From: ROGERIO DE C. B. <rog...@dc...> - 2011-03-23 21:40:53

Hi,

I want to add IPv6 support in fail2ban. Is there a developer list to discuss this implementation?

--
Rogerio de Carvalho Bastos
http://wiki.dcc.ufba.br/Main/RogerioBastos
From: Yaroslav H. <li...@on...> - 2011-03-23 22:13:22

I guess that would be the list ;)

on a related note:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470417
fail2ban: please support ipv6 addresses (and ipv6tables)

which might provide some relevant info

On Wed, 23 Mar 2011, ROGERIO DE CARVALHO BASTOS wrote:
> Hi,
> I want to add IPv6 support in fail2ban. Is there a developer list to
> discuss this implementation?

--
=------------------------------------------------------------------=
Keep in touch www.onerussian.com
Yaroslav Halchenko www.ohloh.net/accounts/yarikoptic
From: Arturo 'B. B. <bu...@bu...> - 2011-03-24 13:44:46

In general, we might just need actions that can discern between ipv4 and ipv6 addresses and run iptables or ip6tables accordingly. And make <HOST> detect both types of addresses.

On Wed, Mar 23, 2011 at 7:13 PM, Yaroslav Halchenko <li...@on...> wrote:
> I guess that would be the list ;)
>
> on a related note:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470417
> fail2ban: please support ipv6 addresses (and ipv6tables)
>
> which might provide some relevant info
>
> On Wed, 23 Mar 2011, ROGERIO DE CARVALHO BASTOS wrote:
>> Hi,
>> I want to add IPv6 support in fail2ban. Is there a developer list to
>> discuss this implementation?
> --
> =------------------------------------------------------------------=
> Keep in touch www.onerussian.com
> Yaroslav Halchenko www.ohloh.net/accounts/yarikoptic
>
> ------------------------------------------------------------------------------
> Enable your software for Intel(R) Active Management Technology to meet the
> growing manageability and security demands of your customers. Businesses
> are taking advantage of Intel(R) vPro (TM) technology - will your software
> be a part of the solution? Download the Intel(R) Manageability Checker
> today! http://p.sf.net/sfu/intel-dev2devmar
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
From: ROGERIO DE C. B. <rog...@dc...> - 2011-03-24 14:50:44

Hi,

I think there should be different actions for IPv4 and IPv6, at least in the beginning, to maintain compatibility and avoid breaking old configurations.
Besides, I don't know how other packet filters (like ipfw) track IPv4 and IPv6.

The main change should be in the DNSUtils class, which does conversions and verifications.

Quoting Arturo 'Buanzo' Busleiman <bu...@bu...>:
> In general, we might just need actions that can discern between
> ipv4 and ipv6 addresses and run iptables or ip6tables accordingly. And
> make <HOST> detect both types of addresses.

--
Rogerio de Carvalho Bastos
http://wiki.dcc.ufba.br/Main/RogerioBastos
From: Arturo 'B. B. <bu...@bu...> - 2011-03-24 15:52:06

Agreed.

On Thu, Mar 24, 2011 at 11:50 AM, ROGERIO DE CARVALHO BASTOS <rog...@dc...> wrote:
> Hi,
>
> I think there should be different actions for IPv4 and IPv6, at
> least in the beginning, to maintain compatibility and avoid breaking old
> configurations.
> Besides, I don't know how other packet filters (like ipfw) track IPv4
> and IPv6.
>
> The main change should be in the DNSUtils class, which does conversions and
> verifications.
>
> Quoting Arturo 'Buanzo' Busleiman <bu...@bu...>:
>
>> In general, we might just need actions that can discern between
>> ipv4 and ipv6 addresses and run iptables or ip6tables accordingly. And
>> make <HOST> detect both types of addresses.
>
> --
>
> Rogerio de Carvalho Bastos
>
> http://wiki.dcc.ufba.br/Main/RogerioBastos
From: ROGERIO DE C. B. <rog...@dc...> - 2011-03-25 15:03:20
Attachments:
ipv6.patch

Hi,

I tried to implement it using that approach (patch attached), but some problems arose:

- Each filter must exist twice; this can cause a performance problem and is ugly
- It's impossible to track hostnames, because the filters are separated
- If an attacker can use IPv4 and IPv6 and fail2ban blocks by hostname, only the attacker's IPv4 or IPv6 will be blocked

So, I think it would be better if fail2ban tracked IPv4 and IPv6 internally (maybe through some lib) and decided what action to take. Probably we'll need two different actions, for IPv4 and for IPv6, and to store the IP version.

I'm studying the Python libs IPy and netaddr. Suggestions are welcome.

Quoting ROGERIO DE CARVALHO BASTOS <rog...@dc...>:
> I think there should be different actions for IPv4 and IPv6, at
> least in the beginning, to maintain compatibility and avoid breaking old
> configurations.
> Besides, I don't know how other packet filters (like ipfw) track
> IPv4 and IPv6.
>
> Quoting Arturo 'Buanzo' Busleiman <bu...@bu...>:
>
>> In general, we might just need actions that can discern between
>> ipv4 and ipv6 addresses and run iptables or ip6tables accordingly. And
>> make <HOST> detect both types of addresses.

--
Rogerio de Carvalho Bastos
http://wiki.dcc.ufba.br/Main/RogerioBastos
From: ROGERIO DE C. B. <rog...@dc...> - 2011-03-25 15:22:53

About IP manipulation, we don't need extra features beyond identifying whether it is IPv4 or IPv6 and whether it is within a network. So, I found three good libs: IPy [1], netaddr [2] and ipaddr [3]. IMHO we should choose the most efficient one.

[1] http://pypi.python.org/pypi/IPy/0.74
[2] http://pypi.python.org/pypi/netaddr/0.7.5
[3] http://pypi.python.org/pypi/ipaddr/2.1.7

--
Rogerio de Carvalho Bastos
http://wiki.dcc.ufba.br/Main/RogerioBastos
From: ROGERIO DE C. B. <rog...@dc...> - 2011-04-26 02:48:27

Hi guys,

Finally, I finished a better patch to do this. The main changes in fail2ban are:

* IP and network addresses are tracked as netaddr.IPAddress and netaddr.IPNetwork objects, respectively. But hostnames are still strings.
* <HOST> is a regex that matches any IPv4, IPv6 and hostname string, but validation is done by the netaddr library, which uses socket.
* There must be actions for IPv4 (action{start,stop,check,ban,unban}) and for IPv6 (action6{start,stop,check,ban,unban})
* Fail2ban tracks IPv6 only if there are action6 definitions, and this is the only configuration required to do this

In [1], you find the patch and a Debian package of the patched version. The patch was generated from [2].
I'm testing it on some servers and I would like to see your comments.

I think the following features are needed:

* One option to define when action=action6 to avoid duplicated configurations
* DNS resolution in IPv6 too

[1] http://homes.dcc.ufba.br/~rogeriobastos/files/fail2ban/
[2] http://git.onerussian.com/?p=deb/fail2ban.git;a=summary

--
Rogerio de Carvalho Bastos
http://wiki.dcc.ufba.br/Main/RogerioBastos
From: Christopher M. <mor...@gm...> - 2011-04-26 03:18:56

On Mon, Apr 25, 2011 at 10:48 PM, ROGERIO DE CARVALHO BASTOS <rog...@dc...> wrote:
> Hi guys,
>
> Finally, I finished a better patch to do this. The main changes in fail2ban are:
>
> * IP and network addresses are tracked as netaddr.IPAddress and
> netaddr.IPNetwork objects, respectively. But hostnames are still strings.

netaddr or ipaddr ?

> * <HOST> is a regex that matches any IPv4, IPv6 and hostname string, but
> validation is done by the netaddr library, which uses socket.

again: netaddr or ipaddr? (I was going the ipaddr route and had essentially decided to eval each 'word' in a string to see if it would resolve ... lame, but should work?)

> * There must be actions for IPv4 (action{start,stop,check,ban,unban})
> and for IPv6 (action6{start,stop,check,ban,unban})
> * Fail2ban tracks IPv6 only if there are action6 definitions, and this
> is the only configuration required to do this
>
> In [1], you find the patch and a Debian package of the patched
> version. The patch was generated from [2].
> I'm testing it on some servers and I would like to see your comments.
>
> I think the following features are needed:
>
> * One option to define when action=action6 to avoid duplicated configurations
> * DNS resolution in IPv6 too

why not just make the actions agnostic and fork the iptables/ip6tables (or equiv) function based on object.version ?

>>> import ipaddr
>>> i = '4.2.2.2'
>>> o = ipaddr.IPAddress(i)
>>> o.version
4

if obj.version == 4:

or maybe even action[obj.version]?

> [1] http://homes.dcc.ufba.br/~rogeriobastos/files/fail2ban/
> [2] http://git.onerussian.com/?p=deb/fail2ban.git;a=summary

pretty cool though.

-chris

> Rogerio de Carvalho Bastos
>
> http://wiki.dcc.ufba.br/Main/RogerioBastos
From: Christopher M. <mor...@gm...> - 2011-04-26 03:23:57

On Mon, Apr 25, 2011 at 11:18 PM, Christopher Morrow <mor...@gm...> wrote:
> On Mon, Apr 25, 2011 at 10:48 PM, ROGERIO DE CARVALHO BASTOS
> <rog...@dc...> wrote:
>> Hi guys,
>>
>> Finally, I finished a better patch to do this. The main changes in fail2ban are:
>>
>> * IP and network addresses are tracked as netaddr.IPAddress and
>> netaddr.IPNetwork objects, respectively. But hostnames are still strings.
>
> netaddr or ipaddr ?

answering my own question... netaddr ... I'd gotten used to using ipaddr (work stuff).

>> * <HOST> is a regex that matches any IPv4, IPv6 and hostname string, but
>> validation is done by the netaddr library, which uses socket.
>
> again: netaddr or ipaddr? (I was going the ipaddr route and had
> essentially decided to eval each 'word' in a string to see if it would
> resolve ... lame, but should work?)
>
>> * There must be actions for IPv4 (action{start,stop,check,ban,unban})
>> and for IPv6 (action6{start,stop,check,ban,unban})
>> * Fail2ban tracks IPv6 only if there are action6 definitions, and this
>> is the only configuration required to do this
>>
>> In [1], you find the patch and a Debian package of the patched
>> version. The patch was generated from [2].
>> I'm testing it on some servers and I would like to see your comments.
>>
>> I think the following features are needed:
>>
>> * One option to define when action=action6 to avoid duplicated configurations
>> * DNS resolution in IPv6 too
>
> why not just make the actions agnostic and fork the iptables/ip6tables
> (or equiv) function based on object.version ?
>
>>>> import ipaddr
>>>> i = '4.2.2.2'
>>>> o = ipaddr.IPAddress(i)
>>>> o.version
> 4
>
> if obj.version == 4:
>
> or maybe even action[obj.version]?
>
>> [1] http://homes.dcc.ufba.br/~rogeriobastos/files/fail2ban/
>> [2] http://git.onerussian.com/?p=deb/fail2ban.git;a=summary
>
> pretty cool though.
>
> -chris
>
>> Rogerio de Carvalho Bastos
>>
>> http://wiki.dcc.ufba.br/Main/RogerioBastos
From: ROGERIO DE C. B. <rog...@dc...> - 2011-04-26 12:52:49

Quoting Christopher Morrow <mor...@gm...>:
> On Mon, Apr 25, 2011 at 10:48 PM, ROGERIO DE CARVALHO BASTOS
> <rog...@dc...> wrote:
>> Hi guys,
>>
>> Finally, I finished a better patch to do this. The main changes in
>> fail2ban are:
>>
>> * IP and network addresses are tracked as netaddr.IPAddress and
>> netaddr.IPNetwork objects, respectively. But hostnames are still strings.
>
> netaddr or ipaddr ?

I made tests with IPy, netaddr and ipaddr. The features of all are equivalent, but ipaddr was the slowest.

>> * <HOST> is a regex that matches any IPv4, IPv6 and hostname string, but
>> validation is done by the netaddr library, which uses socket.
>
> again: netaddr or ipaddr? (I was going the ipaddr route and had
> essentially decided to eval each 'word' in a string to see if it would
> resolve ... lame, but should work?)
>
>> * There must be actions for IPv4 (action{start,stop,check,ban,unban})
>> and for IPv6 (action6{start,stop,check,ban,unban})
>> * Fail2ban tracks IPv6 only if there are action6 definitions, and this
>> is the only configuration required to do this
>>
>> In [1], you find the patch and a Debian package of the patched
>> version. The patch was generated from [2].
>> I'm testing it on some servers and I would like to see your comments.
>>
>> I think the following features are needed:
>>
>> * One option to define when action=action6 to avoid duplicated
>> configurations
>> * DNS resolution in IPv6 too
>
> why not just make the actions agnostic and fork the iptables/ip6tables
> (or equiv) function based on object.version ?
>
>>>> import ipaddr
>>>> i = '4.2.2.2'
>>>> o = ipaddr.IPAddress(i)
>>>> o.version
> 4
>
> if obj.version == 4:
>
> or maybe even action[obj.version]?

I'm doing this!

    def execActionBan(self, aInfo):
        # aInfo["ip"] is a netaddr.IPAddress; its version picks the action
        if aInfo["ip"].version == 4:
            return self.__processCmd(self.__actionBan, aInfo)
        else:
            return self.__processCmd(self.__action6Ban, aInfo)

>> [1] http://homes.dcc.ufba.br/~rogeriobastos/files/fail2ban/
>> [2] http://git.onerussian.com/?p=deb/fail2ban.git;a=summary
>
> pretty cool though.
>
> -chris

--
Rogerio de Carvalho Bastos
http://wiki.dcc.ufba.br/Main/RogerioBastos
From: Christopher M. <mor...@gm...> - 2011-04-26 16:42:58

On Tue, Apr 26, 2011 at 8:52 AM, ROGERIO DE CARVALHO BASTOS <rog...@dc...> wrote:
> Quoting Christopher Morrow <mor...@gm...>:
>
>> On Mon, Apr 25, 2011 at 10:48 PM, ROGERIO DE CARVALHO BASTOS
>> <rog...@dc...> wrote:
>>>
>>> Hi guys,
>>>
>>> Finally, I finished a better patch to do this. The main changes in fail2ban
>>> are:
>>>
>>> * IP and network addresses are tracked as netaddr.IPAddress and
>>> netaddr.IPNetwork objects, respectively. But hostnames are still strings.
>>
>> netaddr or ipaddr ?
>
> I made tests with IPy, netaddr and ipaddr. The features of all are
> equivalent, but ipaddr was the slowest.

ah! interesting... I wonder if pete/tony would be interested in seeing why/fixing ipaddr? (not important here I suppose, I also wonder how important speed is to this endeavour, within reason of course.)

>>> * <HOST> is a regex that matches any IPv4, IPv6 and hostname string, but
>>> validation is done by the netaddr library, which uses socket.
>>
>> again: netaddr or ipaddr? (I was going the ipaddr route and had
>> essentially decided to eval each 'word' in a string to see if it would
>> resolve ... lame, but should work?)
>>
>>> * There must be actions for IPv4 (action{start,stop,check,ban,unban})
>>> and for IPv6 (action6{start,stop,check,ban,unban})
>>> * Fail2ban tracks IPv6 only if there are action6 definitions, and this
>>> is the only configuration required to do this
>>>
>>> In [1], you find the patch and a Debian package of the patched
>>> version. The patch was generated from [2].
>>> I'm testing it on some servers and I would like to see your comments.
>>>
>>> I think the following features are needed:
>>>
>>> * One option to define when action=action6 to avoid duplicated
>>> configurations
>>> * DNS resolution in IPv6 too
>>
>> why not just make the actions agnostic and fork the iptables/ip6tables
>> (or equiv) function based on object.version ?
>>
>>>>> import ipaddr
>>>>> i = '4.2.2.2'
>>>>> o = ipaddr.IPAddress(i)
>>>>> o.version
>>
>> 4
>>
>> if obj.version == 4:
>>
>> or maybe even action[obj.version]?
>
> I'm doing this!
>
>     def execActionBan(self, aInfo):
>         if aInfo["ip"].version == 4:
>             return self.__processCmd(self.__actionBan, aInfo)
>         else:
>             return self.__processCmd(self.__action6Ban, aInfo)
>

sweet! I'd not gotten very far through the changes you propose. I suppose I'll start wrangling the code into an existing server and see what shakes out.

-chris

>>> [1] http://homes.dcc.ufba.br/~rogeriobastos/files/fail2ban/
>>> [2] http://git.onerussian.com/?p=deb/fail2ban.git;a=summary
>>
>> pretty cool though.
>>
>> -chris
>
> --
>
> Rogerio de Carvalho Bastos
>
> http://wiki.dcc.ufba.br/Main/RogerioBastos
From: Arturo 'B. B. <bu...@bu...> - 2011-04-26 17:25:13

> On Tue, Apr 26, 2011 at 8:52 AM, ROGERIO DE CARVALHO BASTOS
> I'm doing this!
>
>     def execActionBan(self, aInfo):
>         if aInfo["ip"].version == 4:
>             return self.__processCmd(self.__actionBan, aInfo)
>         else:
>             return self.__processCmd(self.__action6Ban, aInfo)
>

Can you add an "if" for version == 6, and leave the else: for something else, like an error?

--
⁂ Arturo "Buanzo" Busleiman ⁂
Independent Linux and Security Consultant - OWASP - SANS - OISSG .
http://www.buanzo.com.ar/pro/eng.html ..:
http://www.cervezacicuta.com.ar - "LA" Cerveza Artesanal de Villa Bosch
From: Christopher M. <mor...@gm...> - 2011-04-26 17:45:08

On Tue, Apr 26, 2011 at 12:55 PM, Arturo 'Buanzo' Busleiman <bu...@bu...> wrote:
>> On Tue, Apr 26, 2011 at 8:52 AM, ROGERIO DE CARVALHO BASTOS
>> I'm doing this!
>>
>>     def execActionBan(self, aInfo):
>>         if aInfo["ip"].version == 4:
>>             return self.__processCmd(self.__actionBan, aInfo)
>>         else:
>>             return self.__processCmd(self.__action6Ban, aInfo)
>>
>
> Can you add an "if" for version == 6, and leave the else: for something else, like an error?

as a curiosity, if you can't get the aInfo["ip"] there without making it into a netaddr object... what other version will it have? (should the protections be upstream not here, I mean)

-chris

> --
> ⁂ Arturo "Buanzo" Busleiman ⁂
> Independent Linux and Security Consultant - OWASP - SANS - OISSG .
> http://www.buanzo.com.ar/pro/eng.html ..:
> http://www.cervezacicuta.com.ar - "LA" Cerveza Artesanal de Villa Bosch
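The design settled in the messages above (a permissive <HOST> capture whose family is decided by an address library, a per-family ban command chosen by the address version, and an explicit check for both families with an error for anything else, as Arturo asked) as a stand-alone sketch. This is an added example, not fail2ban's code and not Rogerio's patch: it uses the standard library's ipaddress module where the thread discusses netaddr, IPy and ipaddr, and the failregex, the two ban templates, the function names (classify_host, render_ban, ban_commands) and the log lines are constructed for the example.

```python
"""Classify a <HOST> capture and dispatch to the IPv4 or IPv6 ban action.

Added example; not fail2ban's code and not Rogerio's patch. It uses the
standard library's ipaddress module where the thread discusses netaddr,
IPy and ipaddr; the regex, templates and log lines are constructed here.
"""
import ipaddress
import re

# A <HOST> pattern that accepts anything address- or hostname-shaped; the
# decision between IPv4, IPv6 and hostname is left to ipaddress, as the
# patch leaves it to netaddr. Constructed failregex, not from filter.d.
HOST_RE = r"(?P<host>[\w.:-]+)"
FAILREGEX = re.compile(r"Failed password for .* from " + HOST_RE + r" port \d+")

# Ban command templates keyed by IP version (Chris's action[obj.version]).
BAN_TEMPLATES = {
    4: "iptables -I fail2ban-<name> 1 -s <ip> -j DROP",
    6: "ip6tables -I fail2ban-<name> 1 -s <ip> -j DROP",
}


def classify_host(token):
    """Return (4, IPv4Address), (6, IPv6Address) or (0, hostname string)."""
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return 0, token  # not a literal address: keep the hostname as a string
    return ip.version, ip


def parse_failure(line):
    """Extract and classify the <HOST> token of a failure line, else None."""
    m = FAILREGEX.search(line)
    if m is None:
        return None
    return classify_host(m.group("host"))


def render_ban(version, ip, name, templates=BAN_TEMPLATES):
    """Pick the template for the address family and fill <ip> and <name>.

    Both families are checked explicitly and anything else is an error,
    as Arturo suggested, rather than letting an unknown version fall into
    the IPv6 branch.
    """
    if version == 4:
        template = templates[4]
    elif version == 6:
        template = templates[6]
    else:
        raise ValueError("unsupported address family: %r" % (version,))
    return template.replace("<ip>", str(ip)).replace("<name>", name)


# Constructed sample log lines (documentation addresses only).
SAMPLE_LOG = [
    "sshd[1]: Failed password for root from 203.0.113.7 port 4242 ssh2",
    "sshd[2]: Failed password for invalid user bob from 2001:db8::1 port 51 ssh2",
    "sshd[3]: Failed password for root from bad.example port 22 ssh2",
    "sshd[4]: Accepted publickey for alice from 198.51.100.9 port 22 ssh2",
]


def ban_commands(lines, name="ssh"):
    """Ban commands for every literal-address failure in lines.

    Hostname hits are skipped: they would need resolution (in both
    families, as the thread notes) before a rule can be written.
    """
    cmds = []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        version, value = hit
        if version == 0:
            continue
        cmds.append(render_ban(version, value, name))
    return cmds


if __name__ == "__main__":
    for cmd in ban_commands(SAMPLE_LOG):
        print(cmd)
```

Nothing is executed: render_ban returns the command string, which is the point at which a real action would hand it to the shell. Hostnames come back tagged 0 and are left alone, which is the gap Rogerio's third bullet points at: a name that resolves in both families needs a rule in both.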
From: Yaroslav H. <li...@on...> - 2011-04-26 23:30:43

THANK YOU ROGERIO!

On Mon, 25 Apr 2011, ROGERIO DE CARVALHO BASTOS wrote:
> I think the following features are needed:

> * One option to define when action=action6 to avoid duplicated configurations

well, worst comes to worst, I think python string interpolations in config file could do it, e.g.

action6ban=%(actionban)s

but what about (my 1 cent), avoiding adding custom actions (e.g. action6*) which somewhat sacrifices the current minimalistic generic action* interface, but rather operate on the level of action files, e.g. having

iptables.conf, iptables6.conf

and adding action-file wide configuration parameter "address_spaces", by default now 'ipv4', but could be a list 'ipv4, ipv6' (thus addressing your desired feature, may be default in the future) or just 'ipv6'. Then it would not require much to tune up any action file which could support both ipv4 and ipv6, and would require adding just 1 new option to the action instead of 1 for each original action*.

?

--
=------------------------------------------------------------------=
Keep in touch www.onerussian.com
Yaroslav Halchenko www.ohloh.net/accounts/yarikoptic
From: Christopher M. <mor...@gm...> - 2011-04-27 00:25:40

On Tue, Apr 26, 2011 at 7:30 PM, Yaroslav Halchenko <li...@on...> wrote:
> THANK YOU ROGERIO!
>
> On Mon, 25 Apr 2011, ROGERIO DE CARVALHO BASTOS wrote:
>> I think the following features are needed:
>
>> * One option to define when action=action6 to avoid duplicated configurations
>
> well, worst comes to worst, I think python string interpolations
> in config file could do it, e.g.
>
> action6ban=%(actionban)s
>
> but what about (my 1 cent), avoiding adding custom actions (e.g.
> action6*) which somewhat sacrifices the current minimalistic
> generic action* interface, but rather operate on the level of action
> files, e.g. having
>
> iptables.conf, iptables6.conf
>
> and adding action-file wide configuration parameter "address_spaces", by
> default now 'ipv4', but could be a list 'ipv4, ipv6' (thus addressing
> your desired feature, may be default in the future) or just 'ipv6'.
> Then it would not require much to tune up any action file which
> could support both ipv4 and ipv6, and would require adding just 1 new
> option to the action instead of 1 for each original action*.

is it unreasonable to just pull the proper family based on the content of the action file? (and obviously implement the right iptables/etc action based on the family) This would mean some actions could spawn dual family actions, of course.
From: Yaroslav H. <li...@on...> - 2011-04-27 01:40:48

On Tue, 26 Apr 2011, Christopher Morrow wrote:
> > and adding action-file wide configuration parameter "address_spaces", by
> > default now 'ipv4', but could be a list 'ipv4, ipv6' (thus addressing
> > your desired feature, may be default in the future) or just 'ipv6'.
> > Then it would not require much to tune up any action file which
> > could support both ipv4 and ipv6, and would require adding just 1 new
> > option to the action instead of 1 for each original action*.

> is it unreasonable to just pull the proper family based on the content
> of the action file? (and obviously implement the right iptables/etc
> action based on the family)

hm, not sure where the misunderstanding is, but your question sounds like what I had in my suggestion ;)

--
=------------------------------------------------------------------=
Keep in touch www.onerussian.com
Yaroslav Halchenko www.ohloh.net/accounts/yarikoptic
From: Christopher M. <mor...@gm...> - 2011-04-27 01:41:03

On Tue, Apr 26, 2011 at 9:26 PM, Yaroslav Halchenko <sf...@on...> wrote:
>
> On Tue, 26 Apr 2011, Christopher Morrow wrote:
>> > and adding action-file wide configuration parameter "address_spaces", by
>> > default now 'ipv4', but could be a list 'ipv4, ipv6' (thus addressing
>> > your desired feature, may be default in the future) or just 'ipv6'.
>> > Then it would not require much to tune up any action file which
>> > could support both ipv4 and ipv6, and would require adding just 1 new
>> > option to the action instead of 1 for each original action*.
>> is it unreasonable to just pull the proper family based on the content
>> of the action file? (and obviously implement the right iptables/etc
>> action based on the family)
>
> hm, not sure where the misunderstanding is, but your question sounds like
> what I had in my suggestion ;)

sorry, I saw something like a 'make two action files' proposal.. I was thinking keep the same file and simply decide if there were 4, 6, both families of address required for each action statement. then replicate the needed iptables/ip6tables output.

maybe it's the train I'm on playing tricks with me. :)
From: Yaroslav H. <li...@on...> - 2011-04-27 01:55:04

On Tue, 26 Apr 2011, Christopher Morrow wrote:
> sorry, I saw something like a 'make two action files' proposal.. I was
> thinking keep the same file and simply decide if there were 4, 6, both
> families of address required for each action statement. then replicate
> the needed iptables/ip6tables output.

> maybe it's the train I'm on playing tricks with me. :)

nah -- probably evening playing tricks on both of us ;) I indeed suggested to have two action files whenever necessary (i.e. different commands for different address spaces).

wouldn't we need any other change than just using ip6tables vs iptables command? in general I foresee possible need to have ipv4 or ipv6 specific cmdline, but what about our simplest generic actions?

in any case -- let me postpone further feedback until morning ;)

--
=------------------------------------------------------------------=
Keep in touch www.onerussian.com
Yaroslav Halchenko www.ohloh.net/accounts/yarikoptic
From: Christopher M. <mor...@gm...> - 2011-04-27 02:10:20

On Tue, Apr 26, 2011 at 9:54 PM, Yaroslav Halchenko <li...@on...> wrote:
>
> On Tue, 26 Apr 2011, Christopher Morrow wrote:
>> sorry, I saw something like a 'make two action files' proposal.. I was
>> thinking keep the same file and simply decide if there were 4, 6, both
>> families of address required for each action statement. then replicate
>> the needed iptables/ip6tables output.
>
>> maybe it's the train I'm on playing tricks with me. :)
>
> nah -- probably evening playing tricks on both of us ;) I indeed
> suggested to have two action files whenever necessary (i.e. different
> commands for different address spaces).
>
> wouldn't we need any other change than just using ip6tables vs
> iptables command? in general I foresee possible need to have ipv4 or
> ipv6 specific cmdline, but what about our simplest generic actions?

looking at the action.d files (for the simple iptables) I would think that: (pseudo-codeish)

    if obj.version == 6:
        # rewrite the command for the IPv6 tool, then run it as usual
        action = re.sub("iptables", "ip6tables", action)
        implement_action(action)
    else:
        implement_action(action)

(toss in a check for version=4 and leave the else: being 'toss error!' if you like)

>
> in any case -- let me postpone further feedback until morning ;)

sounds good... It's awesome to see this moving forward though... progress! :)

-Chris
From: Yaroslav H. <li...@on...> - 2011-04-28 03:02:56

Ok -- here find my config/code mockup (not tested at all, might even be syntactically incorrect or wrong by design ;) ):

https://github.com/yarikoptic/Fail2Ban/commit/61f80408147304505f0695077c2a80dcb8f66ec2
in the branch
https://github.com/yarikoptic/Fail2Ban/tree/_tent/ipv6_via_aInfo

with the only (so far) commit msg:

,---
| NF: Mockup for handling complex additional Init parameters in actions
|
| So we could have substitution tags chosen according to values of other tags,
| e.g. in this case ipv (IP version) tag would be added by fail2ban
| internally
|
| novo# grep -e '^[^#]' /etc/fail2ban/action.d/iptables-multiport.conf
| [Definition]
| actionstart = <actioncmd> -N fail2ban-<name>
|               <actioncmd> -A fail2ban-<name> -j RETURN
|               <actioncmd> -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
| actionstop = <actioncmd> -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
|              <actioncmd> -F fail2ban-<name>
|              <actioncmd> -X fail2ban-<name>
| actioncheck = <actioncmd> -n -L <chain> | grep -q fail2ban-<name>
| actionban = <actioncmd> -I fail2ban-<name> 1 -s <ip> -j DROP
| actionunban = <actioncmd> -D fail2ban-<name> -s <ip> -j DROP
|
| [Init]
| name = default
| port = ssh
| protocol = tcp
| chain = INPUT
| actioncmd/ipv = 4="iptables", 6="ip6tables"
`---

or in words -- why not allow config entries (I chose X/Y string format, where Y would stand for the key to use) to become dictionaries, so then <X> could be used in the actions varying according to the value of Y (in our case ipv). Then nearly complete strings for any action/occasion could be tuned up accordingly

so far code changes seem to be quite minimal and generic (who knows what we would like to have done in the future), and it only lacks actual handling of IPv6 addresses from Rogerio's patch ;-)

Feedback?

On Tue, 26 Apr 2011, Christopher Morrow wrote:
> looking at the action.d files (for the simple iptables) I would think
> that: (pseudo-codeish)

>     if obj.version == 6:
>         action = re.sub("iptables", "ip6tables", action)
>         implement_action(action)
>     else:
>         implement_action(action)

> (toss in a check for version=4 and leave the else: being 'toss error!'
> if you like)

> > in any case -- let me postpone further feedback until morning ;)

> sounds good... It's awesome to see this moving forward though... progress! :)

--
=------------------------------------------------------------------=
Keep in touch www.onerussian.com
Yaroslav Halchenko www.ohloh.net/accounts/yarikoptic
From: ROGERIO DE C. B. <rog...@dc...> - 2011-04-29 01:48:09

Quoting Yaroslav Halchenko <li...@on...>:
> Ok -- here find my config/code mockup (not tested at all, might even be
> syntactically incorrect or wrong by design ;) ):
>
> https://github.com/yarikoptic/Fail2Ban/commit/61f80408147304505f0695077c2a80dcb8f66ec2
> in the branch
> https://github.com/yarikoptic/Fail2Ban/tree/_tent/ipv6_via_aInfo
>
> with the only (so far) commit msg:
>
> ,---
> | NF: Mockup for handling complex additional Init parameters in actions
> |
> | So we could have substitution tags chosen according to values of
> other tags,
> | e.g. in this case ipv (IP version) tag would be added by fail2ban
> | internally
> |
> | novo# grep -e '^[^#]' /etc/fail2ban/action.d/iptables-multiport.conf
> | [Definition]
> | actionstart = <actioncmd> -N fail2ban-<name>
> |               <actioncmd> -A fail2ban-<name> -j RETURN
> |               <actioncmd> -I <chain> -p <protocol> -m multiport
> --dports <port> -j fail2ban-<name>
> | actionstop = <actioncmd> -D <chain> -p <protocol> -m multiport
> --dports <port> -j fail2ban-<name>
> |              <actioncmd> -F fail2ban-<name>
> |              <actioncmd> -X fail2ban-<name>
> | actioncheck = <actioncmd> -n -L <chain> | grep -q fail2ban-<name>
> | actionban = <actioncmd> -I fail2ban-<name> 1 -s <ip> -j DROP
> | actionunban = <actioncmd> -D fail2ban-<name> -s <ip> -j DROP
> |
> | [Init]
> | name = default
> | port = ssh
> | protocol = tcp
> | chain = INPUT
> | actioncmd/ipv = 4="iptables", 6="ip6tables"
> `---
>
> or in words -- why not allow config entries (I chose X/Y string format,
> where Y would stand for the key to use) to become dictionaries, so then <X>
> could be used in the actions varying according to the value of Y
> (in our case
> ipv). Then nearly complete strings for any action/occasion could be
> tuned up accordingly
>
> so far code changes seem to be quite minimal and generic (who knows what we
> would like to have done in the future), and it only lacks actual
> handling of IPv6 addresses from Rogerio's patch ;-)
>
> Feedback?

Great, this is very interesting, but there are some problems:

1. The dict key 'ipv' comes in aInfo, while 'actioncmd/ipv' comes in cInfo, so _replaceTag needs more changes to do what we want
2. What about actionCheck, actionStart and actionStop, which do not know about ipv?

--
Rogerio de Carvalho Bastos
http://wiki.dcc.ufba.br/Main/RogerioBastos
From: Yaroslav H. <li...@on...> - 2011-04-29 02:18:32

great catches Rogerio, indeed I mixed up cInfo with aInfo and the situation is not that easy... but I guess manageable:

probably if cInfo key is a dictionary, replaceTag should duplicate the commands if given dictionary (eg. *info) lacks the key (now it ignores it in my patch) -- that should take care about 2 when cInfo is given to replaceTags for those commands...

and if

        # Replace tags
        if not aInfo == None:
            realCmd = Action.replaceTag(cmd, aInfo)
        else:
            realCmd = cmd

        # Replace static fields
        realCmd = Action.replaceTag(realCmd, self.__cInfo)

gets replaced with smth like

        # Compose ultimate untagging dictionary
        if not aInfo == None:
            allInfo = dict(aInfo.items() + self.__cInfo.items())
        else:
            allInfo = self.__cInfo

        # Replace tags
        realCmd = Action.replaceTag(cmd, allInfo)

then it should take care about 1, since for ban/unban commands 'ipv' would get into allInfo and it would be properly replaced without duplication by replaceTag... correct logic? ;)

On Thu, 28 Apr 2011, ROGERIO DE CARVALHO BASTOS wrote:
> Great, this is very interesting, but there are some problems:
> 1. The dict key 'ipv' comes in aInfo, while 'actioncmd/ipv' comes in
> cInfo, so _replaceTag needs more changes to do what we want
> 2. What about actionCheck, actionStart and actionStop, which do not know
> about ipv?

--
=------------------------------------------------------------------=
Keep in touch www.onerussian.com
Yaroslav Halchenko www.ohloh.net/accounts/yarikoptic
From: Yaroslav H. <li...@on...> - 2011-04-29 02:36:10

actually this one to preserve the priority of aInfo

        # Compose ultimate untagging dictionary with aInfo overriding
        # present in cInfo
        allInfo = self.__cInfo.copy()
        if aInfo:
            allInfo.update(aInfo)

On Thu, 28 Apr 2011, Yaroslav Halchenko wrote:
>         # Compose ultimate untagging dictionary
>         if not aInfo == None:
>             allInfo = dict(aInfo.items() + self.__cInfo.items())
>         else:
>             allInfo = self.__cInfo

--
=------------------------------------------------------------------=
Keep in touch www.onerussian.com
Yaroslav Halchenko www.ohloh.net/accounts/yarikoptic
From: Yaroslav H. <li...@on...> - 2011-04-29 03:12:48

ok -- now it seems to even run and just lacks IPv6 logic to give it a full try ;)

also, I had to change the definition (since numbers can't be args to function call)

actioncmd/ipv = [(4, "iptables"), (6, "ip6tables")]

N.B. I guess it should be more intuitive as really "pure" Python, e.g.

actioncmd[ipv] = {4: "iptables", 6: "ip6tables"}

yes?

thinking about it -- kinda cool, because now it should (didn't try) be possible to restrict start/stop commands to specific namespace by providing them in jail definitions (so they should then go into __cInfo), because otherwise now it would work in both namespaces by default.

So I pushed again to the same branch
https://github.com/yarikoptic/Fail2Ban/tree/_tent/ipv6_via_aInfo

On Thu, 28 Apr 2011, Yaroslav Halchenko wrote:
> actually this one to preserve the priority of aInfo

>         # Compose ultimate untagging dictionary with aInfo overriding
>         # present in cInfo
>         allInfo = self.__cInfo.copy()
>         if aInfo:
>             allInfo.update(aInfo)

> On Thu, 28 Apr 2011, Yaroslav Halchenko wrote:
> >         # Compose ultimate untagging dictionary
> >         if not aInfo == None:
> >             allInfo = dict(aInfo.items() + self.__cInfo.items())
> >         else:
> >             allInfo = self.__cInfo

--
=------------------------------------------------------------------=
Keep in touch www.onerussian.com
Yaroslav Halchenko www.ohloh.net/accounts/yarikoptic
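The tag scheme worked out across Yaroslav's last four messages (a config entry whose value is chosen by the value of another tag, the ipv tag being present only for ban/unban, duplication of the command per address family when the selector is absent, and the cInfo/aInfo merge with aInfo taking priority), as one small stand-alone implementation. This is an added example, not the code in Yaroslav's branch and not fail2ban's replaceTag: the function names (merge_info, expand_tags, render_commands) and the (selector, table) tuple used to encode `actioncmd[ipv] = {4: "iptables", 6: "ip6tables"}` are my own; the templates and [Init] values are copied from the commit message quoted in the thread, and the per-ban values are constructed.

```python
"""Per-tag dictionaries in action templates, as sketched in the thread.

Added example, not fail2ban's code and not the code in Yaroslav's branch.
A config entry written as actioncmd[ipv] = {4: "iptables", 6: "ip6tables"}
is encoded here as a (selector, table) tuple. The selector 'ipv' is only
present in aInfo (per-ban info), so actionstart/stop/check, which see only
cInfo, get one copy of each command per address family.
"""
import re

# Templates copied from the iptables-multiport.conf mockup in the thread.
ACTIONSTART = """<actioncmd> -N fail2ban-<name>
<actioncmd> -A fail2ban-<name> -j RETURN
<actioncmd> -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>"""
ACTIONBAN = "<actioncmd> -I fail2ban-<name> 1 -s <ip> -j DROP"

# [Init] values from the mockup; the (selector, table) tuple is my encoding
# of "actioncmd[ipv] = {4: 'iptables', 6: 'ip6tables'}".
CINFO = {
    "name": "default",
    "port": "ssh",
    "protocol": "tcp",
    "chain": "INPUT",
    "actioncmd": ("ipv", {4: "iptables", 6: "ip6tables"}),
}

TAG_RE = re.compile(r"<([^<>]+)>")


def merge_info(cinfo, ainfo=None):
    """Static tags plus per-ban tags, with aInfo overriding cInfo."""
    allinfo = dict(cinfo)
    if ainfo:
        allinfo.update(ainfo)
    return allinfo


def expand_tags(cmd, info):
    """Expand all tags of one command line.

    Returns a list: one command normally, or one per table entry when a
    selector-driven tag is used but its selector is absent from info.
    """
    variants = [cmd]
    for tag in set(TAG_RE.findall(cmd)):
        if tag not in info:
            continue  # unknown tag stays literal, as fail2ban leaves it
        value = info[tag]
        if isinstance(value, tuple):
            selector, table = value
            if selector in info:
                key = info[selector]
                if key not in table:
                    raise ValueError("no %s defined for %s=%r" % (tag, selector, key))
                choices = [table[key]]
            else:
                choices = [table[k] for k in sorted(table)]  # duplicate per family
        else:
            choices = [str(value)]
        variants = [v.replace("<%s>" % tag, c) for v in variants for c in choices]
    return variants


def render_commands(action, cinfo, ainfo=None):
    """Turn a (possibly multi-line) action template into concrete commands."""
    info = merge_info(cinfo, ainfo)
    commands = []
    for line in action.splitlines():
        commands.extend(expand_tags(line, info))
    return commands


if __name__ == "__main__":
    # actionstart carries no ipv: both families are set up.
    for c in render_commands(ACTIONSTART, CINFO):
        print(c)
    # actionban takes ipv from the per-ban info (constructed IPv6 sample).
    for c in render_commands(ACTIONBAN, CINFO, {"ip": "2001:db8::1", "ipv": 6}):
        print(c)
```

Because the selector value comes from the merged dictionary, a jail that wants start/stop confined to one family can, as Yaroslav notes, put ipv into its own static info and the duplication disappears; a version with no entry in the table raises rather than silently running the wrong tool.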