Diffstat (limited to 'config/action.d/firewallcmd-ipset.conf')
-rw-r--r--config/action.d/firewallcmd-ipset.conf63
1 files changed, 52 insertions, 11 deletions
diff --git a/config/action.d/firewallcmd-ipset.conf b/config/action.d/firewallcmd-ipset.conf
index a1065224..c36ba694 100644
--- a/config/action.d/firewallcmd-ipset.conf
+++ b/config/action.d/firewallcmd-ipset.conf
@@ -18,20 +18,45 @@ before = firewallcmd-common.conf
[Definition]
-actionstart = ipset create <ipmset> hash:ip timeout <default-timeout><familyopt>
+actionstart = <ipstype_<ipsettype>/actionstart>
firewall-cmd --direct --add-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
-actionflush = ipset flush <ipmset>
+actionflush = <ipstype_<ipsettype>/actionflush>
actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
<actionflush>
- ipset destroy <ipmset>
+ <ipstype_<ipsettype>/actionstop>
+
+actionban = <ipstype_<ipsettype>/actionban>
+
+# actionprolong = %(actionban)s
+
+actionunban = <ipstype_<ipsettype>/actionunban>
+
+[ipstype_ipset]
+
+actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
+
+actionflush = ipset flush <ipmset>
-actionban = ipset add <ipmset> <ip> timeout <bantime> -exist
+actionstop = ipset destroy <ipmset>
-actionprolong = %(actionban)s
+actionban = ipset -exist add <ipmset> <ip> timeout <ipsettime>
-actionunban = ipset del <ipmset> <ip> -exist
+actionunban = ipset -exist del <ipmset> <ip>
+
+[ipstype_firewalld]
+
+actionstart = firewall-cmd --direct --new-ipset=<ipmset> --type=hash:ip --option=timeout=<default-ipsettime> <firewalld_familyopt>
+
+# TODO: there doesn't seem to be an explicit way to invoke the ipset flush function using firewall-cmd
+actionflush =
+
+actionstop = firewall-cmd --direct --delete-ipset=<ipmset>
+
+actionban = firewall-cmd --ipset=<ipmset> --add-entry=<ip>
+
+actionunban = firewall-cmd --ipset=<ipmset> --remove-entry=<ip>
[Init]
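Review bot: The firewalld actionstart in `[ipstype_firewalld]` pairs `--new-ipset` with `--direct`, but firewall-cmd documents ipset creation under its `--permanent` ipset options, not its `--direct` options, so this line looks likely to be rejected when the jail starts — confirm against the firewall-cmd manual and, if so, change it to `actionstart = firewall-cmd --permanent --new-ipset=<ipmset> --type=hash:ip --option=timeout=<default-ipsettime> <firewalld_familyopt>` (a reload may then be required before `--ipset=<ipmset> --add-entry` can see the set). The empty `actionflush =` under the TODO also means that with `ipsettype = firewalld` a stop or restart removes the direct rule and deletes the set but never empties it separately, and `actionstop` executes a blank line between its two commands; a comment such as `# flush is a no-op for firewalld: entries are only cleared by --delete-ipset in actionstop` would make that explicit. The commented-out `# actionprolong = %(actionban)s` in `[Definition]` is left without explanation; either remove it or state why it is disabled.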
@@ -42,11 +67,25 @@ actionunban = ipset del <ipmset> <ip> -exist
#
chain = INPUT_direct
-# Option: default-timeout
+# Option: default-ipsettime
# Notes: specifies default timeout in seconds (handled default ipset timeout only)
-# Values: [ NUM ] Default: 600
+# Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban)
+default-ipsettime = 0
+
+# Option: ipsettime
+# Notes: specifies ticket timeout (handled ipset timeout only)
+# Values: [ NUM ] Default: 0 (managed by fail2ban by unban)
+ipsettime = 0
+
+# expresion to caclulate timeout from bantime, example:
+# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
+timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
-default-timeout = 600
+# Option: ipsettype
+# Notes.: defines type of ipset used for match-set (firewalld or ipset)
+# Values: firewalld or ipset
+# Default: ipset
+ipsettype = ipset
# Option: actiontype
# Notes.: defines additions to the blocking rule
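Review bot: `timeout-bantime` only bounds bantime from above, so a negative bantime (the value fail2ban uses for a permanent ban) passes `-le 2147483` unchanged and is handed to `ipset add … timeout <ipsettime>`, which does not accept a negative timeout; guard the lower bound too, `timeout-bantime = $([ "<bantime>" -gt 0 ] && [ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)`, so such bans fall back to 0 (no ipset timeout, unban managed by fail2ban). With `default-ipsettime = 0` and `ipsettime = 0` the set no longer expires entries on its own, so bans outlive a fail2ban process that exits without unbanning; the `default-ipsettime` comment could say so, e.g. `# Notes: 0 disables the ipset timeout, so entries persist until fail2ban unbans them or the set is flushed`. The header comment above `timeout-bantime` has two typos: `expresion to caclulate` should read `expression to calculate`.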
@@ -67,14 +106,16 @@ multiport = -p <protocol> -m multiport --dports <port>
ipmset = f2b-<name>
familyopt =
+firewalld_familyopt =
[Init?family=inet6]
ipmset = f2b-<name>6
-familyopt = <sp>family inet6
+familyopt = family inet6
+firewalld_familyopt = --option=family=inet6
# DEV NOTES:
#
-# Author: Edgar Hoch and Daniel Black
+# Author: Edgar Hoch, Daniel Black, Sergey Brester and Mihail Politaev
# firewallcmd-new / iptables-ipset-proto6 combined for maximium goodness