Re: [Fail2ban-users] fail2ban not reading all variable in jail.local - bug or feature?

[Dominic R. <do...@ti...>]

On 22 March 2017 at 13:15, Igor <fai...@ko...> wrote:

>
>
> On Wed, 22 Mar 2017, Dominic Raferd wrote:
>
>
>>
>> On 21 March 2017 at 14:36, Igor <fai...@ko...> wrote:
>>
>>
>>       Sorry for the "bump", but I am still hoping that someone from
>>       the core
>>       developers team would be able to respond.
>>
>>       On Fri, 10 Mar 2017, Igor wrote:
>>
>>       >
>>       >
>>       > I was testing a recent patch by Cristoph (#1689):
>>       > https://github.com/fail2ban/fail2ban/issues/1689
>>       > (Thank you, Christoph!)
>>       >
>>       >
>>       > That patch contains a new variable "lowest_rule_num" whose
>>       value is set
>>       > in config/action.d/bsd-ipfw.conf
>>       >
>>       > I thought that setting its value in jail.local would override
>>       its
>>       > default value, but it turns out that fail2ban does not read
>>       this
>>       > value from jail.local (or from fail2ban.local), neither on
>>       "reload" nor on
>>       > a fresh startup.
>>       >
>>       > I am probably wrong, but I thought that one can set any
>>       variable's value
>>       > in jail.local (or fail2ban.local) and that will override their
>>       default
>>       > values.
>>       >
>>       > Is this a bug or by design?
>>       > Is there a way that defines the "scope" of a configuration
>>       variable
>>       > (global vs. local) that would affect if the variable value can
>>       be set by
>>       > a user in jail.local or fail2ban.local ?
>>
>>
>> ​A variable set within a named jail (in jail.conf or jail.conf or
>> wherever)
>> will only affect that named jail. If you want a variable that can be used
>> in
>> any jail, set it in the [DEFAULT] section. For instance, see sebres' idea
>> at
>> https://github.com/fail2ban/fail2ban/issues/1464, and he states 'all the
>> parameters described in man [for] jail.conf can be used in [their]
>> respective jails. Default section contains the standard settings [which]
>> apply for all jails at once'.
>>
>>
>>
> Dominic, thank you for your response!
>
> While talking about "local" and "global" variables, I didn't mean the
> differentiation between a single jail and all jails. Rather, I meant
> variables that can be set only within a specific module (action in this
> case), and those that can be set in the "central" configuration files
> (jail.local or fail2ban.local).
>
> I have the variable set in jail.local in the [DFAULT] section, and it is
> totally ignored. fail2ban-client -d does not show that value set. Instead,
> it shows the value set in action.d/bsd-ipfw.conf (if it is set).
>
> So, I am trying to figure out what is needed for a variable defined and
> used in action.d/*.conf to make it possible to set its value in
> jail.local .


​I set a variable in [DEFAULT] section of jail.local and then I use it in
one of the jails below (in same file):

[DEFAULT]
# we create a special variable 'common_ignoreip' so we can add to this for
specific jails below
# - idea found at https://github.com/fail2ban/fail2ban/issues/1464
common_ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
ignoreip = %(common_ignoreip)s
...
[postfix]
# add ignore MxToolbox ip for testing
ignoreip = %(common_ignoreip)s 64.20.227.128/28

Although my variable 'common_ignoreip' is not shown directly by
fail2ban-client -d it is used as I can see in output of fail2ban-client -d:

['set', 'postfix', 'addignoreip', '127.0.0.0/8']
['set', 'postfix', 'addignoreip', '10.0.0.0/8']
['set', 'postfix', 'addignoreip', '172.16.0.0/12']
['set', 'postfix', 'addignoreip', '192.168.0.0/16']
['set', 'postfix', 'addignoreip', '64.20.227.128/28']

I don't know if variables set in a jail conf file can be read by an action
file - the man page says that jail.local can override action settings but
only (it seems) for [Init] section actions.