git: d0fcbc6c271f - main - security/py-fail2ban: Add ipfilter ippool action

Reply: Cy Schubert : "Re: git: d0fcbc6c271f - main - security/py-fail2ban: Add ipfilter ippool action"
Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Cy Schubert <cy_at_FreeBSD.org>
Date: Tue, 04 Oct 2022 15:13:02 UTC
The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d0fcbc6c271fe89343642260f36bb5842177f75d

commit d0fcbc6c271fe89343642260f36bb5842177f75d
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-10-04 14:55:17 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-10-04 15:06:21 +0000

    security/py-fail2ban: Add ipfilter ippool action
    
    Rather than add a block rule for each banned IP, add a blanket block rule
    that references an ipfilter ippool named fail2ban. Maintain the IPs in
    the ippool reducing the need to search a large list of rules. An ipfilter
    tree pool is used.
---
 security/py-fail2ban/Makefile                      |  2 +-
 .../files/patch-config_action.d_ippool.conf        | 58 ++++++++++++++++++++++
 2 files changed, 59 insertions(+), 1 deletion(-)

diff --git a/security/py-fail2ban/Makefile b/security/py-fail2ban/Makefile
index f292316824ee..77cada9444c0 100644
--- a/security/py-fail2ban/Makefile
+++ b/security/py-fail2ban/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	fail2ban
 DISTVERSION=	1.0.1
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security python
 PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
 
diff --git a/security/py-fail2ban/files/patch-config_action.d_ippool.conf b/security/py-fail2ban/files/patch-config_action.d_ippool.conf
new file mode 100644
index 000000000000..74857fd6caac
--- /dev/null
+++ b/security/py-fail2ban/files/patch-config_action.d_ippool.conf
@@ -0,0 +1,58 @@
+--- config/action.d/ippool.conf.orig	2022-10-04 07:49:51.467484000 -0700
++++ config/action.d/ippool.conf	2022-10-04 07:49:54.523077000 -0700
+@@ -0,0 +1,55 @@
++# Fail2Ban configuration file
++#
++# FreeBSD ipfilter (ippool command) ban/unban
++#
++# Author: Cy Schubert <cy@FreeBSD.org>
++#
++#
++
++[Definition]
++
++# Option:  actionstart
++# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
++# Values:  CMD
++#
++# enable IPF if not already enabled and initialize fail2ban pool
++actionstart = /sbin/ipf -E
++              /sbin/ippool -A -t tree -m fail2ban
++              echo block in log quick from pool/fail2ban to any | /sbin/ipf -f -
++
++# Option:  actionstop
++# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
++# Values:  CMD
++#
++# don't disable IPF with "/sbin/ipf -D", there may be other filters in use
++actionstop = echo block in log quick from pool/fail2ban to any | /sbin/ipf -r -f -
++             /sbin/ippool -R -t tree -m fail2ban
++
++
++# Option:  actioncheck
++# Notes.:  command executed once before each actionban command
++# Values:  CMD
++#
++actioncheck =
++
++
++# Option:  actionban
++# Notes.:  command executed when banning an IP. Take care that the
++#          command is executed with Fail2Ban user rights.
++# Tags:    See jail.conf(5) man page
++# Values:  CMD
++#
++actionban = ippool -a -t tree -m fail2ban <ip>/32
++
++
++# Option:  actionunban
++# Notes.:  command executed when unbanning an IP. Take care that the
++#          command is executed with Fail2Ban user rights.
++# Tags:    See jail.conf(5) man page
++# Values:  CMD
++#
++# note -r option used to remove matching rule
++# actionunban = ippool -r -t tree -m fail2ban <ip>/32
++
++[Init]
++