authorsebres <serg.brester@sebres.de>2022-03-03 15:04:34 +0100
committersebres <serg.brester@sebres.de>2022-03-03 15:04:34 +0100
commite2d50f38a6ef2511fee6b49f42b98f6d867625b2 (patch)
treea2331f82ba1e51fe155737a94303ac03d4a6785c /fail2ban
parent7eac4ac06fb03b8fce9b5d8bd368493482a1efe7 (diff)
downloadfail2ban-e2d50f38a6ef2511fee6b49f42b98f6d867625b2.tar.gz
amend to #2279: ensure that `<F-MLFGAINED>` match would reset all pending multi-line failures
Diffstat (limited to 'fail2ban')
-rw-r--r--fail2ban/server/filter.py2
-rw-r--r--fail2ban/tests/fail2banregextestcase.py21
2 files changed, 23 insertions, 0 deletions
diff --git a/fail2ban/server/filter.py b/fail2ban/server/filter.py
index f8417d2d..041773ab 100644
--- a/fail2ban/server/filter.py
+++ b/fail2ban/server/filter.py
@@ -793,6 +793,8 @@ class Filter(JailThread):
# be sure we've correct current state ('nofail' and 'mlfgained' only from last failure)
if mlfidGroups.pop('nofail', None): nfflgs |= 4
if mlfidGroups.pop('mlfgained', None): nfflgs |= 4
+ # gained resets all pending failures (retaining users to check it later)
+ if nfflgs & 8: mlfidGroups.pop('mlfpending', None)
# if we had no pending failures then clear the matches (they are already provided):
if (nfflgs & 4) == 0 and not mlfidGroups.get('mlfpending', 0):
mlfidGroups.pop("matches", None)
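Review bot: The added check `if nfflgs & 8:` relies on a flag bit that is never set inside this hunk (only `nfflgs |= 4` is visible), so a reader cannot tell from here that 8 stands for "the current line matched `<F-MLFGAINED>`"; presumably it is set earlier in the enclosing method, which starts outside the hunk. I would extend the new comment to name the bit and the consequence, e.g. `# nfflgs & 8: current match is mlfgained - drop 'mlfpending' of this mlfid so a later forget/finish no longer yields a failure`. Because this pop discards pending failures on the strength of a single matched log line, the filter documentation should also state that a `<F-MLFGAINED>` expression needs to be anchored and the MLFID unique per session, so that unrelated or externally influenced log content cannot clear pending failures of another connection.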
diff --git a/fail2ban/tests/fail2banregextestcase.py b/fail2ban/tests/fail2banregextestcase.py
index 1c55e227..00808ddd 100644
--- a/fail2ban/tests/fail2banregextestcase.py
+++ b/fail2ban/tests/fail2banregextestcase.py
@@ -440,6 +440,27 @@ class Fail2banRegexTest(LogCaptureTestCase):
'192.0.2.1, git, '+lines[-1],
all=True)
+ def testOutputNoPendingFailuresAfterGained(self):
+ unittest.F2B.SkipIfCfgMissing(stock=True)
+ # connect finished without authorization must generate a failure, because
+ # connect started will produce pending failure which gets reset by gained
+ # connect authorized.
+ self.assertTrue(_test_exec('-o', 'failure from == <ip> ==',
+ '-c', CONFIG_DIR, '-d', '{NONE}',
+ 'svc[1] connect started 192.0.2.3\n'
+ 'svc[1] connect finished 192.0.2.3\n'
+ 'svc[2] connect started 192.0.2.4\n'
+ 'svc[2] connect authorized 192.0.2.4\n'
+ 'svc[2] connect finished 192.0.2.4\n',
+ 'common[prefregex="^svc\[<F-MLFID>\d+</F-MLFID>\] connect <F-CONTENT>.+</F-CONTENT>$"'
+ ', failregex="'
+ '^started\n'
+ '^<F-NOFAIL><F-MLFFORGET>finished</F-MLFFORGET></F-NOFAIL> <ADDR>\n'
+ '^<F-MLFGAINED>authorized</F-MLFGAINED> <ADDR>'
+ '", maxlines=1]'
+ ))
+ self.assertLogged('failure from == 192.0.2.3 ==')
+ self.assertNotLogged('failure from == 192.0.2.4 ==')
def testWrongFilterFile(self):
# use test log as filter file to cover eror cases...
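Review bot: The test input finishes `svc[1]` completely before `svc[2]` starts, so it would still pass if a gained match cleared the pending failures of every cached MLFID rather than only its own. Interleaving the two sessions would pin the per-connection scope of the reset: move `'svc[1] connect finished 192.0.2.3\n'` below `'svc[2] connect authorized 192.0.2.4\n'`; both assertions should then hold unchanged. The `prefregex` literal also carries `\[` and `\d` in a non-raw string, and an `r'...'` prefix on that line would keep the same value while avoiding invalid-escape warnings on newer Python versions. The enclosing test class continues outside the hunk.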