automatic version update by autodist [release 1.1.0-1mamba;Tue Apr 30 2024]

2024-04-30 09:54:58 +02:00 · 2024-04-30 09:54:58 +02:00 · 22045133fe
commit 22045133fe
parent 219ad0a7b1
4 changed files with 5 additions and 149 deletions
--- a/fail2ban-0.11.2-ufw-0.36-ipv6-2.patch
+++ b/fail2ban-0.11.2-ufw-0.36-ipv6-2.patch
@ -1,37 +0,0 @@
 From 5debaa4cac2723fa863ede9ed32c19cc82c71786 Mon Sep 17 00:00:00 2001
 From: "Sergey G. Brester" <serg.brester@sebres.de>
 Date: Thu, 6 May 2021 20:23:58 +0200
 Subject: [PATCH] option "add", can be set to "insert <num>" instead of prepend
 (customization or backwards compat)
 ---
 config/action.d/ufw.conf | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
 diff --git a/config/action.d/ufw.conf b/config/action.d/ufw.conf
 index b47fa7e77..bf06fe679 100644
 --- a/config/action.d/ufw.conf
 +++ b/config/action.d/ufw.conf
@@ -19,9 +19,9 @@ actioncheck =
 actionban = if [ -n "<application>" ] && ufw app info "<application>"
             then
 -              ufw prepend <blocktype> from <ip> to <destination> app "<application>" comment "<comment>"
 +              ufw <add> <blocktype> from <ip> to <destination> app "<application>" comment "<comment>"
             else
 -              ufw prepend <blocktype> from <ip> to <destination> comment "<comment>"
 +              ufw <add> <blocktype> from <ip> to <destination> comment "<comment>"
             fi
             ss -K dst [<ip>]
@@ -33,6 +33,10 @@ actionunban = if [ -n "<application>" ] && ufw app info "<application>"
               fi
 [Init]
 +# Option: add
 +# Notes.: can be set to "insert 1" to insert a rule at certain position (here 1):
 +add = prepend
 +
 # Option: blocktype
 # Notes.: reject or deny
 blocktype = reject
--- a/fail2ban-0.11.2-ufw-0.36-ipv6.patch
+++ b/fail2ban-0.11.2-ufw-0.36-ipv6.patch
@ -1,58 +0,0 @@
 From e4e7a83cffb4fb5cbb35c204795fba45c8f40c61 Mon Sep 17 00:00:00 2001
 From: usernamepi <53445688+usernamepi@users.noreply.github.com>
 Date: Thu, 6 May 2021 13:44:36 +0200
 Subject: [PATCH] Update ufw.conf
 Prerequisites:
 * The ss command is available, kernel is compiled with option CONFIG_INET_DIAG_DESTROY.
 * Ufw version is => 0.36 (released in 2018)
 * Now using "prepend" instead of "insert" to be able to handle IPv6 addresses correctly. The current action will fail for IPv6 addresses.
 * Now application names containing a space should handled correctly, solves https://github.com/fail2ban/fail2ban/pull/1532
 * Now closing IPv4 and IPv6 connections (if any) from the ip that is being banned. The current action will leave them open.
   Using ss to accomplish this. For this to work the kernel needs to be compiled with the CONFIG_INET_DIAG_DESTROY option.
   My system apparently is compiled that way.
 ---
 config/action.d/ufw.conf | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)
 diff --git a/config/action.d/ufw.conf b/config/action.d/ufw.conf
 index d2f731f2e6..b47fa7e772 100644
 --- a/config/action.d/ufw.conf
 +++ b/config/action.d/ufw.conf
@@ -13,17 +13,26 @@ actionstop =
 actioncheck = 
 -actionban = [ -n "<application>" ] && app="app <application>"
 -            ufw insert <insertpos> <blocktype> from <ip> to <destination> $app
 -
 -actionunban = [ -n "<application>" ] && app="app <application>"
 -              ufw delete <blocktype> from <ip> to <destination> $app
 +# ufw does "quickly process packets for which we already have a connection" in before.rules,
 +# therefore all related sockets should be closed
 +# actionban is using `ss` to do so, this only handles IPv4 and IPv6.
 +
 +actionban = if [ -n "<application>" ] && ufw app info "<application>"
 +            then
 +              ufw prepend <blocktype> from <ip> to <destination> app "<application>" comment "<comment>"
 +            else
 +              ufw prepend <blocktype> from <ip> to <destination> comment "<comment>"
 +            fi
 +            ss -K dst [<ip>]
 +
 +actionunban = if [ -n "<application>" ] && ufw app info "<application>"
 +              then
 +                ufw delete <blocktype> from <ip> to <destination> app "<application>"
 +              else
 +                ufw delete <blocktype> from <ip> to <destination>
 +              fi
 [Init]
 -# Option: insertpos
 -# Notes.:  The position number in the firewall list to insert the block rule
 -insertpos = 1
 -
 # Option: blocktype
 # Notes.: reject or deny
 blocktype = reject
--- a/fail2ban-0.11.2-ufw-add-kill-options.patch
+++ b/fail2ban-0.11.2-ufw-add-kill-options.patch
@ -1,45 +0,0 @@
 From 8f6a8df3a45395620e434fd15b4ede694a1d00aa Mon Sep 17 00:00:00 2001
 From: "Sergey G. Brester" <serg.brester@sebres.de>
 Date: Thu, 6 May 2021 21:47:06 +0200
 Subject: [PATCH] added new options `kill-mode` and `kill`, which makes the
 drop of all connections optional
 ---
 config/action.d/ufw.conf | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
 diff --git a/config/action.d/ufw.conf b/config/action.d/ufw.conf
 index bf06fe679..cf8c22bec 100644
 --- a/config/action.d/ufw.conf
 +++ b/config/action.d/ufw.conf
@@ -23,7 +23,7 @@ actionban = if [ -n "<application>" ] && ufw app info "<application>"
             else
               ufw <add> <blocktype> from <ip> to <destination> comment "<comment>"
             fi
 -            ss -K dst [<ip>]
 +            <kill>
 actionunban = if [ -n "<application>" ] && ufw app info "<application>"
               then
@@ -32,6 +32,21 @@ actionunban = if [ -n "<application>" ] && ufw app info "<application>"
                 ufw delete <blocktype> from <ip> to <destination>
               fi
 +# Option: kill-mode
 +# Notes.: can be set to ss (may be extended later with other modes) to immediately drop all connections from banned IP, default empty (no kill)
 +# Example: banaction = ufw[kill-mode=ss]
 +kill-mode =
 +
 +# intern conditional parameter used to provide killing mode after ban:
 +_kill_ =
 +_kill_ss = ss -K dst "[<ip>]"
 +
 +# Option: kill
 +# Notes.: can be used to specify custom killing feature, by default depending on option kill-mode
 +# Examples: banaction = ufw[kill='ss -K "( sport = :http || sport = :https )" dst "[<ip>]"']
 +            banaction = ufw[kill='cutter "<ip>"']
 +kill = <_kill_<kill-mode>>
 +
 [Init]
 # Option: add
 # Notes.: can be set to "insert 1" to insert a rule at certain position (here 1):
--- a/fail2ban.spec
+++ b/fail2ban.spec
@ -1,6 +1,6 @@
 Name:          fail2ban
-Version:       1.0.2
+Version:       1.1.0
-Release:       2mamba
+Release:       1mamba
 Summary:       Daemon to ban hosts that cause multiple authentication errors
 Group:         Applications/Security
 Vendor:        openmamba
@ -9,9 +9,6 @@ Packager:      Silvan Calarco <silvan.calarco@mambasoft.it>
 URL:           https://github.com/fail2ban/fail2ban
 Source:        https://github.com/fail2ban/fail2ban.git/%{version}/fail2ban-%{version}.tar.bz2
 Source1:       fail2ban-paths-openmamba.conf
 Patch0:        fail2ban-0.11.2-ufw-0.36-ipv6.patch
 Patch1:        fail2ban-0.11.2-ufw-0.36-ipv6-2.patch
 Patch2:        fail2ban-0.11.2-ufw-add-kill-options.patch
 License:       GPL
 ## AUTOBUILDREQ-BEGIN
 BuildRequires: libpython311-devel
@ -25,9 +22,6 @@ Daemon to ban hosts that cause multiple authentication errors.
 %prep
 %setup -q
 #%patch0 -p1
 #%patch1 -p1
 #%patch2 -p1
 sed -i "s|/var/run/|/run/|" files/fail2ban.service.in \
   files/fail2ban-tmpfiles.conf fail2ban/server/*.py \
@ -37,7 +31,6 @@ sed -i "s|/var/run/|/run/|" files/fail2ban.service.in \
 sed -i "s|paths-debian.conf|paths-openmamba.conf|" config/jail.conf
 %build
 ./fail2ban-2to3
 CFLAGS="%{optflags}" %{__python3} setup.py build
 %install
@ -119,6 +112,9 @@ rm -f %{buildroot}%{_sysconfdir}/paths-{arch,debian,fedora,freebsd,opensuse,osx}
 %doc COPYING THANKS
 %changelog
 * Tue Apr 30 2024 Automatic Build System <autodist@openmamba.org> 1.1.0-1mamba
 - automatic version update by autodist
 * Mon Oct 09 2023 Silvan Calarco <silvan.calarco@mambasoft.it> 1.0.2-2mamba
 - rebuilt with python3 == 3.11