From: Dominic R. <do...@ti...> - 2017-03-22 14:17:39

On 22 March 2017 at 13:15, Igor <fai...@ko...> wrote:

> On Wed, 22 Mar 2017, Dominic Raferd wrote:
>
>> On 21 March 2017 at 14:36, Igor <fai...@ko...> wrote:
>>
>>     Sorry for the "bump", but I am still hoping that someone from the core
>>     developers team would be able to respond.
>>
>>     On Fri, 10 Mar 2017, Igor wrote:
>>
>>     > I was testing a recent patch by Christoph (#1689):
>>     > https://github.com/fail2ban/fail2ban/issues/1689
>>     > (Thank you, Christoph!)
>>     >
>>     > That patch contains a new variable "lowest_rule_num" whose value is set
>>     > in config/action.d/bsd-ipfw.conf
>>     >
>>     > I thought that setting its value in jail.local would override its
>>     > default value, but it turns out that fail2ban does not read this
>>     > value from jail.local (or from fail2ban.local), neither on "reload" nor on
>>     > a fresh startup.
>>     >
>>     > I am probably wrong, but I thought that one can set any variable's value
>>     > in jail.local (or fail2ban.local) and that will override their default
>>     > values.
>>     >
>>     > Is this a bug or by design?
>>     > Is there a way that defines the "scope" of a configuration variable
>>     > (global vs. local) that would affect if the variable value can be set by
>>     > a user in jail.local or fail2ban.local ?
>>
>> A variable set within a named jail (in jail.conf or jail.conf or wherever)
>> will only affect that named jail. If you want a variable that can be used in
>> any jail, set it in the [DEFAULT] section. For instance, see sebres' idea at
>> https://github.com/fail2ban/fail2ban/issues/1464, and he states 'all the
>> parameters described in man [for] jail.conf can be used in [their]
>> respective jails. Default section contains the standard settings [which]
>> apply for all jails at once'.
>
> Dominic, thank you for your response!
>
> While talking about "local" and "global" variables, I didn't mean the
> differentiation between a single jail and all jails. Rather, I meant
> variables that can be set only within a specific module (action in this
> case), and those that can be set in the "central" configuration files
> (jail.local or fail2ban.local).
>
> I have the variable set in jail.local in the [DFAULT] section, and it is
> totally ignored. fail2ban-client -d does not show that value set. Instead,
> it shows the value set in action.d/bsd-ipfw.conf (if it is set).
>
> So, I am trying to figure out what is needed for a variable defined and
> used in action.d/*.conf to make it possible to set its value in
> jail.local .

I set a variable in [DEFAULT] section of jail.local and then I use it in one of the jails below (in same file):

    [DEFAULT]
    # we create a special variable 'common_ignoreip' so we can add to this for specific jails below
    # - idea found at https://github.com/fail2ban/fail2ban/issues/1464
    common_ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
    ignoreip = %(common_ignoreip)s
    ...
    [postfix]
    # add ignore MxToolbox ip for testing
    ignoreip = %(common_ignoreip)s 64.20.227.128/28

Although my variable 'common_ignoreip' is not shown directly by fail2ban-client -d it is used as I can see in output of fail2ban-client -d:

    ['set', 'postfix', 'addignoreip', '127.0.0.0/8']
    ['set', 'postfix', 'addignoreip', '10.0.0.0/8']
    ['set', 'postfix', 'addignoreip', '172.16.0.0/12']
    ['set', 'postfix', 'addignoreip', '192.168.0.0/16']
    ['set', 'postfix', 'addignoreip', '64.20.227.128/28']

I don't know if variables set in a jail conf file can be read by an action file - the man page says that jail.local can override action settings but only (it seems) for [Init] section actions.
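The %(common_ignoreip)s expansion described in the message above, as an added example that is not part of the original post and is not fail2ban's own code: it uses Python's standard configparser as a stand-in for fail2ban's config reader to resolve the effective ignoreip list of each jail and to check which entry would exempt a given address. The function names, the [sshd] jail and the sample text are constructed for illustration, and entries are assumed to be IPs or CIDR blocks only.

```python
import configparser
import ipaddress

# Constructed sample mirroring the jail.local fragment in the message above
# (the [sshd] jail is added here to show plain inheritance from [DEFAULT]).
JAIL_LOCAL = """
[DEFAULT]
common_ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
ignoreip = %(common_ignoreip)s

[postfix]
ignoreip = %(common_ignoreip)s 64.20.227.128/28

[sshd]
enabled = true
"""


def effective_ignoreip(text):
    """Return {jail: [ip_network, ...]} after %(name)s interpolation."""
    cp = configparser.ConfigParser()  # BasicInterpolation is the default
    cp.read_string(text)
    result = {}
    for jail in cp.sections():  # sections() never lists DEFAULT itself
        # A jail without its own ignoreip falls through to [DEFAULT].
        raw = cp.get(jail, "ignoreip", fallback="")
        # strict=True raises ValueError on entries with host bits set,
        # which catches mistyped CIDR blocks in the whitelist.
        result[jail] = [ipaddress.ip_network(entry, strict=True)
                        for entry in raw.replace(",", " ").split()]
    return result


def covering_entries(text, jail, addr):
    """List the ignoreip entries of a jail that would exempt addr."""
    ip = ipaddress.ip_address(addr)
    return [str(net) for net in effective_ignoreip(text)[jail] if ip in net]


if __name__ == "__main__":
    for jail, nets in effective_ignoreip(JAIL_LOCAL).items():
        print(jail, [str(n) for n in nets])
```

Because every ignoreip entry exempts a source from banning, reviewing the resolved list per jail shows exactly which networks each jail will never block.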