fail2ban/fail2ban-opensuse-service.patch

diff -ur fail2ban-0.10.1.orig/files/fail2ban.service.in fail2ban-0.10.1/files/fail2ban.service.in
--- fail2ban-0.10.1.orig/files/fail2ban.service.in	2017-10-12 13:46:46.000000000 +0200
+++ fail2ban-0.10.1/files/fail2ban.service.in	2017-10-21 07:33:59.289164729 +0200
@@ -1,17 +1,18 @@
 [Unit]
 Description=Fail2Ban Service
 Documentation=man:fail2ban(1)
-After=network.target iptables.service firewalld.service
-PartOf=iptables.service firewalld.service
+After=network.target iptables.service firewalld.service SuSEfirewall2.service
+PartOf=iptables.service firewalld.service SuSEfirewall2.service
 
 [Service]
 Type=simple
+EnvironmentFile=-/etc/sysconfig/fail2ban
 ExecStartPre=/bin/mkdir -p /var/run/fail2ban
-ExecStart=@BINDIR@/fail2ban-server -xf start
+ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start
 # if should be logged in systemd journal, use following line or set logtarget to stdout in fail2ban.local
-# ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=stdout start
-ExecStop=@BINDIR@/fail2ban-client stop
-ExecReload=@BINDIR@/fail2ban-client reload
+# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=stdout start
+ExecStop=/usr/bin/fail2ban-client stop
+ExecReload=/usr/bin/fail2ban-client reload
 PIDFile=/var/run/fail2ban/fail2ban.pid
 Restart=on-failure
 RestartPreventExitStatus=0 255
Accepting request 536273 from home:weberho:branches:security - Updated to version 0.10.1. Changelog: https://github.com/fail2ban/fail2ban/blob/0.10/ChangeLog - Removed 607568f.patch and 1783.patch - New features: * IPv6 support - IP addresses are now handled as objects rather than strings capable for handling both address types IPv4 and IPv6 - iptables related actions have been amended to support IPv6 specific actions additionally - hostsdeny and route actions have been tested to be aware of v4 and v6 already - pf action for BSD systems has been improved and supports now also v4 and v6 - name resolution is now working for either address type - new conditional section functionality used in config resp. includes: - [Init?family=inet4] - IPv4 qualified hosts only - [Init?family=inet6] - IPv6 qualified hosts only Reporting via abuseipdb.com - Bans can now be reported to abuseipdb - Catagories must be set in the config - Relevant log lines included in report * Several commands extended and new commands introduced * Implemented execution of `actionstart` on demand * nftables actions are IPv6-capable now * Introduced new filter option `prefregex` for pre-filtering using single regular expression * Many times faster because of several optimizations * Several filters optimized * Introduced new jail option "ignoreself" - Lots of fixes and internal improvements - Incompatibitilities: * Filter (or `failregex`) internal capture-groups: - If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should rewrite the regex like in example below resp. using `(?:(?P=ip4)\|(?P=ip6)` instead of `(?P=host)` (or `(?:(?P=ip4)\|(?P=ip6)\|(?P=dns))` corresponding your `usedns` and `raw` settings). Of course you can always your own capture-group (like below `_cond_ip_`) to do this. ``` testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1" fail2ban-regex "$testln" "^\sfailure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$" ``` - New internal groups (currently reserved for internal usage): `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if mapping from tag `<F->` used in failregex (e. g. `user` by `<F-USER>`). * v.0.10 uses more precise date template handling, that can be theoretically incompatible to some user configurations resp. `datepattern`. * Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are IPv6-capable now. OBS-URL: https://build.opensuse.org/request/show/536273 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=83 2017-10-24 12:04:00 +02:00			`diff -ur fail2ban-0.10.1.orig/files/fail2ban.service.in fail2ban-0.10.1/files/fail2ban.service.in`
			`--- fail2ban-0.10.1.orig/files/fail2ban.service.in 2017-10-12 13:46:46.000000000 +0200`
			`+++ fail2ban-0.10.1/files/fail2ban.service.in 2017-10-21 07:33:59.289164729 +0200`
			`@@ -1,17 +1,18 @@`
Accepting request 314731 from home:weberho:branches:security Major update to version 0.9.2 OBS-URL: https://build.opensuse.org/request/show/314731 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=59 2015-07-01 21:56:17 +02:00			`[Unit]`
			`Description=Fail2Ban Service`
			`Documentation=man:fail2ban(1)`
			`-After=network.target iptables.service firewalld.service`
Accepting request 369600 from home:weberho:branches:security - Update to version 0.9.4 - Defined services which per default uses systemd logger - The update to this versions allow to close boo#917818, as the logger-backends for several services are now centrally set in /etc/fail2ban/paths-opensuse.conf OBS-URL: https://build.opensuse.org/request/show/369600 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=69 2016-03-10 13:14:45 +01:00			`-PartOf=iptables.service firewalld.service`
Accepting request 536273 from home:weberho:branches:security - Updated to version 0.10.1. Changelog: https://github.com/fail2ban/fail2ban/blob/0.10/ChangeLog - Removed 607568f.patch and 1783.patch - New features: * IPv6 support - IP addresses are now handled as objects rather than strings capable for handling both address types IPv4 and IPv6 - iptables related actions have been amended to support IPv6 specific actions additionally - hostsdeny and route actions have been tested to be aware of v4 and v6 already - pf action for BSD systems has been improved and supports now also v4 and v6 - name resolution is now working for either address type - new conditional section functionality used in config resp. includes: - [Init?family=inet4] - IPv4 qualified hosts only - [Init?family=inet6] - IPv6 qualified hosts only Reporting via abuseipdb.com - Bans can now be reported to abuseipdb - Catagories must be set in the config - Relevant log lines included in report * Several commands extended and new commands introduced * Implemented execution of `actionstart` on demand * nftables actions are IPv6-capable now * Introduced new filter option `prefregex` for pre-filtering using single regular expression * Many times faster because of several optimizations * Several filters optimized * Introduced new jail option "ignoreself" - Lots of fixes and internal improvements - Incompatibitilities: * Filter (or `failregex`) internal capture-groups: - If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should rewrite the regex like in example below resp. using `(?:(?P=ip4)\|(?P=ip6)` instead of `(?P=host)` (or `(?:(?P=ip4)\|(?P=ip6)\|(?P=dns))` corresponding your `usedns` and `raw` settings). Of course you can always your own capture-group (like below `_cond_ip_`) to do this. ``` testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1" fail2ban-regex "$testln" "^\sfailure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$" ``` - New internal groups (currently reserved for internal usage): `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if mapping from tag `<F->` used in failregex (e. g. `user` by `<F-USER>`). * v.0.10 uses more precise date template handling, that can be theoretically incompatible to some user configurations resp. `datepattern`. * Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are IPv6-capable now. OBS-URL: https://build.opensuse.org/request/show/536273 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=83 2017-10-24 12:04:00 +02:00			`+After=network.target iptables.service firewalld.service SuSEfirewall2.service`
			`+PartOf=iptables.service firewalld.service SuSEfirewall2.service`
Accepting request 314731 from home:weberho:branches:security Major update to version 0.9.2 OBS-URL: https://build.opensuse.org/request/show/314731 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=59 2015-07-01 21:56:17 +02:00
			`[Service]`
Accepting request 536273 from home:weberho:branches:security - Updated to version 0.10.1. Changelog: https://github.com/fail2ban/fail2ban/blob/0.10/ChangeLog - Removed 607568f.patch and 1783.patch - New features: * IPv6 support - IP addresses are now handled as objects rather than strings capable for handling both address types IPv4 and IPv6 - iptables related actions have been amended to support IPv6 specific actions additionally - hostsdeny and route actions have been tested to be aware of v4 and v6 already - pf action for BSD systems has been improved and supports now also v4 and v6 - name resolution is now working for either address type - new conditional section functionality used in config resp. includes: - [Init?family=inet4] - IPv4 qualified hosts only - [Init?family=inet6] - IPv6 qualified hosts only Reporting via abuseipdb.com - Bans can now be reported to abuseipdb - Catagories must be set in the config - Relevant log lines included in report * Several commands extended and new commands introduced * Implemented execution of `actionstart` on demand * nftables actions are IPv6-capable now * Introduced new filter option `prefregex` for pre-filtering using single regular expression * Many times faster because of several optimizations * Several filters optimized * Introduced new jail option "ignoreself" - Lots of fixes and internal improvements - Incompatibitilities: * Filter (or `failregex`) internal capture-groups: - If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should rewrite the regex like in example below resp. using `(?:(?P=ip4)\|(?P=ip6)` instead of `(?P=host)` (or `(?:(?P=ip4)\|(?P=ip6)\|(?P=dns))` corresponding your `usedns` and `raw` settings). Of course you can always your own capture-group (like below `_cond_ip_`) to do this. ``` testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1" fail2ban-regex "$testln" "^\sfailure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$" ``` - New internal groups (currently reserved for internal usage): `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if mapping from tag `<F->` used in failregex (e. g. `user` by `<F-USER>`). * v.0.10 uses more precise date template handling, that can be theoretically incompatible to some user configurations resp. `datepattern`. * Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are IPv6-capable now. OBS-URL: https://build.opensuse.org/request/show/536273 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=83 2017-10-24 12:04:00 +02:00			`Type=simple`
Accepting request 314731 from home:weberho:branches:security Major update to version 0.9.2 OBS-URL: https://build.opensuse.org/request/show/314731 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=59 2015-07-01 21:56:17 +02:00			`+EnvironmentFile=-/etc/sysconfig/fail2ban`
Accepting request 536273 from home:weberho:branches:security - Updated to version 0.10.1. Changelog: https://github.com/fail2ban/fail2ban/blob/0.10/ChangeLog - Removed 607568f.patch and 1783.patch - New features: * IPv6 support - IP addresses are now handled as objects rather than strings capable for handling both address types IPv4 and IPv6 - iptables related actions have been amended to support IPv6 specific actions additionally - hostsdeny and route actions have been tested to be aware of v4 and v6 already - pf action for BSD systems has been improved and supports now also v4 and v6 - name resolution is now working for either address type - new conditional section functionality used in config resp. includes: - [Init?family=inet4] - IPv4 qualified hosts only - [Init?family=inet6] - IPv6 qualified hosts only Reporting via abuseipdb.com - Bans can now be reported to abuseipdb - Catagories must be set in the config - Relevant log lines included in report * Several commands extended and new commands introduced * Implemented execution of `actionstart` on demand * nftables actions are IPv6-capable now * Introduced new filter option `prefregex` for pre-filtering using single regular expression * Many times faster because of several optimizations * Several filters optimized * Introduced new jail option "ignoreself" - Lots of fixes and internal improvements - Incompatibitilities: * Filter (or `failregex`) internal capture-groups: - If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should rewrite the regex like in example below resp. using `(?:(?P=ip4)\|(?P=ip6)` instead of `(?P=host)` (or `(?:(?P=ip4)\|(?P=ip6)\|(?P=dns))` corresponding your `usedns` and `raw` settings). Of course you can always your own capture-group (like below `_cond_ip_`) to do this. ``` testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1" fail2ban-regex "$testln" "^\sfailure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$" ``` - New internal groups (currently reserved for internal usage): `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if mapping from tag `<F->` used in failregex (e. g. `user` by `<F-USER>`). * v.0.10 uses more precise date template handling, that can be theoretically incompatible to some user configurations resp. `datepattern`. * Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are IPv6-capable now. OBS-URL: https://build.opensuse.org/request/show/536273 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=83 2017-10-24 12:04:00 +02:00			`ExecStartPre=/bin/mkdir -p /var/run/fail2ban`
			`-ExecStart=@BINDIR@/fail2ban-server -xf start`
			`+ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start`
			`# if should be logged in systemd journal, use following line or set logtarget to stdout in fail2ban.local`
			`-# ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=stdout start`
			`-ExecStop=@BINDIR@/fail2ban-client stop`
			`-ExecReload=@BINDIR@/fail2ban-client reload`
			`+# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=stdout start`
			`+ExecStop=/usr/bin/fail2ban-client stop`
			`+ExecReload=/usr/bin/fail2ban-client reload`
Accepting request 314731 from home:weberho:branches:security Major update to version 0.9.2 OBS-URL: https://build.opensuse.org/request/show/314731 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=59 2015-07-01 21:56:17 +02:00			`PIDFile=/var/run/fail2ban/fail2ban.pid`
Accepting request 536273 from home:weberho:branches:security - Updated to version 0.10.1. Changelog: https://github.com/fail2ban/fail2ban/blob/0.10/ChangeLog - Removed 607568f.patch and 1783.patch - New features: * IPv6 support - IP addresses are now handled as objects rather than strings capable for handling both address types IPv4 and IPv6 - iptables related actions have been amended to support IPv6 specific actions additionally - hostsdeny and route actions have been tested to be aware of v4 and v6 already - pf action for BSD systems has been improved and supports now also v4 and v6 - name resolution is now working for either address type - new conditional section functionality used in config resp. includes: - [Init?family=inet4] - IPv4 qualified hosts only - [Init?family=inet6] - IPv6 qualified hosts only Reporting via abuseipdb.com - Bans can now be reported to abuseipdb - Catagories must be set in the config - Relevant log lines included in report * Several commands extended and new commands introduced * Implemented execution of `actionstart` on demand * nftables actions are IPv6-capable now * Introduced new filter option `prefregex` for pre-filtering using single regular expression * Many times faster because of several optimizations * Several filters optimized * Introduced new jail option "ignoreself" - Lots of fixes and internal improvements - Incompatibitilities: * Filter (or `failregex`) internal capture-groups: - If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should rewrite the regex like in example below resp. using `(?:(?P=ip4)\|(?P=ip6)` instead of `(?P=host)` (or `(?:(?P=ip4)\|(?P=ip6)\|(?P=dns))` corresponding your `usedns` and `raw` settings). Of course you can always your own capture-group (like below `_cond_ip_`) to do this. ``` testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1" fail2ban-regex "$testln" "^\sfailure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$" ``` - New internal groups (currently reserved for internal usage): `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if mapping from tag `<F->` used in failregex (e. g. `user` by `<F-USER>`). * v.0.10 uses more precise date template handling, that can be theoretically incompatible to some user configurations resp. `datepattern`. * Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are IPv6-capable now. OBS-URL: https://build.opensuse.org/request/show/536273 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=83 2017-10-24 12:04:00 +02:00			`Restart=on-failure`
			`RestartPreventExitStatus=0 255`