authorsebres <info@sebres.de>2022-01-24 22:30:33 +0100
committersebres <info@sebres.de>2022-01-24 22:31:51 +0100
commit7db1c97a3e070e13b9ba48270ad028387306c934 (patch)
tree6f7465c5b1145d5a4223e44c263ae7037ffc8d5b
parent970573d1cbe16907c2eb352cee44b6825524744a (diff)
parentceeba99f25763378c19e5779ddbd0ac7d31caa88 (diff)
downloadfail2ban-7db1c97a3e070e13b9ba48270ad028387306c934.tar.gz
Merge remote-tracking branch 'remotes/sebres/1.0-breakdown-safe-actions' with master;
conflicts resolved
-rw-r--r--MANIFEST1
-rw-r--r--config/action.d/iptables-allports.conf46
-rw-r--r--config/action.d/iptables-common.conf92
-rw-r--r--config/action.d/iptables-ipset-proto4.conf7
-rw-r--r--config/action.d/iptables-ipset-proto6-allports.conf68
-rw-r--r--config/action.d/iptables-ipset-proto6.conf68
-rw-r--r--config/action.d/iptables-ipset.conf90
-rw-r--r--config/action.d/iptables-multiport-log.conf2
-rw-r--r--config/action.d/iptables-multiport.conf44
-rw-r--r--config/action.d/iptables-new.conf45
-rw-r--r--config/action.d/iptables-xt_recent-echo.conf4
-rw-r--r--config/action.d/iptables.conf112
-rw-r--r--config/action.d/symbiosis-blacklist-allports.conf7
-rw-r--r--fail2ban/tests/clientreadertestcase.py2
-rw-r--r--fail2ban/tests/servertestcase.py42
15 files changed, 252 insertions, 378 deletions
diff --git a/MANIFEST b/MANIFEST
index c2df1e51..bf46406c 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -24,7 +24,6 @@ config/action.d/hostsdeny.conf
config/action.d/ipfilter.conf
config/action.d/ipfw.conf
config/action.d/iptables-allports.conf
-config/action.d/iptables-common.conf
config/action.d/iptables.conf
config/action.d/iptables-ipset-proto4.conf
config/action.d/iptables-ipset-proto6-allports.conf
diff --git a/config/action.d/iptables-allports.conf b/config/action.d/iptables-allports.conf
index caf9ab81..51c4694d 100644
--- a/config/action.d/iptables-allports.conf
+++ b/config/action.d/iptables-allports.conf
@@ -4,52 +4,12 @@
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
# made active on all ports from original iptables.conf
#
-#
+# Obsolete: superseded by iptables[type=allports]
[INCLUDES]
-before = iptables-common.conf
-
+before = iptables.conf
[Definition]
-# Option: actionstart
-# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values: CMD
-#
-actionstart = <iptables> -N f2b-<name>
- <iptables> -A f2b-<name> -j <returntype>
- <iptables> -I <chain> -p <protocol> -j f2b-<name>
-
-# Option: actionstop
-# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
-# Values: CMD
-#
-actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name>
- <actionflush>
- <iptables> -X f2b-<name>
-
-# Option: actioncheck
-# Notes.: command executed once before each actionban command
-# Values: CMD
-#
-actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
-
-# Option: actionban
-# Notes.: command executed when banning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
-
-# Option: actionunban
-# Notes.: command executed when unbanning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
-
-[Init]
-
+type = allports
diff --git a/config/action.d/iptables-common.conf b/config/action.d/iptables-common.conf
deleted file mode 100644
index e016ef2f..00000000
--- a/config/action.d/iptables-common.conf
+++ /dev/null
@@ -1,92 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Daniel Black
-#
-# This is a included configuration file and includes the definitions for the iptables
-# used in all iptables based actions by default.
-#
-# The user can override the defaults in iptables-common.local
-#
-# Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
-# made config file IPv6 capable (see new section Init?family=inet6)
-
-[INCLUDES]
-
-after = iptables-blocktype.local
- iptables-common.local
-# iptables-blocktype.local is obsolete
-
-[Definition]
-
-# Option: actionflush
-# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
-# Values: CMD
-#
-actionflush = <iptables> -F f2b-<name>
-
-
-[Init]
-
-# Option: chain
-# Notes specifies the iptables chain to which the Fail2Ban rules should be
-# added
-# Values: STRING Default: INPUT
-chain = INPUT
-
-# Default name of the chain
-#
-name = default
-
-# Option: port
-# Notes.: specifies port to monitor
-# Values: [ NUM | STRING ] Default:
-#
-port = ssh
-
-# Option: protocol
-# Notes.: internally used by config reader for interpolations.
-# Values: [ tcp | udp | icmp | all ] Default: tcp
-#
-protocol = tcp
-
-# Option: blocktype
-# Note: This is what the action does with rules. This can be any jump target
-# as per the iptables man page (section 8). Common values are DROP
-# REJECT, REJECT --reject-with icmp-port-unreachable
-# Values: STRING
-blocktype = REJECT --reject-with icmp-port-unreachable
-
-# Option: returntype
-# Note: This is the default rule on "actionstart". This should be RETURN
-# in all (blocking) actions, except REJECT in allowing actions.
-# Values: STRING
-returntype = RETURN
-
-# Option: lockingopt
-# Notes.: Option was introduced to iptables to prevent multiple instances from
-# running concurrently and causing irratic behavior. -w was introduced
-# in iptables 1.4.20, so might be absent on older systems
-# See https://github.com/fail2ban/fail2ban/issues/1122
-# Values: STRING
-lockingopt = -w
-
-# Option: iptables
-# Notes.: Actual command to be executed, including common to all calls options
-# Values: STRING
-iptables = iptables <lockingopt>
-
-
-[Init?family=inet6]
-
-# Option: blocktype (ipv6)
-# Note: This is what the action does with rules. This can be any jump target
-# as per the iptables man page (section 8). Common values are DROP
-# REJECT, REJECT --reject-with icmp6-port-unreachable
-# Values: STRING
-blocktype = REJECT --reject-with icmp6-port-unreachable
-
-# Option: iptables (ipv6)
-# Notes.: Actual command to be executed, including common to all calls options
-# Values: STRING
-iptables = ip6tables <lockingopt>
-
diff --git a/config/action.d/iptables-ipset-proto4.conf b/config/action.d/iptables-ipset-proto4.conf
index 99ebbf8c..2e2f5779 100644
--- a/config/action.d/iptables-ipset-proto4.conf
+++ b/config/action.d/iptables-ipset-proto4.conf
@@ -19,7 +19,7 @@
[INCLUDES]
-before = iptables-common.conf
+before = iptables.conf
[Definition]
@@ -28,7 +28,7 @@ before = iptables-common.conf
# Values: CMD
#
actionstart = ipset --create f2b-<name> iphash
- <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
+ <iptables> -I <chain> %(_ipt_chain_rule)s
# Option: actionflush
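Review bot: The rewritten actionstart inserts `%(_ipt_chain_rule)s`, which with the inherited default `type = oneport` expands to `-p <protocol> --dport <port> -m set --match-set f2b-<name> src -j <blocktype>`, whereas the removed line matched `-m multiport --dports <port>`; nothing in these hunks sets `type`, so a multi-value port such as `http,https` that worked before will now be rejected by `--dport`. iptables-ipset-proto6.conf gets `type = multiport` in this same commit, and this file needs the same line, e.g. `type = multiport` next to the added `rule-jump`. actionstop lies outside the hunks and the diffstat shows only 7 changed lines for this file, so it presumably still carries the literal `-D <chain> -p <protocol> -m multiport --dports <port> ...`; if so, start and stop no longer build the same rule and the stop would leave the chain rule (and thus the in-use set) behind, so it should switch to `<iptables> -D <chain> %(_ipt_chain_rule)s` as well.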
@@ -61,5 +61,6 @@ actionban = ipset --test f2b-<name> <ip> || ipset --add f2b-<name> <ip>
#
actionunban = ipset --test f2b-<name> <ip> && ipset --del f2b-<name> <ip>
-[Init]
+# Several capabilities used internaly:
+rule-jump = -m set --match-set f2b-<name> src -j <blocktype>
diff --git a/config/action.d/iptables-ipset-proto6-allports.conf b/config/action.d/iptables-ipset-proto6-allports.conf
index 67d7947b..1aa7fd6f 100644
--- a/config/action.d/iptables-ipset-proto6-allports.conf
+++ b/config/action.d/iptables-ipset-proto6-allports.conf
@@ -15,73 +15,13 @@
#
# Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
# made config file IPv6 capable (see new section Init?family=inet6)
+#
+# Obsolete: superseded by iptables-ipset[type=allports]
[INCLUDES]
-before = iptables-common.conf
+before = iptables-ipset.conf
[Definition]
-# Option: actionstart
-# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values: CMD
-#
-actionstart = ipset create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
- <iptables> -I <chain> -m set --match-set <ipmset> src -j <blocktype>
-
-# Option: actionflush
-# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
-# Values: CMD
-#
-actionflush = ipset flush <ipmset>
-
-# Option: actionstop
-# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
-# Values: CMD
-#
-actionstop = <iptables> -D <chain> -m set --match-set <ipmset> src -j <blocktype>
- <actionflush>
- ipset destroy <ipmset>
-
-# Option: actionban
-# Notes.: command executed when banning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionban = ipset add <ipmset> <ip> timeout <ipsettime> -exist
-
-# actionprolong = %(actionban)s
-
-# Option: actionunban
-# Notes.: command executed when unbanning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionunban = ipset del <ipmset> <ip> -exist
-
-[Init]
-
-# Option: default-ipsettime
-# Notes: specifies default timeout in seconds (handled default ipset timeout only)
-# Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban)
-default-ipsettime = 0
-
-# Option: ipsettime
-# Notes: specifies ticket timeout (handled ipset timeout only)
-# Values: [ NUM ] Default: 0 (managed by fail2ban by unban)
-ipsettime = 0
-
-# expresion to caclulate timeout from bantime, example:
-# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
-timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
-
-ipmset = f2b-<name>
-familyopt =
-
-
-[Init?family=inet6]
-
-ipmset = f2b-<name>6
-familyopt = family inet6
+type = allports
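Review bot: The shim does not reproduce the old rule: `ipt_allports/_chain_rule` in iptables.conf is `-p <protocol> <rule-jump>`, while the removed actionstart/actionstop inserted the set match with no `-p` at all, so the action now matches only the configured protocol (tcp by default) instead of every protocol; the updated expectation in servertestcase.py (`-I INPUT -p tcp -m set --match-set f2b-j-w-iptables-ipset-ap src ...`) shows the narrowing. A deployment that relied on this file to cover UDP or ICMP loses that coverage without any message. If the new behaviour is intended, say so in the header, e.g. `# Obsolete: superseded by iptables-ipset[type=allports]; note the rule now carries -p <protocol> (use protocol=all to keep matching every protocol)`, otherwise the shim should set `protocol = all` itself.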
diff --git a/config/action.d/iptables-ipset-proto6.conf b/config/action.d/iptables-ipset-proto6.conf
index 87601027..ef744984 100644
--- a/config/action.d/iptables-ipset-proto6.conf
+++ b/config/action.d/iptables-ipset-proto6.conf
@@ -15,73 +15,13 @@
#
# Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
# made config file IPv6 capable (see new section Init?family=inet6)
+#
+# Obsolete: superseded by iptables-ipset[type=multiport]
[INCLUDES]
-before = iptables-common.conf
+before = iptables-ipset.conf
[Definition]
-# Option: actionstart
-# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values: CMD
-#
-actionstart = ipset create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
- <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
-
-# Option: actionflush
-# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
-# Values: CMD
-#
-actionflush = ipset flush <ipmset>
-
-# Option: actionstop
-# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
-# Values: CMD
-#
-actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
- <actionflush>
- ipset destroy <ipmset>
-
-# Option: actionban
-# Notes.: command executed when banning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionban = ipset add <ipmset> <ip> timeout <ipsettime> -exist
-
-# actionprolong = %(actionban)s
-
-# Option: actionunban
-# Notes.: command executed when unbanning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionunban = ipset del <ipmset> <ip> -exist
-
-[Init]
-
-# Option: default-ipsettime
-# Notes: specifies default timeout in seconds (handled default ipset timeout only)
-# Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban)
-default-ipsettime = 0
-
-# Option: ipsettime
-# Notes: specifies ticket timeout (handled ipset timeout only)
-# Values: [ NUM ] Default: 0 (managed by fail2ban by unban)
-ipsettime = 0
-
-# expresion to caclulate timeout from bantime, example:
-# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
-timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
-
-ipmset = f2b-<name>
-familyopt =
-
-
-[Init?family=inet6]
-
-ipmset = f2b-<name>6
-familyopt = family inet6
+type = multiport
diff --git a/config/action.d/iptables-ipset.conf b/config/action.d/iptables-ipset.conf
new file mode 100644
index 00000000..82d2b6b7
--- /dev/null
+++ b/config/action.d/iptables-ipset.conf
@@ -0,0 +1,90 @@
+# Fail2Ban configuration file
+#
+# Authors: Sergey G Brester (sebres), Daniel Black, Alexander Koeppe
+#
+# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
+# Use ipset -V to see the protocol and version. Version 4 should use
+# iptables-ipset-proto4.conf.
+#
+# This requires the program ipset which is normally in package called ipset.
+#
+# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
+#
+# If you are running on an older kernel you make need to patch in external
+# modules.
+#
+
+[INCLUDES]
+
+before = iptables.conf
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
+# Values: CMD
+#
+actionstart = ipset create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
+ <iptables> -I <chain> %(_ipt_chain_rule)s
+
+# Option: actionflush
+# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
+# Values: CMD
+#
+actionflush = ipset flush <ipmset>
+
+# Option: actionstop
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+# Values: CMD
+#
+actionstop = <iptables> -D <chain> %(_ipt_chain_rule)s
+ <actionflush>
+ ipset destroy <ipmset>
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = ipset add <ipmset> <ip> timeout <ipsettime> -exist
+
+# actionprolong = %(actionban)s
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = ipset del <ipmset> <ip> -exist
+
+# Several capabilities used internaly:
+
+rule-jump = -m set --match-set <ipmset> src -j <blocktype>
+
+
+[Init]
+
+# Option: default-ipsettime
+# Notes: specifies default timeout in seconds (handled default ipset timeout only)
+# Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban)
+default-ipsettime = 0
+
+# Option: ipsettime
+# Notes: specifies ticket timeout (handled ipset timeout only)
+# Values: [ NUM ] Default: 0 (managed by fail2ban by unban)
+ipsettime = 0
+
+# expresion to caclulate timeout from bantime, example:
+# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
+timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
+
+ipmset = f2b-<name>
+familyopt =
+
+
+[Init?family=inet6]
+
+ipmset = f2b-<name>6
+familyopt = family inet6
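Review bot: `rule-jump` is the hook that makes this file work but carries no documentation: iptables.conf appends `<rule-jump>` to `<ipt_<type>/_chain_rule>`, and overriding it with `-m set --match-set <ipmset> src -j <blocktype>` is what applies the set match in `<chain>` directly instead of jumping to an `f2b-<name>` chain, which is why this file's actionstart does not create that chain. Add an option block in the file's own style above it: `# Option: rule-jump`, `# Notes.: replaces the jump of the parent's chain rule so the ipset match is applied in <chain> itself (no f2b-<name> chain is created)`, `# Values: STRING`. The header also never mentions that `type` (oneport/multiport/allports, default oneport from iptables.conf) selects the port part of the rule, which is the only difference between the two superseded proto6 files; a line such as `# Use type=multiport or type=allports (see iptables.conf) to select the port match.` would help. Two copied typos in comments: `internaly` → `internally`, `expresion to caclulate` → `expression to calculate`.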
diff --git a/config/action.d/iptables-multiport-log.conf b/config/action.d/iptables-multiport-log.conf
index df126dbf..322a7491 100644
--- a/config/action.d/iptables-multiport-log.conf
+++ b/config/action.d/iptables-multiport-log.conf
@@ -11,7 +11,7 @@
[INCLUDES]
-before = iptables-common.conf
+before = iptables.conf
[Definition]
diff --git a/config/action.d/iptables-multiport.conf b/config/action.d/iptables-multiport.conf
index 41b00c54..008208e0 100644
--- a/config/action.d/iptables-multiport.conf
+++ b/config/action.d/iptables-multiport.conf
@@ -3,50 +3,12 @@
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
#
+# Obsolete: superseded by iptables[type=multiport]
[INCLUDES]
-before = iptables-common.conf
+before = iptables.conf
[Definition]
-# Option: actionstart
-# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values: CMD
-#
-actionstart = <iptables> -N f2b-<name>
- <iptables> -A f2b-<name> -j <returntype>
- <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
-
-# Option: actionstop
-# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
-# Values: CMD
-#
-actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
- <actionflush>
- <iptables> -X f2b-<name>
-
-# Option: actioncheck
-# Notes.: command executed once before each actionban command
-# Values: CMD
-#
-actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
-
-# Option: actionban
-# Notes.: command executed when banning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
-
-# Option: actionunban
-# Notes.: command executed when unbanning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
-
-[Init]
-
+type = multiport
diff --git a/config/action.d/iptables-new.conf b/config/action.d/iptables-new.conf
index 39a17099..170cb934 100644
--- a/config/action.d/iptables-new.conf
+++ b/config/action.d/iptables-new.conf
@@ -4,51 +4,12 @@
# Copied from iptables.conf and modified by Yaroslav Halchenko
# to fulfill the needs of bugreporter dbts#350746.
#
-#
+# Obsolete: superseded by iptables[pre-rule='-m state --state NEW<sp>']
[INCLUDES]
-before = iptables-common.conf
+before = iptables.conf
[Definition]
-# Option: actionstart
-# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values: CMD
-#
-actionstart = <iptables> -N f2b-<name>
- <iptables> -A f2b-<name> -j <returntype>
- <iptables> -I <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
-
-# Option: actionstop
-# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
-# Values: CMD
-#
-actionstop = <iptables> -D <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
- <actionflush>
- <iptables> -X f2b-<name>
-
-# Option: actioncheck
-# Notes.: command executed once before each actionban command
-# Values: CMD
-#
-actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
-
-# Option: actionban
-# Notes.: command executed when banning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
-
-# Option: actionunban
-# Notes.: command executed when unbanning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
-
-[Init]
-
+pre-rule = -m state --state NEW<sp> \ No newline at end of file
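Review bot: The file now ends without a trailing newline (`\ No newline at end of file` after `pre-rule = -m state --state NEW<sp>`); add one for consistency with the other shims in this commit. The `<sp>` suffix is doing real work here — `_ipt_chain_rule` in iptables.conf is `<pre-rule><ipt_<type>/_chain_rule>` with no separator — so a comment above the line such as `# trailing <sp> keeps the prefix separated from the type-specific part of the rule` would stop a future cleanup from stripping it.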
diff --git a/config/action.d/iptables-xt_recent-echo.conf b/config/action.d/iptables-xt_recent-echo.conf
index 97449222..7e24db7a 100644
--- a/config/action.d/iptables-xt_recent-echo.conf
+++ b/config/action.d/iptables-xt_recent-echo.conf
@@ -7,7 +7,7 @@
[INCLUDES]
-before = iptables-common.conf
+before = iptables.conf
[Definition]
@@ -52,7 +52,7 @@ actionstop = echo / > /proc/net/xt_recent/<iptname>
# Notes.: command executed once before each actionban command
# Values: CMD
#
-actioncheck = test -e /proc/net/xt_recent/<iptname>
+actioncheck = { <known/actioncheck>; } && test -e /proc/net/xt_recent/<iptname>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
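Review bot: `<known/actioncheck>` resolves to the parent's `<_ipt_check_rule>`, i.e. `<iptables> -C <chain> <pre-rule><ipt_<type>/_chain_rule>`, which with the inherited `type = oneport` and `rule-jump = -j <_ipt_rule_target>` probes for `-p tcp --dport ssh -j f2b-<name>`; judging by the stop command the updated test expects (`-D INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT ...`), this action's rule is the `-m recent` one and no `f2b-<name>` chain exists, so the new check presumably fails on every ban and keeps re-triggering the action's repair path. The servertestcase.py hunk around line 1766 pins exactly this unmatching command, and its ip6 variant even checks `-j f2b-j-w-iptables-xtre` next to `/proc/net/xt_recent/...-xtre6`. Either override the hook so the check reproduces the rule actually installed, e.g. `rule-jump = -m recent --update --seconds 3600 --name <iptname> -j <blocktype>` with actionstart/actionstop switched to `%(_ipt_chain_rule)s` so all three build the same rule, or keep the check as `test -e /proc/net/xt_recent/<iptname>`. actionstart is outside the hunk, so the exact inserted rule should be confirmed there.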
diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf
index 8ed5fdad..7ca9c962 100644
--- a/config/action.d/iptables.conf
+++ b/config/action.d/iptables.conf
@@ -1,14 +1,22 @@
# Fail2Ban configuration file
#
-# Author: Cyril Jaquier
-#
+# Authors: Sergey G. Brester (sebres), Cyril Jaquier, Daniel Black,
+# Yaroslav O. Halchenko, Alexander Koeppe et al.
#
-[INCLUDES]
+[Definition]
-before = iptables-common.conf
+# Option: type
+# Notes.: type of the action.
+# Values: [ oneport | multiport | allports ] Default: oneport
+#
+type = oneport
-[Definition]
+# Option: actionflush
+# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
+# Values: CMD
+#
+actionflush = <iptables> -F f2b-<name>
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
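Review bot: Dropping the `[INCLUDES]` block also drops the `after = iptables-blocktype.local iptables-common.local` that the deleted iptables-common.conf carried, and the header no longer says where overrides belong; a site that set e.g. `blocktype = DROP` or a custom `chain` in iptables-common.local silently falls back to the defaults (REJECT, INPUT) after this change, unless the config reader picks up `.local` companions of included files on its own — that cannot be verified from the hunk. Add a migration line to the header, e.g. `# Note: overrides formerly placed in iptables-common.local must move to iptables.local (iptables-common.conf is no longer included).` The `type` notes could also state what the value selects, e.g. `# Notes.: type of the action; selects the [ipt_<type>] section whose _chain_rule builds the port match of the chain rule.`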
@@ -16,13 +24,13 @@ before = iptables-common.conf
#
actionstart = <iptables> -N f2b-<name>
<iptables> -A f2b-<name> -j <returntype>
- <iptables> -I <chain> -p <protocol> --dport <port> -j f2b-<name>
+ <iptables> -I <chain> %(_ipt_chain_rule)s
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
-actionstop = <iptables> -D <chain> -p <protocol> --dport <port> -j f2b-<name>
+actionstop = <iptables> -D <chain> %(_ipt_chain_rule)s
<actionflush>
<iptables> -X f2b-<name>
@@ -30,7 +38,7 @@ actionstop = <iptables> -D <chain> -p <protocol> --dport <port> -j f2b-<name>
# Notes.: command executed once before each actionban command
# Values: CMD
#
-actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
+actioncheck = <_ipt_check_rule>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@@ -48,5 +56,93 @@ actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
+# Option: pre-rule
+# Notes.: prefix parameter(s) inserted to the begin of rule. No default (empty)
+#
+pre-rule =
+
+rule-jump = -j <_ipt_rule_target>
+
+# Several capabilities used internaly:
+
+_ipt_chain_rule = <pre-rule><ipt_<type>/_chain_rule>
+_ipt_check_rule = <iptables> -C <chain> %(_ipt_chain_rule)s
+_ipt_rule_target = f2b-<name>
+
+[ipt_oneport]
+
+_chain_rule = -p <protocol> --dport <port> <rule-jump>
+
+[ipt_multiport]
+
+_chain_rule = -p <protocol> -m multiport --dports <port> <rule-jump>
+
+[ipt_allports]
+
+_chain_rule = -p <protocol> <rule-jump>
+
+
[Init]
+# Option: chain
+# Notes specifies the iptables chain to which the Fail2Ban rules should be
+# added
+# Values: STRING Default: INPUT
+chain = INPUT
+
+# Default name of the chain
+#
+name = default
+
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ] Default:
+#
+port = ssh
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option: blocktype
+# Note: This is what the action does with rules. This can be any jump target
+# as per the iptables man page (section 8). Common values are DROP
+# REJECT, REJECT --reject-with icmp-port-unreachable
+# Values: STRING
+blocktype = REJECT --reject-with icmp-port-unreachable
+
+# Option: returntype
+# Note: This is the default rule on "actionstart". This should be RETURN
+# in all (blocking) actions, except REJECT in allowing actions.
+# Values: STRING
+returntype = RETURN
+
+# Option: lockingopt
+# Notes.: Option was introduced to iptables to prevent multiple instances from
+# running concurrently and causing irratic behavior. -w was introduced
+# in iptables 1.4.20, so might be absent on older systems
+# See https://github.com/fail2ban/fail2ban/issues/1122
+# Values: STRING
+lockingopt = -w
+
+# Option: iptables
+# Notes.: Actual command to be executed, including common to all calls options
+# Values: STRING
+iptables = iptables <lockingopt>
+
+
+[Init?family=inet6]
+
+# Option: blocktype (ipv6)
+# Note: This is what the action does with rules. This can be any jump target
+# as per the iptables man page (section 8). Common values are DROP
+# REJECT, REJECT --reject-with icmp6-port-unreachable
+# Values: STRING
+blocktype = REJECT --reject-with icmp6-port-unreachable
+
+# Option: iptables (ipv6)
+# Notes.: Actual command to be executed, including common to all calls options
+# Values: STRING
+iptables = ip6tables <lockingopt>
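Review bot: `pre-rule` is documented as a bare prefix, but `_ipt_chain_rule = <pre-rule><ipt_<type>/_chain_rule>` joins it with no separator, so a value must end in a space — iptables-new.conf in this commit relies on `<sp>` for exactly that; say so in the notes, e.g. `# Notes.: prefix parameter(s) inserted at the beginning of the rule; must end with a space (use <sp>), e.g. -m state --state NEW<sp>. No default (empty)`. `rule-jump` and the three `_ipt_*` tags have only `# Several capabilities used internaly:` above them; one line each (`rule-jump` is the tail of the chain rule that per-action includes such as iptables-ipset.conf override to apply their match in <chain> without an f2b-<name> chain; `_ipt_check_rule` is what actioncheck runs) would make the indirection readable. Typos in the moved comments: `internaly` → `internally`, `irratic` → `erratic`.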
diff --git a/config/action.d/symbiosis-blacklist-allports.conf b/config/action.d/symbiosis-blacklist-allports.conf
index 6fb7d0af..7208b293 100644
--- a/config/action.d/symbiosis-blacklist-allports.conf
+++ b/config/action.d/symbiosis-blacklist-allports.conf
@@ -5,7 +5,7 @@
[INCLUDES]
-before = iptables-common.conf
+before = iptables.conf
[Definition]
@@ -41,6 +41,11 @@ actionban = echo 'all' >| /etc/symbiosis/firewall/blacklist.d/<ip>.auto
actionunban = rm -f /etc/symbiosis/firewall/blacklist.d/<ip>.auto
<iptables> -D <chain> -s <ip> -j <blocktype> || :
+# [TODO] Flushing is currently not implemented for symbiosis blacklist.d
+#
+actionflush =
+
+
[Init]
# Option: chain
diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py
index 4029c753..37083a06 100644
--- a/fail2ban/tests/clientreadertestcase.py
+++ b/fail2ban/tests/clientreadertestcase.py
@@ -698,7 +698,7 @@ class JailsReaderTestCache(LogCaptureTestCase):
cnt = self._getLoggedReadCount(r'filter\.d/common\.conf')
self.assertTrue(cnt == 1, "Unexpected count by reading of filter files, cnt = %s" % cnt)
# same with action:
- cnt = self._getLoggedReadCount(r'action\.d/iptables-common\.conf')
+ cnt = self._getLoggedReadCount(r'action\.d/iptables\.conf')
self.assertTrue(cnt == 1, "Unexpected count by reading of action files, cnt = %s" % cnt)
finally:
configparserinc.logLevel = saved_ll
diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py
index 0ea1c757..6aadec14 100644
--- a/fail2ban/tests/servertestcase.py
+++ b/fail2ban/tests/servertestcase.py
@@ -1528,10 +1528,10 @@ class ServerConfigReaderTests(LogCaptureTestCase):
"`ip6tables -w -X f2b-j-w-iptables-mp`",
),
'ip4-check': (
- r"""`iptables -w -n -L INPUT | grep -q 'f2b-j-w-iptables-mp[ \t]'`""",
+ r"""`iptables -w -C INPUT -p tcp -m multiport --dports http,https -j f2b-j-w-iptables-mp`""",
),
'ip6-check': (
- r"""`ip6tables -w -n -L INPUT | grep -q 'f2b-j-w-iptables-mp[ \t]'`""",
+ r"""`ip6tables -w -C INPUT -p tcp -m multiport --dports http,https -j f2b-j-w-iptables-mp`""",
),
'ip4-ban': (
r"`iptables -w -I f2b-j-w-iptables-mp 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`",
@@ -1572,10 +1572,10 @@ class ServerConfigReaderTests(LogCaptureTestCase):
"`ip6tables -w -X f2b-j-w-iptables-ap`",
),
'ip4-check': (
- r"""`iptables -w -n -L INPUT | grep -q 'f2b-j-w-iptables-ap[ \t]'`""",
+ r"""`iptables -w -C INPUT -p tcp -j f2b-j-w-iptables-ap`""",
),
'ip6-check': (
- r"""`ip6tables -w -n -L INPUT | grep -q 'f2b-j-w-iptables-ap[ \t]'`""",
+ r"""`ip6tables -w -C INPUT -p tcp -j f2b-j-w-iptables-ap`""",
),
'ip4-ban': (
r"`iptables -w -I f2b-j-w-iptables-ap 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`",
@@ -1613,6 +1613,12 @@ class ServerConfigReaderTests(LogCaptureTestCase):
"`ipset flush f2b-j-w-iptables-ipset6`",
"`ipset destroy f2b-j-w-iptables-ipset6`",
),
+ 'ip4-check': (
+ r"""`iptables -w -C INPUT -p tcp -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable`""",
+ ),
+ 'ip6-check': (
+ r"""`ip6tables -w -C INPUT -p tcp -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`""",
+ ),
'ip4-ban': (
r"`ipset add f2b-j-w-iptables-ipset 192.0.2.1 timeout 0 -exist`",
),
@@ -1631,24 +1637,30 @@ class ServerConfigReaderTests(LogCaptureTestCase):
'ip4': (' f2b-j-w-iptables-ipset-ap ',), 'ip6': (' f2b-j-w-iptables-ipset-ap6 ',),
'ip4-start': (
"`ipset create f2b-j-w-iptables-ipset-ap hash:ip timeout 0 `",
- "`iptables -w -I INPUT -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`",
+ "`iptables -w -I INPUT -p tcp -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`",
),
'ip6-start': (
"`ipset create f2b-j-w-iptables-ipset-ap6 hash:ip timeout 0 family inet6`",
- "`ip6tables -w -I INPUT -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`",
+ "`ip6tables -w -I INPUT -p tcp -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`",
),
'flush': (
"`ipset flush f2b-j-w-iptables-ipset-ap`",
"`ipset flush f2b-j-w-iptables-ipset-ap6`",
),
'stop': (
- "`iptables -w -D INPUT -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`",
+ "`iptables -w -D INPUT -p tcp -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`",
"`ipset flush f2b-j-w-iptables-ipset-ap`",
"`ipset destroy f2b-j-w-iptables-ipset-ap`",
- "`ip6tables -w -D INPUT -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`",
+ "`ip6tables -w -D INPUT -p tcp -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`",
"`ipset flush f2b-j-w-iptables-ipset-ap6`",
"`ipset destroy f2b-j-w-iptables-ipset-ap6`",
),
+ 'ip4-check': (
+ r"""`iptables -w -C INPUT -p tcp -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`""",
+ ),
+ 'ip6-check': (
+ r"""`ip6tables -w -C INPUT -p tcp -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`""",
+ ),
'ip4-ban': (
r"`ipset add f2b-j-w-iptables-ipset-ap 192.0.2.1 timeout 0 -exist`",
),
@@ -1662,7 +1674,7 @@ class ServerConfigReaderTests(LogCaptureTestCase):
r"`ipset del f2b-j-w-iptables-ipset-ap6 2001:db8:: -exist`",
),
}),
- # iptables --
+ # iptables (oneport) --
('j-w-iptables', 'iptables[name=%(__name__)s, bantime="10m", port="http", protocol="tcp", chain="<known/chain>"]', {
'ip4': ('`iptables ', 'icmp-port-unreachable'), 'ip6': ('`ip6tables ', 'icmp6-port-unreachable'),
'ip4-start': (
@@ -1688,10 +1700,10 @@ class ServerConfigReaderTests(LogCaptureTestCase):
"`ip6tables -w -X f2b-j-w-iptables`",
),
'ip4-check': (
- r"""`iptables -w -n -L INPUT | grep -q 'f2b-j-w-iptables[ \t]'`""",
+ r"""`iptables -w -C INPUT -p tcp --dport http -j f2b-j-w-iptables`""",
),
'ip6-check': (
- r"""`ip6tables -w -n -L INPUT | grep -q 'f2b-j-w-iptables[ \t]'`""",
+ r"""`ip6tables -w -C INPUT -p tcp --dport http -j f2b-j-w-iptables`""",
),
'ip4-ban': (
r"`iptables -w -I f2b-j-w-iptables 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`",
@@ -1732,10 +1744,10 @@ class ServerConfigReaderTests(LogCaptureTestCase):
"`ip6tables -w -X f2b-j-w-iptables-new`",
),
'ip4-check': (
- r"""`iptables -w -n -L INPUT | grep -q 'f2b-j-w-iptables-new[ \t]'`""",
+ r"""`iptables -w -C INPUT -m state --state NEW -p tcp --dport http -j f2b-j-w-iptables-new`""",
),
'ip6-check': (
- r"""`ip6tables -w -n -L INPUT | grep -q 'f2b-j-w-iptables-new[ \t]'`""",
+ r"""`ip6tables -w -C INPUT -m state --state NEW -p tcp --dport http -j f2b-j-w-iptables-new`""",
),
'ip4-ban': (
r"`iptables -w -I f2b-j-w-iptables-new 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`",
@@ -1766,10 +1778,10 @@ class ServerConfigReaderTests(LogCaptureTestCase):
"`if [ `id -u` -eq 0 ];then ip6tables -w -D INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT --reject-with icmp6-port-unreachable;fi`",
),
'ip4-check': (
- r"`test -e /proc/net/xt_recent/f2b-j-w-iptables-xtre`",
+ r"`{ iptables -w -C INPUT -p tcp --dport ssh -j f2b-j-w-iptables-xtre; } && test -e /proc/net/xt_recent/f2b-j-w-iptables-xtre`",
),
'ip6-check': (
- r"`test -e /proc/net/xt_recent/f2b-j-w-iptables-xtre6`",
+ r"`{ ip6tables -w -C INPUT -p tcp --dport ssh -j f2b-j-w-iptables-xtre; } && test -e /proc/net/xt_recent/f2b-j-w-iptables-xtre6`",
),
'ip4-ban': (
r"`echo +192.0.2.1 > /proc/net/xt_recent/f2b-j-w-iptables-xtre`",