From: ROGERIO DE C. B. <rog...@dc...> - 2011-04-29 01:48:09
Quoting Yaroslav Halchenko <li...@on...>:

> Ok -- here find my config/code mockup (not tested at all, might even be
> syntactically incorrect or wrong by design ;) ):
>
> https://github.com/yarikoptic/Fail2Ban/commit/61f80408147304505f0695077c2a80dcb8f66ec2
> in the branch
> https://github.com/yarikoptic/Fail2Ban/tree/_tent/ipv6_via_aInfo
>
> with the only (so far) commit msg:
>
> ,---
> | NF: Mockup for handling complex additional Init parameters in actions
> |
> | So we could have substitution tags chosen according to values of other tags,
> | e.g. in this case ipv (IP version) tag would be added by fail2ban internally
> |
> | novo# grep -e '^[^#]' /etc/fail2ban/action.d/iptables-multiport.conf
> | [Definition]
> | actionstart = <actioncmd> -N fail2ban-<name>
> |               <actioncmd> -A fail2ban-<name> -j RETURN
> |               <actioncmd> -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
> | actionstop = <actioncmd> -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
> |              <actioncmd> -F fail2ban-<name>
> |              <actioncmd> -X fail2ban-<name>
> | actioncheck = <actioncmd> -n -L <chain> | grep -q fail2ban-<name>
> | actionban = <actioncmd> -I fail2ban-<name> 1 -s <ip> -j DROP
> | actionunban = <actioncmd> -D fail2ban-<name> -s <ip> -j DROP
> |
> | [Init]
> | name = default
> | port = ssh
> | protocol = tcp
> | chain = INPUT
> | actioncmd/ipv = 4="iptables", 6="ip6tables"
> `---
>
> or in words -- why not allow config entries (I chose X/Y string format,
> where Y would stand for the key to use) to become dictionaries, so then <X>
> could be used in the actions varying according to the value of Y (in our case
> ipv). Then nearly complete strings for any action/occasion could be
> tuned up accordingly.
>
> so far code changes seem to be quite minimal and generic (who knows what we
> would like to have done in the future), and it only lacks actual
> handling of IPv6 addresses from Rogerio's patch ;-)
>
> Feedback?
Great, this is very interesting, but there are some problems:

1. The dict key 'ipv' comes in aInfo, while 'actioncmd/ipv' comes in cInfo, so _replaceTag needs more changes to do what we want.
2. What about actionCheck, actionStart and actionStop that do not know about ipv?

--
Rogerio de Carvalho Bastos
http://wiki.dcc.ufba.br/Main/RogerioBastos
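To make the X/Y dictionary idea from the quoted mockup and the two problems above concrete, here is an added example of such a tag expander; it is illustrative code written for this message, not code from Yaroslav's branch or from fail2ban itself. The merging of cInfo with aInfo (point 1), the derivation of ipv from the banned address, the can_expand check for actions that never receive ipv (point 2) and all sample values are assumptions of the example.

```python
import ipaddress
import re

# Constructed [Init] section in the X/Y form proposed in the quoted mockup
# (this whole block is an added illustration, not fail2ban's own code).
INIT = {
    "name": "default", "port": "ssh", "protocol": "tcp", "chain": "INPUT",
    "actioncmd/ipv": '4="iptables", 6="ip6tables"',
}
ACTIONBAN = "<actioncmd> -I fail2ban-<name> 1 -s <ip> -j DROP"
ACTIONSTART = "<actioncmd> -N fail2ban-<name>"
DICT_ENTRY = re.compile(r'\s*(\w+)="([^"]*)"\s*(?:,|$)')

def parse_dict_value(value):
    """'4="iptables", 6="ip6tables"' -> {'4': 'iptables', '6': 'ip6tables'}."""
    entries = dict(DICT_ENTRY.findall(value))
    if not entries:
        raise ValueError("not a dict-valued entry: %r" % value)
    return entries

def ipv_for(ip):
    """The 'ipv' tag the commit message says fail2ban would add internally."""
    return str(ipaddress.ip_address(ip).version)

def ban_info(ip):
    """Per-ban aInfo (assumed shape): the banned ip plus its derived ipv."""
    return {"ip": ip, "ipv": ipv_for(ip)}

def replace_tag(template, cInfo, aInfo):
    """Expand <tag>s; a cInfo entry 'X/Y' defines <X> chosen by the value of <Y>."""
    merged = dict(cInfo)
    merged.update(aInfo)  # point 1: ipv lives in aInfo, actioncmd/ipv in cInfo
    for key, value in cInfo.items():
        if "/" not in key:
            continue
        tag, selector = key.split("/", 1)
        choices = parse_dict_value(value)
        if selector not in merged:
            raise KeyError("<%s> needs <%s>, which is not set" % (tag, selector))
        merged[tag] = choices[str(merged[selector])]  # KeyError if no such value
    return re.sub(r"<(\w+)>", lambda m: str(merged[m.group(1)]), template)

def can_expand(template, cInfo, aInfo):
    """Point 2: does this action have every tag it needs with the given aInfo?"""
    try:
        replace_tag(template, cInfo, aInfo)
        return True
    except KeyError:
        return False
```

With an empty aInfo, can_expand(ACTIONSTART, INIT, {}) is False, which is exactly the actionstart/actionstop/actioncheck gap raised in point 2.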