethod
+ 	def bin2addr(addr):
+ 		""" Convert a numeric IPv4 address into string n.n.n.n form.
+ 		"""
+-		return socket.inet_ntoa(struct.pack("!L", addr))
++		try:
++			return socket.inet_ntoa(struct.pack("!L", addr))
++		except socket.error:
++			hi = addr >> 64
++			lo = addr & ((1 << 64) - 1)
++			return socket.inet_ntop(socket.AF_INET6, struct.pack('!QQ', hi, lo))
+ 	bin2addr = staticmethod(bin2addr)
+diff -urN fail2ban-0.8.11.orig/setup.py fail2ban-0.8.11/setup.py
+--- fail2ban-0.8.11.orig/setup.py	2013-11-12 22:06:54.000000000 +0100
++++ fail2ban-0.8.11/setup.py	2014-01-06 11:15:41.519245754 +0100
+@@ -48,7 +48,8 @@
+ 	scripts =	[
+ 					'fail2ban-client',
+ 					'fail2ban-server',
+-					'fail2ban-regex'
++					'fail2ban-regex',
++					'fail2ban-iptables'
+ 				],
+ 	packages =	[
+ 					'common',
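Review bot: `re.match(":", s[0])` in the first filter.py hunk and `re.match(":", i)` in `DNSUtils.cidr` anchor at the start of the string, so only addresses that begin with a colon such as `::1` take the IPv6 branch; a typical address like `2001:db8::1` falls into the `'32'` default and the 32-bit `MASK`, and `~(MASK >> n) & MASK & addr` then keeps only the low 32 bits of the 128-bit value, so whatever comparison follows on `a` cannot tell such addresses apart. Both tests should be substring checks, `if ':' in s[0]:` and `if ':' in i:`. Separately, `bin2addr` only catches `socket.error`, but `struct.pack("!L", addr)` with a value above 0xFFFFFFFF raises `struct.error`, so the IPv6 fallback below it is never reached; use `except (socket.error, struct.error):` or branch on `addr > 0xFFFFFFFF` before packing. `IP_CRE6 = re.compile("^(?:[0-9:A-Fa-f]{3,})$")` also accepts any hex-looking token with no colon at all (`dead`, `1234`), so `searchIP` will now report such words as addresses unless its caller validates them; requiring IPv6 syntax, e.g. `^(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}$`, keeps the pre-filter honest and leaves the real check to `inet_pton`. The method enclosing `s = i.split('/', 1)` in the first filter.py hunk starts and ends outside the hunk.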