ogfqdZdZdZddlZddlZddlZddlZddlZddlZddl Z ddl m Z m Z m Z ddlmZddlmZdd lmZmZdd lmZdd lmZdd lmZdd lmZddlmZddl m!Z!m"Z"m#Z#ddl$m%Z%m&Z&m'Z'ddl(m)Z) ddlm*Z*ejXj[ejXj]e/dZ0dZ1e%dZ2GddeZ3Gdde!Z4Gdde4Z5Gdde4Z6Gdd ejnZ8Gd!d"ejnZ9Gd#d$eZ:Gd%d&e!Z;dd'lZ>m?Z?Gd(d)e!Z@y#e+$rdZ*YwxYw)*z Cyril Jaquierz Copyright (c) 2004 Cyril JaquierGPLN)Regex FailRegexRegexException)actions)Server)DNSUtilsIPAddr)Jail) JailThread) BanTicket)Utils) DummyJail)LogCaptureTestCase with_alt_timeMyTime) getLoggerextractOptions PREFER_ENC)version) filtersystemdfilespollingfail2banceZdZdZdZy) TestServercyNselfargskwargss ?/usr/lib/python3/dist-packages/fail2ban/tests/servertestcase.py setLogLevelzTestServer.setLogLevel<cyr r!r"s r& setLogTargetzTestServer.setLogTarget?r(r)N)__name__ __module__ __qualname__r'r+r!r)r&rr;s r)rcHeZdZeZfdZfdZddZddZdZ dZ xZ S) TransmitterBasectt| |j|_|jj |_d|_|jj|jty)Call before every test case. TestJail1N) superr0setUpTEST_SRV_CLASSserver_Server__transmtransmjailNameaddJail FAST_BACKENDr# __class__s r&r5zTransmitterBase.setUpGsR$&##%$+ ++$+$-++dmm\2r)c^|jjtt|yzCall after every test case.N)r7quitr4r0tearDownr=s r&rBzTransmitterBase.tearDownQs"++')r)r cfd||g}d|g}|$|jd||jd||dk(r|}fd} |j| |jj|| ||f|s:|j| |jj|| d|fyy)zoProcess set/get commands and compare both return values with outValue if it was given otherwise with inValuesetgetNrr c"r t|S|S)zPrepare value for comparison)repr)xrepr_s r&vz%TransmitterBase.setGetTest..vds47##r)r)insert assertEqualr9proceed) r#cmdinValueoutValueoutCodejailrIsetCmdgetCmdrJs ` r& setGetTestzTransmitterBase.setGetTestWs 3 & 3<&  ==D ==D8$1T[[((011gx5H3IJ Adkk))&12Aq(m4DE r)cTd||g}d|g}|$|jd||jd||jj|d}|j|jj|dd|j|jj|d|fy)NrDrErr)rKr9rMrL)r#rNrOrRrSrT initValues r& setGetTestNOKzTransmitterBase.setGetTestNOKms 3 & 3<&  ==D ==Dkk!!&)!,)4;;&&v.q1154;;&&v.I?r)cHd|z}d|z}|j|jjd||gdgft|D]\}}|jjd|||g}|j |dt t t|dfdt t t|d|dzfd|jjd||g}|j |dt t t|dfdt t t|d|dzfdt|D]\}}|jjd|||g}|j |dt t t|dfdt t t||dzdfd|jjd||g}|j |dt t t|dfdt t t||dzdfdy) 
NadddelrErrDrr)level)rLr9rM enumerateassertSortedEquallistmapstr) r#rNvaluesrRcmdAddcmdDelnvaluerets r&jailAddDelTestzTransmitterBase.jailAddDelTestzs 3;& 3;&;;tS)*QG5F#hha   eT659 :33q64CQ(8#9:QSfUYVWXYVYlE[@\<]efg   eT3/ 033q64CQ(8#9:QSfUYVWXYVYlE[@\<]efg h F#hha   eT659 :33q64CQ(8#9:QSfUVWXUXUYlE[@\<]efg   eT3/ 033q64CQ(8#9:QSfUVWXUXUYlE[@\<]efg hr)c xd|z}d|z}|j|jjd||gdgft|D]r\}}|j|jjd|||gd|d|dzf|j|jjd||gd|d|dzftt|D]r\}}|j|jjd||dgd||dzdf|j|jjd||gd||dzdfty)NrZr[rErrDr)rLr9rMr]) r#rNinValues outValuesrRrcrdrerfs r&jailAddDelRegexTestz#TransmitterBase.jailAddDelRegexTests_ 3;& 3;&;;tS)*QG5H%haKKfe45 $1Q3KKc*+ $1Q3 H%haKKfa01 !A#$KKc*+ !A#$ r))r rNF) r,r-r.rr6r5rBrUrXrhrl __classcell__r>s@r&r0r0Cs)3* F, @h"r)r0c$eZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZedZdZdZdZdZdZdZdZdZdZdZ dZ!dZ"d Z#d!Z$d"Z%d#Z&d$Z'd%Z(d&Z)d'Z*d(Z+d)Z,d*Z-d+Z.d,Z/d-Z0y.)/ TransmittercV|j|jjyr ) assertFalser7 isStartedr#s r&testServerIsNotStartedz"Transmitter.testServerIsNotStarteds4;;((*+r)c\|j|jjdgdy)NstoprNrLr9rMrts r&testStopServerzTransmitter.testStopServers#4;;&&x0)r)c||j|jjdgdtjfy)Nrr)rLr9rMrrts r& testVersionzTransmitter.testVersions,4;;&& {3a5IJr)c  |j|jjgdd|jt j |j d|j|j|jjgdd|jt j |j d|j|j|jjgdd|j d |jy#|j|jjgdd|j d |jwxYw) N)rD allowipv6yes)rrz IPv6 is on)rDrnorrz IPv6 is off)rDrauto)rrz IPv6 is auto) rLr9rM assertTruer IPv6IsAllowed assertLoggedpruneLogrrrts r& testSetIPv6zTransmitter.testSetIPv6s 6DKK''(CDjQ??8))+,\"DMMODKK''(BCYOH**,-]#T]]_DKK''(DE{S^$dmmoDKK''(DE{S^$dmmos C"D33AFctjjstj}|j |j j ddgdtj}||z }|jd|cxkxrdkncd|zy|j |j j ddgdy) Nsleepz0.1rxg ףp= ?g?zSleep was %g sec)msgz0.0001)unittestF2BfasttimerLr9rMr)r#t0t1dts r& testSleepzTransmitter.testSleeps    2DKK''%(899E 2 R2??4"?s?(:R(??@DKK''((; 4;;&&! 4;;&& < ++dmm\24;;&&    88C=99[ r)cfd}d}d}|j|jjd|dgd|f|j|jjd|gd|f|j|jjd|dgdd|j|jjd|d gd|f|j|jjd|jdgdd|j|jjgd ddy) N TestJail2 TestJail3 TestJail4rZrrzinvalid backendrr)rZ--allrrLr9rMr:)r#jail2jail3jail4s r& testAddJailzTransmitter.testAddJails! 
% % %;;ui01Au:?4;;&&u~6E C;;u&789!z/Transmitter.testStartStopJail..A4;;  q ! r*T[[5H5H(TXTaTaIb5ceq*r&rr)rw) rLr9rMr:rrrDEFAULT_SLEEP_TIMErwait_for assertNotInr7_Server__jailsrts`r&testStartStopJailzTransmitter.testStartStopJail s;;/0)=**U % %&//5>>r;; ./<4==$++"<"<=r)cjjdtjjj dj gdjjj ddgdtjtjjtjfddjjj ddgdjtjfddjj jjjdjjy) Nrrrxcjjdxr6tjj dj gt  S)Nrrrrtsr&rz2Transmitter.testStartStopAllJail.."rr)rrwrcDtjj Sr )lenr7rrtsr&rz2Transmitter.testStartStopAllJail..%ss4;;3M3M/N+Nr))r7r;r<rLr9rMr:rrrrrrrrrts`r&testStartStopAllJailz Transmitter.testStartStopAllJails++k<0;;/0)=;;-. ; **U % %&//5>>r4;;&&'899E//5>>#NPQRT4==$++"<"<=; : :;r)c`|j|jjd|jddgd|j|jjd|jddgd|j|jjd|jddgdd y) NrDidleonrToffrFCATrrrrts r& testJailIdlezTransmitter.testJailIdle)s;;t}}fd;< ;;t}}fe<= ;;t}}fe<=a@r)c8|jddd|j|jddd|j|jddd|j|jdd d |j|jdd |jy) Nfindtime120xrR60<30mz-60iDogrUr:rXrts r&testJailFindTimezTransmitter.testJailFindTime4s{//*eSt}}/=//*dBT]]/;//*eU/?//*eSt}}/=ZT]];r)c8|jddd|j|jddd|j|jddd|j|jdd d |j|jdd |jy) Nbantimerrr502z-50iz 15d 5h 30miCatrrts r&testJailBanTimezTransmitter.testJailBanTime;s{//)UCdmm/<//)T2DMM/://)UCdmm/<//)\7/GYDMM:r)c8|jddd|j|jddd|j|jddd|j|jdd d |j|jdd |jy) N datepattern%%%Y%m%d%H%M%S)rz%YearMonthDay24hourMinuteSecondrEpoch)Nrz^Epoch)Nz{^LN-BEG}EpochTAI64N)Nrz %Cat%a%%%grrts r&testDatePatternzTransmitter.testDatePatternBs//-!18 //'?@//(44==J//(,4==B]Lt}}Er)c~|jddd|j|jdd|jy)N logtimezonezUTC+0400rznot-a-time-zonerrts r&testLogTimeZonezTransmitter.testLogTimeZoneNs4//-Zdmm/L]$5DMMJr)c.|jdd|j|jdd|j|jdd|jd}|j|jj d|jd|gdy) NusednsrrwarnrFishrDr)rUr:rLr9rMr#rfs r&testJailUseDNSzTransmitter.testJailUseDNSRs{//(E /6//(F/7//(Dt}}/5 %;;t}}h>? 
r)c |jj|j|j|jj d|jddddgd|j dddd |j|jj d|jdd gd |j d d |j|jj d|jdddddgd|j dddd |j dddd |j|j|jj d|jdddgdd|j|jj d|jdddgd|j dddd y)NrDbanip 192.0.2.1 192.0.2.2)rr Ban 192.0.2.1 Ban 192.0.2.2TallwaitBadgerrrz Ban Badgerrunbanipz 192.0.2.255z 192.0.2.254zUnban 192.0.2.1zUnban 192.0.2.2z192.0.2.255 is not bannedz192.0.2.254 is not bannedz--report-absentrr)rr)r7 startJailr:rLr9rMrrrts r& testJailBanIPzTransmitter.testJailBanIP]s++ &;;t}}g{KQ\]^  O_$TJ;;t}}gx@A  Lt,;; DMM9m[+}]_  %'8dN/1LRV]ab--/;; DMM9&7GIIJLLMO;; DMM9m]CEEKM/1LRV]abr)c jjjfd}jdddjdD]&}dD]}j ||d|zgd !(j d d d d j |dDcgc]}d|z c}d j dd j dd j dycc}w)Nc\jjdjd|g|zS)NrDattempt)r9rMr:)ipmatchesr#s r&rz.Transmitter.testJailAttemptIP..attempt}s* ++  udmmYCgM NNr)maxretry5r)rr)rrztest failure %drz 192.0.2.1:2z 192.0.2.2:2Tr)rr z 192.0.2.2:5rrr)r7rr:rUrLrassertNotLogged)r#rirs` r&testJailAttemptIPzTransmitter.testJailAttemptIPzs++ &O//*c14==/9 Ca 'CrWR"3a"7!896BCCM=dF72wG! 1A 5GH&QM-O$/' Hs C-c@d}jj|tjj|dddgffd }||g||dddg||d ddd g||d gd  ||dd d g||d d g||d gy)NTestJailBanListr!c|Ejjjd|d|gdjd|zd|Ejjjd|d|gdjd|zdj jjd |dgt |zd |fd t jt jd zy)NrDrrzBan %sTrrzUnban %srErF) nestedOnlyr) rLr9rMrr^r_rsetTimer)rRrrr$outListr#s r&_getBanListTestz4Transmitter.testJailBanList.._getBanListTests  [[%w67   h&T2  [[%y':;   j7*6KKg.tDz9:LU$ >>&++-!#$r))r 127.0.0.1)z --with-timez:127.0.0.1 2005-08-14 12:00:01 + 600 = 2005-08-14 12:10:01)rr$r 192.168.0.1z<192.168.0.1 2005-08-14 12:00:02 + 600 = 2005-08-14 12:10:02 192.168.1.10)rrr)rr)rr)r7r;r<r)r#rRrs` r&testJailBanListzTransmitter.testJailBanLists $++dL)++#'2r%&$ $k0@ I JL$m2BAC EF$n 79$ > *,$ ?$ r)c|jddd|j|jddd|j|jddd|j|jdd |jy) N maxmatchesr r r2r-2Duckrrts r&testJailMaxMatcheszTransmitter.testJailMaxMatchessc//,QT]]/;//,QT]]/;//,bt}}/=\6 >r)c|jddd|j|jddd|j|jddd|j|jdd |jy) Nr r r rrrrrr rrts r&testJailMaxRetryzTransmitter.testJailMaxRetrysc//*c14==/9//*c14==/9//*dBT]]/;Zdmm;; DMM<u=??@Br)cd}|jjd|jd|g}|jt |dt y)Nzthis_file_shouldn't_existrDr/r)r9rMr:rrIOError)r#rfresults 
r&testJailLogPathInvalidFilez&Transmitter.testJailLogPathInvalidFilesB %% ;;   4==,. 0&//*VAY01r)c&tjd}|dz}tj|||jj d|j d|g}|jt|dttj|y)Ntmp_fail2ban_broken_symlink)prefixz.slinkrDr/r) rmktemprsymlinkr9rMr:rrr9r)r#namesnamer:s r&testJailLogPathBrokenSymlinkz(Transmitter.testJailLogPathBrokenSymlinkso  = >$ /%**T5 ;;   4==,. 0&//*VAY01))Er)ct|jdgd|jd}|j|jj d|jd|gd|gf|j|jj d|jd|gd|gf|j|jj d|jdgd|gf|j|jj d|jd|gdgf|j|jj d|jd gd |j|jj d|jd d gd |j|jj d|jd gd y) Nignoreip)rz 192.168.1.1z8.8.8.8rrD addignoreiprrE delignoreip ignoreselfrFr)rhr:rLr9rMrs r&testJailIgnoreIPzTransmitter.testJailIgnoreIP s  == %;;t}}mUCDw<;;t}}mUCDw<;;t}}j9:w<;;t}}mUCDr7 ;;t}}l;< ;;t}}lEBC ;;t}}l;< r)c@|jdd|jy)N ignorecommandzbin/ignore-command rrUr:rts r&testJailIgnoreCommandz!Transmitter.testJailIgnoreCommand2s///#<4==/Qr)c|jddgd|j|jddd|jy)N ignorecachez%key="",max-time=1d,max-count=9999)zi'iQrrLrts r&testJailIgnoreCachezTransmitter.testJailIgnoreCache5s<//-* //-T />r)c@|jdd|jy)N prefregexz^TestrrLrts r&testJailPrefRegexzTransmitter.testJailPrefRegex<s//+wT]]/;r)c |jdgddtjdzdtjdzdtjdzg|j|j |j j d|jdd gd d |j |j j d|jdd gd d y) N failregex)zuser john at Admin user login from z failed attempt from againzuser john at %sAdmin user login from %szfailed attempt from %s againrD addfailregexz No host regexrrirlr_resolveHostTagr:rLr9rMrts r& testJailRegexzTransmitter.testJailRegex?s; ..x89%"7"7"AB"e&;&;H&EF == ;; DMM>?;==>@;; DMM>3/1124r)c f|jdgdddtjdzdg|j|j |j j d|jdd gd d |j |j j d|jdd gd d y) N ignoreregex) user johnrWDont match me!r`rYrXrarDaddignoreregexzInvalid [regexrrrr[rts r&testJailIgnoreRegexzTransmitter.testJailIgnoreRegexWs= %"7"7"AB == ;; DMM+-=>@@AC;; DMM+R02235r)c |jg}|j|jjdgddt |fddj |fgf|j jdt|jd|j|jjdgddt |fddj |fgfy)NrrzNumber of jailz Jail listz, r) r:rLr9rMrr5r7r;r<append)r#jailss r& testStatuszTransmitter.testStatusos ==/%4;;&&z2 3u:&dii6F(GHIK++k<0,,{4;;&&z2 3u:&dii6F(GHIKr)c |j|jjd|jgdddddgfgfddd d gfgfgfy) NrrFilterzCurrently failedrz Total failedr File listActionszCurrently 
bannedrz Total bannedrBanned IP listrrts r&testJailStatuszTransmitter.testJailStatusxso4;;&&$--'@AB   r)c |j|jjd|jdgdddddgfgfdd d d gfgfgfy) Nrbasicrrirjrkrlrmrnrorprrts r&testJailStatusBasiczTransmitter.testJailStatusBasicsq4;;&&$--'IJB   r)c |j|jjd|jdgdddddgfgfdd d d gfgfgfy) NrINVALIDrrirjrkrlrmrnrorprrts r&testJailStatusBasicKwargz$Transmitter.testJailStatusBasicKwargsq4;;&&$--'KLB   r)c  tjj ddl}ddl}g}|j |jjd|jdgdddddgfgfd d d d gfd |fd|fd|fgfgfy#t $rdg}YbwxYw)NrerrorrcymrurirjrkrlrmrnrorpzBanned ASN listzBanned Country listzBanned RIR list) rrSkipIfNoNetwork dns.exception dns.resolver ImportErrorrLr9rMr:)r#dnsrfs r&testJailStatusCymruzTransmitter.testJailStatusCymrus ,,  54;;&&$--'IJB % e$% "   95sA>> B  B c d}gd}gd}|j|jjd|jd|gd|f|j|jjd|jdgd d|t ||D]B\}}|j|jjd|jd |||gd|fDt ||D]A\}}|j|jjd|jd ||gd|fC|j|jjd|jd |d d gd |j|jjd|jd |d gd |j|jjd|jd |dgdd |j|jjd|jd |ddgd|j|jjd|jd |dgd|j|jjd|jd|gd|j|jjd|jddgdd y)NTestCaseAction) actionstart actionstop actioncheck actionban actionunban)z Action Startz Action Stopz Action Checkz Action Banz Action UnbanrD addactionrrErractionKEYVALUE)rr InvalidKeytimeout10)r delactionrxz Doesn't exist)rLr9rMr:zip)r#rcmdList cmdValueListrNrfs r& testActionzTransmitter.testActions & ',;;t}}k6BCv;;; DMM9%''(**+-  .jc5KK T]]Hfc59;J .jc5KK xEFJ;; DMM8VUG<>;; DMM8VU35;; DMM8V\:<<=?;; DMM8VY=?  ;; DMM8VY79  ;;t}}k6BC ;; DMM;8::;==>@r)c d}|jjd|jd|tjj t dddg}|j|d|f|j|jjd|jd |gd d d g|j|jjd|jd |d gd|j|jjd|jd |d gd|j|jjd|jd|gd gd|j|jjd|jd |ddgd|j|jjd|jd |d dgd|j|jjd|jd |ddgdy)NrrDraction.dz action.pyz{"opt1": "value"}rrEactionpropertiesropt1opt2r)rrfrx actionmethods)banrebanrrw testmethodunbanrz{"text": "world!"})rzHello world! value another value)rr)rzHello world! 
another value) r9rMr:rr4r5r6rLr^)r#routs r&$testPythonActionMethodsAndPropertiesz0Transmitter.testPythonActionMethodsAndPropertiess &  4==+vGGLL[9 #3F $;;t}} !!"$ F;;t}}h   ;;t}}h    ;;t}}o   ;=;;t}}h&();;t}}h O;;t}}h&()$&r)cd|j|jjddgddy)NrvCOMMANDrrryrts r&testNOKzTransmitter.testNOK,s+4;;&& 9'=>qA!Dr)cd|j|jjgdddy)N)rDrvrrrryrts r& testSetNOKzTransmitter.testSetNOK/*;;45a8 ;; H'/1% ;; H'/1y> ;; H'/1r7  >%;; H'(5025x@ABD;; H'(5!946 %x0124;; H'(5946r7 % ;;   8&. 0&//*VAY 34 % ;;   8&. 0&//*VAY 34o ( (s  K0 K5c tstjd|jdd}|jj |dgd}t |D]K\}}|j|jjd|d|gd|d|d zDcgc]}|gc}fMt |D]K\}}|j|jjd|d |gd||d zdDcgc]}|gc}fMycc}wcc}w) NrTrzsystemd[journalflags=2]rrDrrrr) rrrrr7r;r]rLr9rM)r#r:rbrerfrs r&testJournalFlagsMatchz!Transmitter.testJournalFlagsMatchs    C DD//$ (++h 9: & F#*haKK X(%02&!A#,'3#'(** F#*haKK X(%02&1,'3#'(** ( (s  D- DN)1r,r-r.rurzr~rrrrrrrrrrrrrrrrrr!r#r&r+r7r;rCrIrMrQrTr]rcrgrqrtrwrrrrrrrrrr!r)r&rprps, =?K 6 I.`;$ ><$ <; FK c:(&))V? = = B(T2#JR?<00K$$$<:@x"&HE<<?E5N*r)rpcLeZdZeZfdZdZdZdZdZ dZ dZ dZ xZ S) TransmitterLoggingctt| |jj d|jj d|jj dy)N /dev/nullCRITICALr)r4rr5r7r+r'setSyslogSocketr=s r&r5zTransmitterLogging.setUpsGD')++;'++*%++f%r)cg}tdD]D}tjdd}|j|dt j |dF|D]}|j d|d}|jd||jjgd|D]}t j||j dd d |j dd d y) Nrr transmitterrr logtarget/this/path/should/not/exist)rDrrzSTDOUT[format="%(message)s"]STDOUTz!STDERR[datetime=off, padding=off]STDERR) rangerrrerrrUrXr9rMremove)r# logTargets_tmpFile logTargetrfs r& testLogTargetz TransmitterLogging.testLogTargets* 8a   j- 87 WQZ 88GAJ+i??; *+ (%[%(++78i99Y//+=xH//+BHMr)c8tjjdstjd|j |j jd|jdd|j |j jdy)N/dev/logz'/dev/log' not presentrrSYSLOG) rr4existsrrrr7getSyslogSocketrUrts r&testLogTargetSYSLOGz&TransmitterLogging.testLogTargetSYSLOGsh  #   3 44//$++--/8//+x(//$++--/>*+E Gr)c|jdd|jdd|jdd|jdd|jdd|jdd|jdd|jdd |jdd |jdd d |jdd y) Nloglevel HEAVYDEBUG TRACEDEBUG9DEBUGINFONOTICEWARNINGERRORrcRiTiCaLBird)rUrXrts r& testLogLevelzTransmitterLogging.testLogLevels//*l+//*l+//*c"//*g&//*f%//*h'//*i(//*g&//*j)//*j*5Z(r)c|j|jjdgd 
tjd\}}t j ||jjd|j|jjdd|gd|ftd}|jd  tjd\}}t j |t j|||jd |j|jjdgd|jd t|d 5}t|}|jd dk\r t|}|j|j!dt|}|j|j!d t|}|jddk\r!|j#t$|j&n|j)d|zdddt|d 5}t|}|jddk\r t|}|j|j!d|j#t$|j&|j dddt j*| t j*||j|jjgdd|j|jjdgdy#t$$rY)wxYw#1swY/xYw#1swYxYw#t j*wxYw#t,$rYwxYw# t j*w#t,$rYwwxYwxYw)N flushlogs)rz rolled overz fail2ban.logrrDrrrzBefore file movedzAfter file movedzAfter flushlogsrzChanged logging target tozBefore file moved zAfter file moved zCommand: ['flushlogs']zCException StopIteration or Command: ['flushlogs'] expected. Got: %szrollover performed onzAfter flushlogs )rDrr)rr)rflushed)rLr9rMrrrrr7r'rwarningrenameopennextfindrendswith assertRaises StopIteration__next__failrOSError) r#ffnlf2fn2line1line2res r& testFlushLogsz TransmitterLogging.testFlushLogss4;;&& }57IJ*   N +51b88A;;;9%DKK'' R(@AAr7K199 !~.GBHHRLIIb#II !T[[((+79KLII c# ! !WU ./141ge __U^^$9:; !WU __U^^$89: q'a ( )A -  3 yyVYZZ[  b !WU *+q01ge __U^^$789 }ajj1WWY IIcN IIbM4;;&&'EF V4;;&& }5~F#      IIcN    IIbM   sBNBM1 A6MAM+M1?A;M%:M1NN  MMMMM"M1%M.*M11NN NNON21O2 N>;O=N>>Oc|jddd|j|jddd|j|jdd d |j|jd d d |j|jd d|j|jddd|j|jddd|jy)Nzbantime.incrementtrueTrzbantime.rndtime30minrzbantime.maxtimez 1000 daysi\&zbantime.factorrzbantime.formulazGban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)zbantime.multipliersz1 5 30 60 300 720 1440 2880zbantime.overalljailsrLrts r&testBanTimeIncrz"TransmitterLogging.testBanTimeIncr s//%vt$--/H//#We$--/H//#[-dmm/T//"C4==/A//#%nuyvCvC/D//')FHelplyly/z//(&&t}}/Mr))r,r-r.r r6r5rrrrrrrrmrns@r&rrs4& N(=7  ).G`Nr)rceZdZdZy) JailTestscVd}t|}|j|j|y)Nveryveryverylongname)r rLrA)r#longnamerRs r& testLongNamezJailTests.testLongNames$ #( h$499h'r)N)r,r-r.r r!r)r&rrs(r)rceZdZdZdZdZy) RegexTestsc|jttd|jttd|jttdy)NrP  )rrrrts r&testInitzRegexTests.testInit"s8NE2.NE3/NE40r)c|jttdjddd|j tt dj dy)Na"'z Regex('a')rXz FailRegex()rLrarreplacerr startswithrts r&testStrzRegexTests.testStr(sH3uSz?**34lC//#i)*55lCDr)c$ |jttd|jttd|jtd|jtd|jtd|jtd|jtd|jtd|jtd td }|j |j |j d g|j|j |jt|jtd 
}|j |j |j d g|j|j |jt|jtd}|j |j |j dg|j|j |j|jd|j dg|j|j |j|jd|j dg|j|j |j|jdtd}|j |j |j dg|j|j |j|jdtd}|j dg|j}|j||jfd|j dg|j}|j||jfd|j dg|j}|j||jfd|j dg|j}|j||jfdtd }|j d!g|j}|j||jfd"|j d#g|j}|j||jfd|j d$g|j}|j||jfd%|j d&g|j}|j||jfd'y)(NrPz^test no group$z^test group$z^test group$z^test group$z^test group$z<^test id group: ip:port = (?::)?$z-^test id group: user:\([^\)]+\)$z#^test id group: anything = $z %%?)z%%rPrPz#%%inet(?:=|inet6=)?)z %%inet=testrPrPz(%%(?:inet(?:=|6=)?|dns=?))z%%inet=192.0.2.1rPrPr)z%%inet6=2001:DB8::rPrP 2001:DB8::)z%%dns=example.comrPrPz example.com)z%test id group: user:(test login name)rPrPztest login namez%%net=)z%%net=192.0.2.1rPrP)rinet4)z%%net=192.0.2.1/24rPrP)z 192.0.2.0/24r)z%%net=2001:DB8:FF:FF::1rPrP)z2001:db8:ff:ff::1inet6)z%%net=2001:DB8:FF:FF::1/60rPrP)z2001:db8:ff:f0::/60rz%%ip="", mask="?")z%%ip="192.0.2.2", mask=""rPrP)rr)z%%ip="192.0.2.2", mask="24"rPrP)z"%%ip="2001:DB8:2FF:FF::1", mask=""rPrP)z2001:db8:2ff:ff::1r)z$%%ip="2001:DB8:2FF:FF::1", mask="60"rPrP)z2001:db8:2ff:f0::/60r) rrrrrr hasMatchedsearchgetHostrL getFailIDgetIP familyStr)r#frrs r&testHostzRegexTests.testHost.s+NIr2NI/@A//)234//)123//)123//)123//)[\]//)LMN//)BCD"2==?#))\N//"--/"NBJJ/78"2==?#)) " #$//"--/"NBJJ/<="2==?#)) ' ()//"--/"2::<-)) ) *+//"--/"2::<.)) ( )*//"--/"2::</AB"2==?#)) < =>//"--/"2<<>#45"#")) & '( xxz"B %'=>)) ) *+ xxz"B %'@A)) . 
/0 xxz"B %'EF)) 1 23 xxz"B %'GH12")) 0 12 xxz"B %'=>)) 2 34 xxz"B %'@A)) 9 :; xxz"B %'FG)) ; <= xxz"B %'HIr)N)r,r-r.rrr%r!r)r&rr s1 E DJr)rceZdZdZy) _BadThreadctd)Nzrun bad thread exception)rrts r&runz_BadThread.runvs/00r)N)r,r-r.r)r!r)r&r'r'us1r)r'ceZdZdZdZdZy) LoggingTestsctd}|j|jjd|j|jdy)Nzfail2ban.some.string.with.namerz fail2ban.name)rrLparentrA)r# testLogSyss r&testGetF2BLoggerzLoggingTests.testGetF2BLogger|s=9:*:$$)):6:??O4r)ctj}gfdt_ t}|j|j j t jfdd|t_jdjtdjddty#|t_wxYw)Nc&j|Sr )re)r$rHs r&rz5LoggingTests.testFail2BanExceptHook..sQXXd^r)c@txrjdS)NUnhandled exception)r _is_logged)r#rHsr&rz5LoggingTests.testFail2BanExceptHook..sCF,]tG\7]r)rr3rr) sys__excepthook__r'rr5rrrrrLrr)r# prev_exchook badThreadrHs` @r&testFail2BanExceptHookz#LoggingTests.testFail2BanExceptHooks##,!3#%|9 ?? >>??ENN$]_`ac$3)*3q611Q47L)%3s AC Ccg}tjdd\}}tj||j |tjdd\}}tj||j |t } |j ||d|j|j|jd|j|D]7}tjj|s#tj|9y#|j|D]7}tjj|s#tj|9wxYw)Nz fail2ban.sockzf2b-testz fail2ban.pidF)forcezServer already running)rrrrrerrrrrsrrAr4rr)r# tmp_filessock_fd sock_name pidfile_fd pidfile_namer7rs r&testStartFailedSockExistsz&LoggingTests.testStartFailedSockExistss)''D'9((7 9%--njI*l((: < <& << s r&rHz ServerConfigReaderTests.__init__s /@@$r)c8tt| g|_y)r2N)r4rFr5 _execCmdLstr=s r&r5zServerConfigReaderTests.setUps,.$r)c*tt| yr@)r4rFrBr=s r&rBz ServerConfigReaderTests.tearDowns/1r)c|jdD]?}|jdstjd|+tj|Ay)N #zexec-cmd: `%s`T)splitrlogSysdebug)r#realCmdrrs r& _executeCmdz#ServerConfigReaderTests._executeCmdsE == a ,,s  LL!1% LLO  r)ct|dsdt}i|_dD]N\}}t|}|j dt j j|||j|<P|jS)N__aInfos))ipv4r)ipv6rr)hasattrr _ServerConfigReaderTests__aInfosr setBanTime_actionsrm ActionInfo)r#dmyjailtrtickets r&_testActionInfosz(ServerConfigReaderTests._testActionInfosss z " [74=?Duq" r]F c''2267CDMM!D r)c2|j}|j}|D]}||jD]}||j|}tj dtj d|dz|j ztj dt |tjs|j|_ tj d|j|jtj d|j|j|dtj d|j|j|dtj d|j|j|d tj d |j|j|d tj d |j|jy) N4# ================================================== # == %-44s == - # === start ===# === ban-ipv4 ===rW# === unban 
ipv4 ===# === ban ipv6 ===rX# === unban ipv6 ===# === stop ===)rrarrQrR_namerr\ CommandActionrT executeCmdrrrrrw)r#r7rfaInfosrRrrs r&_testExecActionsz(ServerConfigReaderTests._testExecActionss|   %  "&d $K  q 4[  #F LL"# LL$,"=> LL"# fh44 5x((F LL"#T]]_ LLN LL%&  JJvf~ LL'($--/ LL  LL%&  JJvf~ LL'($--/ LL  LL!"DMMO KKM5r)ctjjdttd|j }|j |j|j |j|jd}t}|j}|j}|D]}|ddk7s |ddk(rd|d <nt|d kDr|dd k(ry|d d k(rqtjj!t"d |d}tjj%|s$tjj!t"d}||d <nAtjj&r't|d kDr|ddvr|d dk(r d |d<d|d < ||tjj&s|j-|yy#t($r"}|j+d|d|Yd}~Hd}~wwxYw)NTstock)basedir force_enable share_config)allow_no_filesrrrZrrrrDr/logsrr.)rDz multi-setrZzDUMMY-REGEX zCommand z has failed. Received )rrSkipIfCfgMissingrCrDrIrread getOptionsconvertrr8_Transmitter__commandHandlerrrr4r5r6rrrrrp) r#rfstreamr7r9 cmdHandlerrNres r&testCheckStockJailActionsz1ServerConfigReaderTests.testCheckStockJailActionss ,,d+ jt$JZJZ [%//%**,//%""$% === -& <&  ! !&22* @c !f 1vSV SA#a&E/c!f .D '',,~vs1v 6R GGNN2  77<<(8 9bSV   X\c!f 44Q>9QSV"SV@_/@@      @ YYsA>??@sG G>G99G>c,|jd|}t|\}}d|dgg}t||||jt}|j |j |ji|j|j|S)Nz %(__name__)srZr)rvrt) rrrBrIrDrrzr{extendr|)r#rRactactNameactOptr~rs r&getDefaultJailStreamz,ServerConfigReaderTests.getDefaultJailStreams ND)#"3'/'6 4 &  D&  * 6&//&++- B-- ! -r)c*tjjdtjjddl}t }|j }|j tjjtddD]}tjj|jdd}|jd|z|}|D](}|j|\}} |j|d*|j!|y) NTrrrrz*.confz.confrPzj-)rrry SkipIfFastglobrr8rr4r5rDbasenamerrrMrLrp) r#rr7r9actCfgrr~rNrgress r&testCheckStockAllActionsz0ServerConfigReaderTests.testCheckStockAllActions+s ,,d+ ,, <&  ! !& "'',,z:xHI !f   & ! ) )'2 63  % %d3h 46s~~c"HCS!   
!r)ctjjdddddddd d d d d ddddd fdddddddddddddddd fd d!d"d#d$d%d&d'd(d)d*d+ fd,d-d"d#d.d/d0d1d2fd3d4d5d6d7d8d9d:d;dd?d@dAdB fdCdDd5d6d7dEdFdGdHdIdJdKdLdMdNdB fdOdPdQdRdSdTdUdVdWdXdYdZd[d\d]dB fd^d_d`dadSdbdcdddedfdgdhdidjdkdB fdldmd5d6dSdndodpdqdrdsdtdudvdwdB fdxdyd5d6dSdzd{d|d}d~ddddddB fdddddddddddddd fdddddddddddddd fdddddddddddddd fddddddddddddddd fdddddddddddddd fdddddddddddddd fdddddddddddddל fdddddddddddddל fddddddddd2fddddddddd2ff}t}|j}|j }|D]E\}}}|j ||}|D](} |j| \} } |j| d*G|j} |j} |D]d\}}}| |jD]J}| |j|}tjdtjd|dz|jztjd|jt!|t"j$|j&|_|j+d|j-|j/dr|j0|dddin=|j/dr,|j/dr|j2|d|dzddi|j+d|j5| d|j/dr8|j0|j/d|j/dd|dzddi|j/dr|j2|dddi|j0|dddi|j2|dddi|j+d|j7| d|j0|dddi|j2|dddi|j+d|j5| d|j/dr8|j0|j/d|j/dd|dzddi|j/dr|j2|dddi|j0|dddi|j2|dddi|j+d|j7| d|j0|dddi|j2|dddi|j/d r|j+d |j9| dd |j0|j/d |j/dd|d zddi|j/d r#|d |d k7r|j2|d ddi|j/d r|j+d|j9| dd |j0|j/d |j/dd|d zddi|j/d r#|d |d k7r|j2|d ddi|j/dr8|j+d|j;|j0|dddi|j+d|j=|j/ds"|j0|j/dd|dzddiMgy(NTrrz j-w-nft-mpzQnftables-multiport[name=%(__name__)s, port="http,https", protocol="tcp,udp,sctp"])zip ipv4_addrzaddr-)zip6 ipv6_addrzaddr6-)`nft add table inet f2b-table`W`nft -- add chain inet f2b-table f2b-chain \{ type filter hook input priority -1 \; \}`9`for proto in $(echo 'tcp,udp,sctp' | sed 's/,/ /g'); do``done`)zG`nft add set inet f2b-table addr-set-j-w-nft-mp \{ type ipv4_addr\; \}`z`nft add rule inet f2b-table f2b-chain $proto dport \{ $(echo 'http,https' | sed s/:/-/g) \} ip saddr @addr-set-j-w-nft-mp reject`)zH`nft add set inet f2b-table addr6-set-j-w-nft-mp \{ type ipv6_addr\; \}`z`nft add rule inet f2b-table f2b-chain $proto dport \{ $(echo 'http,https' | sed s/:/-/g) \} ip6 saddr @addr6-set-j-w-nft-mp reject`)zG`{ nft flush set inet f2b-table addr-set-j-w-nft-mp 2> /dev/null; } || zH`{ nft flush set inet f2b-table addr6-set-j-w-nft-mp 2> /dev/null; } || )z`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`5`nft delete rule inet f2b-table 
f2b-chain $hdl; done`z3`nft delete set inet f2b-table addr-set-j-w-nft-mp`z`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`rz4`nft delete set inet f2b-table addr6-set-j-w-nft-mp`)zO`nft list chain inet f2b-table f2b-chain | grep -q '@addr-set-j-w-nft-mp[ \t]'`)zP`nft list chain inet f2b-table f2b-chain | grep -q '@addr6-set-j-w-nft-mp[ \t]'`)zD`nft add element inet f2b-table addr-set-j-w-nft-mp \{ 192.0.2.1 \}`)zG`nft delete element inet f2b-table addr-set-j-w-nft-mp \{ 192.0.2.1 \}`)zF`nft add element inet f2b-table addr6-set-j-w-nft-mp \{ 2001:db8:: \}`)zI`nft delete element inet f2b-table addr6-set-j-w-nft-mp \{ 2001:db8:: \}`) ip4ip6*-start ip4-start ip6-startflushrw ip4-check ip6-checkip4-ban ip4-unbanip6-ban ip6-unbanz j-w-nft-apz8nftables-allports[name=%(__name__)s, protocol="tcp,udp"])rr)zG`nft add set inet f2b-table addr-set-j-w-nft-ap \{ type ipv4_addr\; \}`zg`nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp,udp \} ip saddr @addr-set-j-w-nft-ap reject`)zH`nft add set inet f2b-table addr6-set-j-w-nft-ap \{ type ipv6_addr\; \}`zi`nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp,udp \} ip6 saddr @addr6-set-j-w-nft-ap reject`)zG`{ nft flush set inet f2b-table addr-set-j-w-nft-ap 2> /dev/null; } || zH`{ nft flush set inet f2b-table addr6-set-j-w-nft-ap 2> /dev/null; } || )z`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`rz3`nft delete set inet f2b-table addr-set-j-w-nft-ap`z`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`rz4`nft delete set inet f2b-table addr6-set-j-w-nft-ap`)zO`nft list chain inet f2b-table f2b-chain | grep -q '@addr-set-j-w-nft-ap[ \t]'`)zP`nft list chain inet f2b-table f2b-chain | grep -q '@addr6-set-j-w-nft-ap[ \t]'`)zD`nft add element inet f2b-table addr-set-j-w-nft-ap \{ 
192.0.2.1 \}`)zG`nft delete element inet f2b-table addr-set-j-w-nft-ap \{ 192.0.2.1 \}`)zF`nft add element inet f2b-table addr6-set-j-w-nft-ap \{ 2001:db8:: \}`)zI`nft delete element inet f2b-table addr6-set-j-w-nft-ap \{ 2001:db8:: \}`zj-dummyzodummy[name=%(__name__)s, init="=='/'==bt:==bc:==", target="/tmp/fail2ban.dummy"])z family: inet4)z family: inet6)z$`printf %b "=='/'==bt:600==bc:0==\n"z7`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- started"`)z9`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- clear all"`)z7`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- stopped"`)zP`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- banned 192.0.2.1 (family: inet4)"`)zR`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- unbanned 192.0.2.1 (family: inet4)"`)zQ`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- banned 2001:db8:: (family: inet6)"`)zS`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- unbanned 2001:db8:: (family: inet6)"`) rrrrrwrrrrz j-hostsdenyzPhostsdeny[name=%(__name__)s, actionstop="rm ", file="/tmp/fail2ban.dummy"])z5`printf %b "ALL: 192.0.2.1\n" >> /tmp/fail2ban.dummy`)z^`IP=$(echo "192.0.2.1" | sed 's/[][\.]/\\\0/g') && sed -i "/^ALL: $IP$/d" /tmp/fail2ban.dummy`)z8`printf %b "ALL: [2001:db8::]\n" >> /tmp/fail2ban.dummy`)za`IP=$(echo "[2001:db8::]" | sed 's/[][\.]/\\\0/g') && sed -i "/^ALL: $IP$/d" /tmp/fail2ban.dummy`)rrrrrrzj-w-iptables-mpzwiptables-multiport[name=%(__name__)s, bantime="10m", port="http,https", protocol="tcp,udp,sctp", chain=""]) `iptables icmp-port-unreachable) `ip6tables icmp6-port-unreachable)rr)z`{ iptables -w -C f2b-j-w-iptables-mp -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-j-w-iptables-mp || true; iptables -w -A f2b-j-w-iptables-mp -j RETURN; }`z`{ iptables -w -C INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp; }`)z`{ ip6tables -w -C f2b-j-w-iptables-mp -j RETURN >/dev/null 2>&1; } || { ip6tables -w -N 
f2b-j-w-iptables-mp || true; ip6tables -w -A f2b-j-w-iptables-mp -j RETURN; }`zq`{ ip6tables -w -C INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp >/dev/null 2>&1; } || z]{ ip6tables -w -I INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp; }`)$`iptables -w -F f2b-j-w-iptables-mp`%`ip6tables -w -F f2b-j-w-iptables-mp`)zX`iptables -w -D INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp`rz$`iptables -w -X f2b-j-w-iptables-mp`zY`ip6tables -w -D INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp`rz%`ip6tables -w -X f2b-j-w-iptables-mp`)zX`iptables -w -C INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp`)zY`ip6tables -w -C INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp`)za`iptables -w -I f2b-j-w-iptables-mp 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)z_`iptables -w -D f2b-j-w-iptables-mp -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)zd`ip6tables -w -I f2b-j-w-iptables-mp 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`)zb`ip6tables -w -D f2b-j-w-iptables-mp -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`) rr*-start-stop-checkrrrrwrrrrrrzj-w-iptables-apzciptables-allports[name=%(__name__)s, bantime="10m", protocol="tcp,udp,sctp", chain=""])z`{ iptables -w -C f2b-j-w-iptables-ap -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-j-w-iptables-ap || true; iptables -w -A f2b-j-w-iptables-ap -j RETURN; }`zO`{ iptables -w -C INPUT -p $proto -j f2b-j-w-iptables-ap >/dev/null 2>&1; } || z;{ iptables -w -I INPUT -p $proto -j f2b-j-w-iptables-ap; }`)z`{ ip6tables -w -C f2b-j-w-iptables-ap -j RETURN >/dev/null 2>&1; } || { ip6tables -w -N f2b-j-w-iptables-ap || true; ip6tables -w -A f2b-j-w-iptables-ap -j RETURN; }`zP`{ ip6tables -w -C INPUT -p $proto -j f2b-j-w-iptables-ap >/dev/null 2>&1; } || z<{ ip6tables -w -I INPUT -p $proto -j f2b-j-w-iptables-ap; }`)$`iptables -w -F 
f2b-j-w-iptables-ap`
`ip6tables -w -F f2b-j-w-iptables-ap`
`iptables -w -D INPUT -p $proto -j f2b-j-w-iptables-ap`
`iptables -w -X f2b-j-w-iptables-ap`
`ip6tables -w -D INPUT -p $proto -j f2b-j-w-iptables-ap`
`ip6tables -w -X f2b-j-w-iptables-ap`
`iptables -w -C INPUT -p $proto -j f2b-j-w-iptables-ap`
`ip6tables -w -C INPUT -p $proto -j f2b-j-w-iptables-ap`
`iptables -w -I f2b-j-w-iptables-ap 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`
`iptables -w -D f2b-j-w-iptables-ap -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`
`ip6tables -w -I f2b-j-w-iptables-ap 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`
`ip6tables -w -D f2b-j-w-iptables-ap -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`

j-w-iptables-ipset
iptables-ipset-proto6[name=%(__name__)s, port="http", protocol="tcp", chain=""]
f2b-j-w-iptables-ipset
f2b-j-w-iptables-ipset6
`for proto in $(echo 'tcp' | sed 's/,/ /g'); do`
`ipset -exist create f2b-j-w-iptables-ipset hash:ip timeout 0 `
`{ iptables -w -C INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable; }`
`ipset -exist create f2b-j-w-iptables-ipset6 hash:ip timeout 0 family inet6`
`{ ip6tables -w -C INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable >/dev/null 2>&1; } || { ip6tables -w -I INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable; }`
`ipset flush f2b-j-w-iptables-ipset`
`ipset flush f2b-j-w-iptables-ipset6`
`iptables -w -D INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable`
`ipset destroy f2b-j-w-iptables-ipset`
`ip6tables -w -D INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`
`ipset destroy f2b-j-w-iptables-ipset6`
`iptables -w -C INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable`
`ip6tables -w -C INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`
`ipset -exist add f2b-j-w-iptables-ipset 192.0.2.1 timeout 0`
`ipset -exist del f2b-j-w-iptables-ipset 192.0.2.1`
`ipset -exist add f2b-j-w-iptables-ipset6 2001:db8:: timeout 0`
`ipset -exist del f2b-j-w-iptables-ipset6 2001:db8::`

j-w-iptables-ipset-ap
iptables-ipset-proto6-allports[name=%(__name__)s, chain=""]
f2b-j-w-iptables-ipset-ap
f2b-j-w-iptables-ipset-ap6
`ipset -exist create f2b-j-w-iptables-ipset-ap hash:ip timeout 0 `
`{ iptables -w -C INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable; }
`ipset -exist create f2b-j-w-iptables-ipset-ap6 hash:ip timeout 0 family inet6`
`{ ip6tables -w -C INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable >/dev/null 2>&1; } || { ip6tables -w -I INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable; }
`ipset flush f2b-j-w-iptables-ipset-ap`
`ipset flush f2b-j-w-iptables-ipset-ap6`
`iptables -w -D INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`
`ipset destroy f2b-j-w-iptables-ipset-ap`
`ip6tables -w -D INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`
`ipset destroy f2b-j-w-iptables-ipset-ap6`
`iptables -w -C INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`
`ip6tables -w -C INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`
`ipset -exist add f2b-j-w-iptables-ipset-ap 192.0.2.1 timeout 0`
`ipset -exist del f2b-j-w-iptables-ipset-ap 192.0.2.1`
`ipset -exist add f2b-j-w-iptables-ipset-ap6 2001:db8:: timeout 0`
`ipset -exist del f2b-j-w-iptables-ipset-ap6 2001:db8::`

j-w-iptables
iptables[name=%(__name__)s, bantime="10m", port="http", protocol="tcp", chain=""]
`{ iptables -w -C f2b-j-w-iptables -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-j-w-iptables || true; iptables -w -A f2b-j-w-iptables -j RETURN; }
`{ iptables -w -C INPUT -p $proto --dport http -j f2b-j-w-iptables >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto --dport http -j f2b-j-w-iptables; }`
`{ ip6tables -w -C f2b-j-w-iptables -j RETURN >/dev/null 2>&1; } || { ip6tables -w -N f2b-j-w-iptables || true; ip6tables -w -A f2b-j-w-iptables -j RETURN; }
`{ ip6tables -w -C INPUT -p $proto --dport http -j f2b-j-w-iptables >/dev/null 2>&1; } || { ip6tables -w -I INPUT -p $proto --dport http -j f2b-j-w-iptables; }`
`iptables -w -F f2b-j-w-iptables`
`ip6tables -w -F f2b-j-w-iptables`
`iptables -w -D INPUT -p $proto --dport http -j f2b-j-w-iptables`
`iptables -w -X f2b-j-w-iptables`
`ip6tables -w -D INPUT -p $proto --dport http -j f2b-j-w-iptables`
`ip6tables -w -X f2b-j-w-iptables`
`iptables -w -C INPUT -p $proto --dport http -j f2b-j-w-iptables`
`ip6tables -w -C INPUT -p $proto --dport http -j f2b-j-w-iptables`
`iptables -w -I f2b-j-w-iptables 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`
`iptables -w -D f2b-j-w-iptables -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`
`ip6tables -w -I f2b-j-w-iptables 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`
`ip6tables -w -D f2b-j-w-iptables -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`

j-w-iptables-new
iptables-new[name=%(__name__)s, bantime="10m", port="http", protocol="tcp", chain=""]
`{ iptables -w -C f2b-j-w-iptables-new -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-j-w-iptables-new || true; iptables -w -A f2b-j-w-iptables-new -j RETURN; }`
`{ iptables -w -C INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new >/dev/null 2>&1; } || { iptables -w -I INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new; }`
`{ ip6tables -w -C f2b-j-w-iptables-new -j RETURN >/dev/null 2>&1; } || { ip6tables -w -N f2b-j-w-iptables-new || true; ip6tables -w -A f2b-j-w-iptables-new -j RETURN; }`
`{ ip6tables -w -C INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new >/dev/null 2>&1; } || { ip6tables -w -I INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new; }`
`iptables -w -F f2b-j-w-iptables-new`
`ip6tables -w -F f2b-j-w-iptables-new`
`iptables -w -D INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new`
`iptables -w -X f2b-j-w-iptables-new`
`ip6tables -w -D INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new`
`ip6tables -w -X f2b-j-w-iptables-new`
`iptables -w -C INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new`
`ip6tables -w -C INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new`
`iptables -w -I f2b-j-w-iptables-new 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`
`iptables -w -D f2b-j-w-iptables-new -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`
`ip6tables -w -I f2b-j-w-iptables-new 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`
`ip6tables -w -D f2b-j-w-iptables-new -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`

j-w-iptables-xtre
iptables-xt_recent-echo[name=%(__name__)s, bantime="10m", chain=""]
/f2b-j-w-iptables-xtre`
/f2b-j-w-iptables-xtre6`
`{ iptables -w -C INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre -j REJECT --reject-with icmp-port-unreachable >/dev/null 2>&1; } || { iptables -w -I INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre -j REJECT --reject-with icmp-port-unreachable; }`
`{ ip6tables -w -C INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT --reject-with icmp6-port-unreachable >/dev/null 2>&1; } || { ip6tables -w -I INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT --reject-with icmp6-port-unreachable; }`
`echo / > /proc/net/xt_recent/f2b-j-w-iptables-xtre`
`if [ `id -u` -eq 0 ];then`
`iptables -w -D INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre -j REJECT --reject-with icmp-port-unreachable;`
`fi`
`echo / > /proc/net/xt_recent/f2b-j-w-iptables-xtre6`
`ip6tables -w -D INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT --reject-with icmp6-port-unreachable;`
`{ iptables -w -C INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre -j REJECT --reject-with icmp-port-unreachable; } && test -e /proc/net/xt_recent/f2b-j-w-iptables-xtre`
`{ ip6tables -w -C INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT --reject-with icmp6-port-unreachable; } && test -e /proc/net/xt_recent/f2b-j-w-iptables-xtre6`
`echo +192.0.2.1 > /proc/net/xt_recent/f2b-j-w-iptables-xtre`
`echo -192.0.2.1 > /proc/net/xt_recent/f2b-j-w-iptables-xtre`
`echo +2001:db8:: > /proc/net/xt_recent/f2b-j-w-iptables-xtre6`
`echo -2001:db8:: > /proc/net/xt_recent/f2b-j-w-iptables-xtre6`

j-w-pf
pf[name=%(__name__)s, actionstart_on_demand=false]
`echo "table persist counters" | pfctl -a f2b/j-w-pf -f-`
port=""
`echo "block quick proto tcp from to any port $port" | pfctl -a f2b/j-w-pf -f-`
`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T flush`
`pfctl -a f2b/j-w-pf -sr 2>/dev/null | grep -v f2b-j-w-pf | pfctl -a f2b/j-w-pf -f-`
`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T kill`
`pfctl -a f2b/j-w-pf -sr | grep -q f2b-j-w-pf`
`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T add 192.0.2.1`
`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T delete 192.0.2.1`
`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T add 2001:db8::`
`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T delete 2001:db8::`

j-w-pf-mp
pf[actiontype=][name=%(__name__)s, port="http,https"]
`echo "table persist counters" | pfctl -a f2b/j-w-pf-mp -f-`
port="http,https"
`echo "block quick proto tcp from to any port $port" | pfctl -a f2b/j-w-pf-mp -f-`
`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T flush`
`pfctl -a f2b/j-w-pf-mp -sr 2>/dev/null | grep -v f2b-j-w-pf-mp | pfctl -a f2b/j-w-pf-mp -f-`
`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T kill`
`pfctl -a f2b/j-w-pf-mp -sr | grep -q f2b-j-w-pf-mp`
`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T add 192.0.2.1`
`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T delete 192.0.2.1`
`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T add 2001:db8::`
`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T delete 2001:db8::`

j-w-pf-ap
pf[actiontype=, actionstart_on_demand=true][name=%(__name__)s]
`echo "table persist counters" | pfctl -a f2b/j-w-pf-ap -f-`
`echo "block quick proto tcp from to any" | pfctl -a f2b/j-w-pf-ap -f-`
`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T flush`
`pfctl -a f2b/j-w-pf-ap -sr 2>/dev/null | grep -v f2b-j-w-pf-ap | pfctl -a f2b/j-w-pf-ap -f-`
`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T kill`
`pfctl -a f2b/j-w-pf-ap -sr | grep -q f2b-j-w-pf-ap`
`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T add 192.0.2.1`
`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T delete 192.0.2.1`
`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T add 2001:db8::`
`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T delete 2001:db8::`

j-w-fwcmd-mp
firewallcmd-multiport[name=%(__name__)s, bantime="10m", port="http,https", protocol="tcp", chain=""]
ipv4
ipv6
`firewall-cmd --direct --add-chain ipv4 filter f2b-j-w-fwcmd-mp`
`firewall-cmd --direct --add-rule ipv4 filter f2b-j-w-fwcmd-mp 1000 -j RETURN`
`firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -m conntrack --ctstate NEW -p tcp -m multiport --dports http,https -j f2b-j-w-fwcmd-mp`
`firewall-cmd --direct --add-chain ipv6 filter f2b-j-w-fwcmd-mp`
`firewall-cmd --direct --add-rule ipv6 filter f2b-j-w-fwcmd-mp 1000 -j RETURN`
`firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -m conntrack --ctstate NEW -p tcp -m multiport --dports http,https -j f2b-j-w-fwcmd-mp`
`firewall-cmd --direct --remove-rule ipv4 filter INPUT_direct 0 -m conntrack --ctstate NEW -p tcp -m multiport --dports http,https -j f2b-j-w-fwcmd-mp`
`firewall-cmd --direct --remove-rules ipv4 filter f2b-j-w-fwcmd-mp`
`firewall-cmd --direct --remove-chain ipv4 filter f2b-j-w-fwcmd-mp`
`firewall-cmd --direct --remove-rule ipv6 filter INPUT_direct 0 -m conntrack --ctstate NEW -p tcp -m multiport --dports http,https -j f2b-j-w-fwcmd-mp`
`firewall-cmd --direct --remove-rules ipv6 filter f2b-j-w-fwcmd-mp`
`firewall-cmd --direct --remove-chain ipv6 filter f2b-j-w-fwcmd-mp`
`firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-j-w-fwcmd-mp$'`
`firewall-cmd --direct --get-chains ipv6 filter | sed -e 's, ,\n,g' | grep -q '^f2b-j-w-fwcmd-mp$'`
`firewall-cmd --direct --add-rule ipv4 filter f2b-j-w-fwcmd-mp 0 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`
`firewall-cmd --direct --remove-rule ipv4 filter f2b-j-w-fwcmd-mp 0 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`
`firewall-cmd --direct --add-rule ipv6 filter f2b-j-w-fwcmd-mp 0 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`
`firewall-cmd --direct --remove-rule ipv6 filter f2b-j-w-fwcmd-mp 0 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`

j-w-fwcmd-ap
firewallcmd-allports[name=%(__name__)s, bantime="10m", protocol="tcp", chain=""]
`firewall-cmd --direct --add-chain ipv4 filter f2b-j-w-fwcmd-ap`
`firewall-cmd --direct --add-rule ipv4 filter f2b-j-w-fwcmd-ap 1000 -j RETURN`
`firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -j f2b-j-w-fwcmd-ap`
`firewall-cmd --direct --add-chain ipv6 filter f2b-j-w-fwcmd-ap`
`firewall-cmd --direct --add-rule ipv6 filter f2b-j-w-fwcmd-ap 1000 -j RETURN`
`firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -j f2b-j-w-fwcmd-ap`
`firewall-cmd --direct --remove-rule ipv4 filter INPUT_direct 0 -j f2b-j-w-fwcmd-ap`
`firewall-cmd --direct --remove-rules ipv4 filter f2b-j-w-fwcmd-ap`
`firewall-cmd --direct --remove-chain ipv4 filter f2b-j-w-fwcmd-ap`
`firewall-cmd --direct --remove-rule ipv6 filter INPUT_direct 0 -j f2b-j-w-fwcmd-ap`
`firewall-cmd --direct --remove-rules ipv6 filter f2b-j-w-fwcmd-ap`
`firewall-cmd --direct --remove-chain ipv6 filter f2b-j-w-fwcmd-ap`
`firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-j-w-fwcmd-ap$'`
`firewall-cmd --direct --get-chains ipv6 filter | sed -e 's, ,\n,g' | grep -q '^f2b-j-w-fwcmd-ap$'`
`firewall-cmd --direct --add-rule ipv4 filter f2b-j-w-fwcmd-ap 0 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`
`firewall-cmd --direct --remove-rule ipv4 filter f2b-j-w-fwcmd-ap 0 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`
`firewall-cmd --direct --add-rule ipv6 filter f2b-j-w-fwcmd-ap 0 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`
`firewall-cmd --direct --remove-rule ipv6 filter f2b-j-w-fwcmd-ap 0 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`

j-w-fwcmd-ipset
firewallcmd-ipset[name=%(__name__)s, port="http", protocol="tcp", chain=""]
f2b-j-w-fwcmd-ipset
f2b-j-w-fwcmd-ipset6
`ipset -exist create f2b-j-w-fwcmd-ipset hash:ip timeout 0 `
`firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports http -m set --match-set f2b-j-w-fwcmd-ipset src -j REJECT --reject-with icmp-port-unreachable`
`ipset -exist create f2b-j-w-fwcmd-ipset6 hash:ip timeout 0 family inet6`
`firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -p tcp -m multiport --dports http -m set --match-set f2b-j-w-fwcmd-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`
`ipset flush f2b-j-w-fwcmd-ipset`
`ipset flush f2b-j-w-fwcmd-ipset6`
`firewall-cmd --direct --remove-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports http -m set --match-set f2b-j-w-fwcmd-ipset src -j REJECT --reject-with icmp-port-unreachable`
`ipset destroy f2b-j-w-fwcmd-ipset`
`firewall-cmd --direct --remove-rule ipv6 filter INPUT_direct 0 -p tcp -m multiport --dports http -m set --match-set f2b-j-w-fwcmd-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`
`ipset destroy f2b-j-w-fwcmd-ipset6`
`ipset -exist add f2b-j-w-fwcmd-ipset 192.0.2.1 timeout 0`
`ipset -exist del f2b-j-w-fwcmd-ipset 192.0.2.1`
`ipset -exist add f2b-j-w-fwcmd-ipset6 2001:db8:: timeout 0`
`ipset -exist del f2b-j-w-fwcmd-ipset6 2001:db8::`

j-w-fwcmd-ipset-ap
firewallcmd-ipset[name=%(__name__)s, actiontype=, protocol="tcp", chain=""]
f2b-j-w-fwcmd-ipset-ap
f2b-j-w-fwcmd-ipset-ap6
`ipset -exist create f2b-j-w-fwcmd-ipset-ap hash:ip timeout 0 `
`firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`
`ipset -exist create f2b-j-w-fwcmd-ipset-ap6 hash:ip timeout 0 family inet6`
`firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`
`ipset flush f2b-j-w-fwcmd-ipset-ap`
`ipset flush f2b-j-w-fwcmd-ipset-ap6`
`firewall-cmd --direct --remove-rule ipv4 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`
`ipset destroy f2b-j-w-fwcmd-ipset-ap`
`firewall-cmd --direct --remove-rule ipv6 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`
`ipset destroy f2b-j-w-fwcmd-ipset-ap6`
`ipset -exist add f2b-j-w-fwcmd-ipset-ap 192.0.2.1 timeout 0`
`ipset -exist del f2b-j-w-fwcmd-ipset-ap 192.0.2.1`
`ipset -exist add f2b-j-w-fwcmd-ipset-ap6 2001:db8:: timeout 0`
`ipset -exist del f2b-j-w-fwcmd-ipset-ap6 2001:db8::`

j-fwcmd-rr
firewallcmd-rich-rules[port="22:24", protocol="tcp"]
family='ipv4'
family='ipv6'
`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`
`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`
`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`
`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`

j-fwcmd-rl
firewallcmd-rich-logging[port="22:24", protocol="tcp"]
`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`
`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`
`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`
`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`

# === check ipv4 ===
family
*-check
# === check ipv6 ===
# === flush ===
ServerConfigReaderTests.testCheckStockCommandActions

\)\s*\|\s*(\S*mail\b[^\n]*)
) | cat; printf "\\n... | "; echo \1
\bADDRESSES=\$\(dig\s[^\n]+
ADDRESSES="abuse-1@abuse-test-server, abuse-2@abuse-test-server"
ServerConfigReaderTests._executeMailCmd

j-mail-whois-lines
mail-whois-lines[name=%(__name__)s, grepopts="-m 1", grepmax=2, mailcmd="mail -s", logpath="
testcase01a.log
", _whois_command="echo '-- information about --'"]
The IP 87.142.124.10 has just been banned by Fail2Ban after
100 attempts against j-mail-whois-lines.
Here is more information about 87.142.124.10 :
-- information about 87.142.124.10 --
Lines containing failures of 87.142.124.10 (max 2)
testcase01.log:Dec 31 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 87.142.124.10
testcase01a.log:Dec 31 11:55:01 [sshd] error: PAM: Authentication failure for test from 87.142.124.10

j-sendmail-whois-lines
sendmail-whois-lines[name=%(__name__)s, grepopts="-m 1", grepmax=2, mailcmd='testmail -f "" ""', logpath="
100 attempts against j-sendmail-whois-lines.

j-complain-abuse
complain[name=%(__name__)s, grepopts="-m 1", grepmax=2, mailcmd="mail -s 'Hostname: , family: ' - ",debug=1,logpath="
", ]
try to resolve 10.124.142.87.abuse-contacts.abusix.org
mail -s Hostname: test-host, family: inet4 - Abuse from 87.142.124.10 abuse-1@abuse-test-server abuse-2@abuse-test-server
try to resolve 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.abuse-contacts.abusix.org
Lines containing failures of 2001:db8::1 (max 2)
mail -s Hostname: test-host, family: inet6 - Abuse from 2001:db8::1 abuse-1@abuse-test-server abuse-2@abuse-test-server

j-xarf-abuse
xarf-login-attack[name=%(__name__)s, mailcmd="mail", mailargs="",debug=1]
We have detected abuse from the IP address 87.142.124.10
Dec 31 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 87.142.124.10
Dec 31 11:55:01 [sshd] error: PAM: Authentication failure for test from 87.142.124.10
mail abuse-1@abuse-test-server abuse-2@abuse-test-server
We have detected abuse from the IP address 2001:db8::1

87.142.124.10
2001:db8::1
# === %s ===
ServerConfigReaderTests.testComplexMailActionMultiLog