From: Cy Schubert
Date: Tue, 4 Oct 2022 15:13:02 GMT
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: d0fcbc6c271f - main - security/py-fail2ban: Add ipfilter ippool action
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main

The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d0fcbc6c271fe89343642260f36bb5842177f75d

commit d0fcbc6c271fe89343642260f36bb5842177f75d Author: Cy Schubert AuthorDate: 2022-10-04 14:55:17 +0000 Commit: Cy Schubert CommitDate: 2022-10-04 15:06:21 +0000 security/py-fail2ban: Add ipfilter ippool action Rather than add a block rule for each banned IP, add a blanket block rule that references an ipfilter ippool named fail2ban. Maintain the IPs in the ippool reducing the need to search a large list of rules. An ipfilter tree pool is used. --- security/py-fail2ban/Makefile | 2 +- .../files/patch-config_action.d_ippool.conf | 58 ++++++++++++++++++++++ 2 files changed, 59 insertions(+), 1 deletion(-) diff --git a/security/py-fail2ban/Makefile b/security/py-fail2ban/Makefile index f292316824ee..77cada9444c0 100644 --- a/security/py-fail2ban/Makefile +++ b/security/py-fail2ban/Makefile @@ -1,6 +1,6 @@ PORTNAME= fail2ban DISTVERSION= 1.0.1 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security python PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} diff --git a/security/py-fail2ban/files/patch-config_action.d_ippool.conf b/security/py-fail2ban/files/patch-config_action.d_ippool.conf new file mode 100644 index 000000000000..74857fd6caac --- /dev/null +++ b/security/py-fail2ban/files/patch-config_action.d_ippool.conf 
@@ -0,0 +1,58 @@ +--- config/action.d/ippool.conf.orig 2022-10-04 07:49:51.467484000 -0700 ++++ config/action.d/ippool.conf 2022-10-04 07:49:54.523077000 -0700 +@@ -0,0 +1,55 @@ ++# Fail2Ban configuration file ++# ++# FreeBSD ipfilter (ippool command) ban/unban ++# ++# Author: Cy Schubert ++# ++# ++ ++[Definition] ++ ++# Option: actionstart ++# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). ++# Values: CMD ++# ++# enable IPF if not already enabled and initialize fail2ban pool ++actionstart = /sbin/ipf -E ++ /sbin/ippool -A -t tree -m fail2ban ++ echo block in log quick from pool/fail2ban to any | /sbin/ipf -f - ++ ++# Option: actionstop ++# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) ++# Values: CMD ++# ++# don't disable IPF with "/sbin/ipf -D", there may be other filters in use ++actionstop = echo block in log quick from pool/fail2ban to any | /sbin/ipf -r -f - ++ /sbin/ippool -R -t tree -m fail2ban ++ ++ ++# Option: actioncheck ++# Notes.: command executed once before each actionban command ++# Values: CMD ++# ++actioncheck = ++ ++ ++# Option: actionban ++# Notes.: command executed when banning an IP. Take care that the ++# command is executed with Fail2Ban user rights. ++# Tags: See jail.conf(5) man page ++# Values: CMD ++# ++actionban = ippool -a -t tree -m fail2ban /32 ++ ++ ++# Option: actionunban ++# Notes.: command executed when unbanning an IP. Take care that the ++# command is executed with Fail2Ban user rights. ++# Tags: See jail.conf(5) man page ++# Values: CMD ++# ++# note -r option used to remove matching rule ++# actionunban = ippool -r -t tree -m fail2ban /32 ++ ++[Init] ++
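
Review bot: the actionunban line at the end of the new config/action.d/ippool.conf is commented out (`# actionunban = ippool -r -t tree -m fail2ban /32`), so the action defines no unban command and nothing removes an address from the fail2ban pool when its ban expires; entries only go away when actionstop removes the whole pool. Uncomment that line so unbans take effect. In the same file, actionban and the commented actionunban call bare `ippool` while actionstart and actionstop use `/sbin/ippool`; using the absolute path throughout keeps the action independent of the daemon's PATH. Both commands as shown here also carry only `/32` with no address tag in front of it, and a fixed /32 is a host mask for IPv4 only, so confirm that the `<ip>` tag is present in the installed file and that IPv6 bans get an appropriate prefix length.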