Accepting request 1288744 from security

Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1288744
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=75

f2b-restart.conf

@@ -1,5 +0,0 @@
-# When a restart is issued for SuSEfirewall2, fail2ban.service too must be
-# restarted, which is what this drop-in file does.
-
-[Unit]
-PartOf=SuSEfirewall2.service

fail2ban-0.10.4-env-script-interpreter.patch

@@ -1,6 +1,7 @@
-diff -ur fail2ban-0.10.4-orig/config/filter.d/ignorecommands/apache-fakegooglebot fail2ban-0.10.4/config/filter.d/ignorecommands/apache-fakegooglebot
+Index: fail2ban-1.1.0/config/filter.d/ignorecommands/apache-fakegooglebot
---- fail2ban-0.10.4-orig/config/filter.d/ignorecommands/apache-fakegooglebot	2018-10-04 11:26:22.000000000 +0200
+===================================================================
-+++ fail2ban-0.10.4/config/filter.d/ignorecommands/apache-fakegooglebot	2019-08-12 10:46:05.067842214 +0200
+--- fail2ban-1.1.0.orig/config/filter.d/ignorecommands/apache-fakegooglebot
++++ fail2ban-1.1.0/config/filter.d/ignorecommands/apache-fakegooglebot
 @@ -1,4 +1,4 @@
 -#!/usr/bin/env fail2ban-python
 +#!/usr/bin/fail2ban-python

fail2ban-1.0.2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ae8b0b41f27a7be12d40488789d6c258029b23a01168e3c0d347ee80b325ac23
-size 583295

fail2ban-1.0.2.tar.gz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAmNr0KgACgkQaDvxvr0K
-iCyG4Af/eP5ZQvTiGjo/f1oOuBH8wOo7ARlFOcQIbdhXy10vk3bqDjYHVWzXh12Q
-EdfyJVMXFI3XnDQkdXulOjnhX6YK3qYruudl0oDE7jyIWbHETFUpY7y00uxjTD+A
-aBk4XqBym67BtBR/5dfnhXOBYZ9EXcbopvEQXq1Lm4jRSurSQCiVpMY44psW60Rb
-dt1fdIg/GTjhsYNWO2L6DCObV1qdJcdk8Zw7rvk9aHe7iZ+PZW7htG8erTzzV9LV
-Lq6Bcwz6tEFInTvDBZXIhBimYrquWp97qwEC3d1cNbv9pjN69czgLtRaq5EiVu4R
-e8+y9LLToHFjKeji436S6985hBQnEA==
-=jGOy
------END PGP SIGNATURE-----

fail2ban-1.1.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:474fcc25afdaf929c74329d1e4d24420caabeea1ef2e041a267ce19269570bae
+size 603854

fail2ban-1.1.0.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAmYqzEoACgkQaDvxvr0K
+iCwMfQf9GcxsuVs/LiHeDYmmvFOxCmS2zO4K5pzDuX1JmtSzKCj9HbPSxUWbIZIc
+yJv+x8t6QNBPBMnxI70TP+RcxKpCO4Fc2WRcrYS5B6gDTKy9Ty0fHorHlA4QQthu
+ywoqxf1eddQKcwlk+lw/wI1QPwZ1xA93BkasJht/bTnhAvXJBeN1Tgf+jZ23bHHf
+9FIGV8zt8fvaAIG8lB22AD/+PhSYEkp1TRuRx9VEuBbkH00u1i054I0cHTrsu3Fr
+jTIljf5TgpmFyXHBCA6JT6nnGn0jsaNDT/lBNxUmw5BmMxGWUTv4SlKbcjKjgXRH
+MTZipOHHYPx/7IyKJJvB1p1gvmOxyg==
+=qvry
+-----END PGP SIGNATURE-----

fail2ban-disable-iptables-w-option.patch

@@ -1,14 +0,0 @@
---- fail2ban-1.0.1/config/action.d/iptables.conf.orig	2022-10-12 11:35:25.789327341 +0200
-+++ fail2ban-1.0.1/config/action.d/iptables.conf	2022-10-12 11:35:40.585449861 +0200
-@@ -138,8 +138,10 @@
- #          running concurrently and causing irratic behavior.  -w was introduced
- #          in iptables 1.4.20, so might be absent on older systems
- #          See https://github.com/fail2ban/fail2ban/issues/1122
-+#          The default option "-w" can be used for openSUSE versions 13.2+ and
-+#          for updated versions of openSUSE 13.1; SLE 12 supports this option.
- # Values:  STRING
--lockingopt = -w
-+lockingopt =
- 
- # Option:  iptables
- # Notes.:  Actual command to be executed, including common to all calls options

fail2ban-fix-openssh98.patch

@@ -1,7 +1,7 @@
-Index: fail2ban-1.0.2/config/filter.d/sshd.conf
+Index: fail2ban-1.1.0/config/filter.d/sshd.conf
 ===================================================================
---- fail2ban-1.0.2.orig/config/filter.d/sshd.conf
+--- fail2ban-1.1.0.orig/config/filter.d/sshd.conf
-+++ fail2ban-1.0.2/config/filter.d/sshd.conf
++++ fail2ban-1.1.0/config/filter.d/sshd.conf
 @@ -16,7 +16,7 @@ before = common.conf
  
  [DEFAULT]

fail2ban-opensuse-locations.patch

@@ -1,8 +1,8 @@
-Index: fail2ban-1.0.1/config/jail.conf
+Index: fail2ban-1.1.0/config/jail.conf
 ===================================================================
---- fail2ban-1.0.1.orig/config/jail.conf
+--- fail2ban-1.1.0.orig/config/jail.conf
-+++ fail2ban-1.0.1/config/jail.conf
++++ fail2ban-1.1.0/config/jail.conf
-@@ -731,7 +731,7 @@ backend = %(syslog_backend)s
+@@ -735,7 +735,7 @@ backend = %(syslog_backend)s
  # filter   = named-refused
  # port     = domain,953
  # protocol = udp
@@ -11,7 +11,7 @@ Index: fail2ban-1.0.1/config/jail.conf
  
  # IMPORTANT: see filter.d/named-refused for instructions to enable logging
  # This jail blocks TCP traffic for DNS requests.
-@@ -739,7 +739,7 @@ backend = %(syslog_backend)s
+@@ -743,7 +743,7 @@ backend = %(syslog_backend)s
  [named-refused]
  
  port     = domain,953
@@ -20,10 +20,10 @@ Index: fail2ban-1.0.1/config/jail.conf
  
  
  [nsd]
-Index: fail2ban-1.0.1/config/paths-common.conf
+Index: fail2ban-1.1.0/config/paths-common.conf
 ===================================================================
---- fail2ban-1.0.1.orig/config/paths-common.conf
+--- fail2ban-1.1.0.orig/config/paths-common.conf
-+++ fail2ban-1.0.1/config/paths-common.conf
++++ fail2ban-1.1.0/config/paths-common.conf
 @@ -90,4 +90,4 @@ solidpop3d_log = %(syslog_local0)s
  mysql_log = %(syslog_daemon)s
  mysql_backend = %(default_backend)s

fail2ban-opensuse-service-sfw.patch

@@ -1,14 +0,0 @@
-diff -ur fail2ban-0.10.4-orig/files/fail2ban.service.in fail2ban-0.10.4/files/fail2ban.service.in
---- fail2ban-0.10.4-orig/files/fail2ban.service.in	2019-08-12 11:27:18.175106400 +0200
-+++ fail2ban-0.10.4/files/fail2ban.service.in	2019-08-12 11:28:42.045116215 +0200
-@@ -1,8 +1,8 @@
- [Unit]
- Description=Fail2Ban Service
- Documentation=man:fail2ban(1)
--After=network.target iptables.service firewalld.service ip6tables.service ipset.service
--PartOf=iptables.service firewalld.service ip6tables.service ipset.service
-+After=network.target iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
-+PartOf=iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
- 
- [Service]
- Type=simple

fail2ban-opensuse-service.patch

@@ -1,27 +0,0 @@
-diff -ur fail2ban-0.11.2-orig/files/fail2ban.service.in fail2ban-0.11.2/files/fail2ban.service.in
---- fail2ban-0.11.2-orig/files/fail2ban.service.in	2020-11-23 21:43:03.000000000 +0100
-+++ fail2ban-0.11.2/files/fail2ban.service.in	2020-12-05 18:22:01.503018894 +0100
-@@ -2,17 +2,18 @@
- Description=Fail2Ban Service
- Documentation=man:fail2ban(1)
- After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
--PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service
-+PartOf=firewalld.service
- 
- [Service]
- Type=simple
-+EnvironmentFile=-/etc/sysconfig/fail2ban
- Environment="PYTHONNOUSERSITE=1"
- ExecStartPre=/bin/mkdir -p /run/fail2ban
--ExecStart=@BINDIR@/fail2ban-server -xf start
-+ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start
- # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
--# ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start
--ExecStop=@BINDIR@/fail2ban-client stop
--ExecReload=@BINDIR@/fail2ban-client reload
-+# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
-+ExecStop=/usr/bin/fail2ban-client stop
-+ExecReload=/usr/bin/fail2ban-client reload
- PIDFile=/run/fail2ban/fail2ban.pid
- Restart=on-failure
- RestartPreventExitStatus=0 255

fail2ban.changes

@@ -1,3 +1,119 @@
+-------------------------------------------------------------------
+Thu Jun 19 19:00:38 UTC 2025 - chris@computersalat.de
+
+- fix build
+  * service file install
+- some rpmlint fixes
+- Add fail2ban_service.patch
+- rebase patches
+  * fail2ban-0.10.4-env-script-interpreter.patch
+  * fail2ban-fix-openssh98.patch
+  * fail2ban-opensuse-locations.patch
+  * harden_fail2ban.service.patch
+
+-------------------------------------------------------------------
+Mon Jun 16 22:37:03 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- spec:
+  * Drop noarch due to /usr/bin/fail2ban-python ELF
+  * noarch for monitoring subpackage
+
+-------------------------------------------------------------------
+Fri Jun 13 12:31:06 UTC 2025 - Nathan Cutler <ncutler@suse.com>
+
+- Add setup-py-install-dir.patch:
+  * fix unit file population broken by switch to %pyproject_wheel
+
+-------------------------------------------------------------------
+Wed Jun 11 13:04:39 UTC 2025 - Nathan Cutler <ncutler@suse.com>
+
+- spec:
+  * simplify manual installation of files under /etc and /usr from
+    the wheel 
+
+-------------------------------------------------------------------
+Tue Jun 10 13:23:16 UTC 2025 - Nathan Cutler <ncutler@suse.com>
+
+- spec:
+  * Use pyproject macros to build and install (including
+    implementing manual install for files under /etc and /usr from
+    the wheel)
+  * some BuildRequires cleanup
+
+-------------------------------------------------------------------
+Fri Jun  6 11:15:38 UTC 2025 - Max Lin <mlin@suse.com>
+
+- Add %python3_fix_shebang macro
+
+-------------------------------------------------------------------
+Sat Mar 29 13:31:43 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- distutils (provided by python3-setuptools) is also needed during
+  time, or f2b cannot launch the systemd log analyzer backend.
+- Delete all pre-SUSE-15.x build instructions.
+- Delete fail2ban-opensuse-service-sfw.patch,
+  fail2ban-opensuse-service.patch, sfw-fail2ban.conf,
+  since this mostly part of the pristine fail2ban.service.in
+  already. (Unit modified in %install for SFW.)
+
+-------------------------------------------------------------------
+Mon Mar 10 03:39:37 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Add BuildRequires on setuptools, required for Python 3.12+.
+
+-------------------------------------------------------------------
+Wed Oct 23 09:08:23 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- update to 1.1.0:
+  * circumvent SEGFAULT in a python's socket module by
+    getaddrinfo with disabled IPv6 (gh-3438)
+  * avoid sporadic error in pyinotify backend if pending file
+    deleted in other thread, e. g. by flushing logs (gh-3635)
+  * `action.d/cloudflare-token.conf` - fixes gh-3479, url-encode
+    args by unban
+  * `action.d/*ipset*`: make `maxelem` ipset option configurable
+    through banaction arguments (gh-3564)
+  * `filter.d/apache-common.conf` - accepts remote besides client
+    (gh-3622)
+  * `filter.d/mysqld-auth.conf` - matches also if no suffix in
+    message (mariadb 10.3 log format, gh-3603)
+  * `filter.d/nginx-*.conf` - nginx error-log filters extended
+    with support of journal format (gh-3646)
+  * `filter.d/postfix.conf`:
+    - "rejected" rule extended to match "Access denied" too
+    - avoid double counting ('lost connection after AUTH'
+      together with message 'disconnect ...', gh-3505)
+    - add Sender address rejected: Malformed DNS server reply
+    - add to postfix syslog daemon format (gh-3690)
+    - change journalmatch postfix, allow sub-units with
+      postfix@-.service (gh-3692)
+  * `filter.d/recidive.conf`: support for systemd-journal,
+    conditional RE depending on logtype (for file or journal,
+    gh-3693)
+  * `filter.d/slapd.conf` - filter rewritten for single-line
+    processing, matches errored result without `text=...`
+    (gh-3604)
+  * supports python 3.12 and 3.13 (gh-3487)
+  * bundling async modules removed in python 3.12+ (fallback to
+    local libraries pyasyncore/pyasynchat if import would miss
+    them, gh-3487)
+  * `fail2ban-client` extended (gh-2975):
+    - `fail2ban-client status --all [flavor]` - returns status
+      of fail2ban and all jails in usual form
+    - `fail2ban-client stats` - returns statistic in form of
+      table (jail, backend, found and banned counts)
+    - `fail2ban-client statistic` or `fail2ban-client
+      statistics` - same as `fail2ban-client stats` (aliases for
+      stats)
+    - `fail2ban-client status --all stats` - (undocumented,
+      flavor "stats") returns statistic of all jails in form of
+      python dict
+  * `fail2ban-regex` extended to load settings from jail (by
+     simple name it'd prefer jail to the filter now, gh-2655);
+- drop fail2ban-disable-iptables-w-option.patch: only needed for
+  sle10 and older, which is no longer supported (is now python >=
+  3.5)
+
 -------------------------------------------------------------------
 Wed Sep  4 07:54:06 UTC 2024 - Marcus Meissner <meissner@suse.com>
 

fail2ban.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package fail2ban
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,13 +16,15 @@
 #
 
 
+%define pythons python3
+
 %{!?tmpfiles_create:%global tmpfiles_create systemd-tmpfiles --create}
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           fail2ban
-Version:        1.0.2
+Version:        1.1.0
 Release:        0
 Summary:        Bans IP addresses that make too many authentication failures
 License:        GPL-2.0-or-later
@@ -33,55 +35,47 @@ Source1:        https://github.com/fail2ban/fail2ban/releases/download/%{version
 Source2:        %{name}.sysconfig
 Source3:        %{name}.logrotate
 Source5:        %{name}.tmpfiles
-Source6:        sfw-fail2ban.conf
-Source7:        f2b-restart.conf
 # Path definitions have been submitted to upstream
 Source8:        paths-opensuse.conf
 Source200:      fail2ban.keyring
 # PATCH-FIX-OPENSUSE fail2ban-opensuse-locations.patch bnc#878028 jweberhofer@weberhofer.at -- update default locations for logfiles
 Patch100:       %{name}-opensuse-locations.patch
-# PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberhofer@weberhofer.at -- openSUSE modifications to the service file
-Patch101:       %{name}-opensuse-service.patch
-# PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases
-Patch200:       %{name}-disable-iptables-w-option.patch
 # PATCH-FIX-OPENSUSE fail2ban-0.10.4-env-script-interpreter.patch jweberhofer@weberhofer.at -- use exact path to define interpretor
 Patch201:       %{name}-0.10.4-env-script-interpreter.patch
-# PATCH-FEATURE-OPENSUSE fail2ban-opensuse-service-sfw.patch jweberhofer@weberhofer.at -- start after SuSEfirewall2 only for older distributions
+# PATCH-FEATURE-OPENSUSE fail2ban_service.patch chris@computersalat.de -- Add [Service] EnvironmentFile
-Patch300:       fail2ban-opensuse-service-sfw.patch
+Patch300:       %{name}_service.patch
 # PATCH-FEATURE-OPENSUSE harden_fail2ban.service.patch jsegitz@suse.com -- Added hardening to systemd service(s) bsc#1181400
 Patch301:       harden_fail2ban.service.patch
 # PATCH-FIX-OPENSUSE fail2ban-fix-openssh98.patch meissner@suse.com -- support openssh9.8 bsc#1230101
 Patch302:       fail2ban-fix-openssh98.patch
+# PATCH-FIX-OPENSUSE setup-py-install-dir.patch ncutler@suse.com -- fix unit file population broken by switch to pyproject_wheel macro
+Patch303:       setup-py-install-dir.patch
+BuildRequires:  %{python_module pip}
+BuildRequires:  %{python_module pyinotify >= 0.8.3}
+BuildRequires:  %{python_module setuptools}
+BuildRequires:  %{python_module systemd}
+BuildRequires:  %{python_module tools}
+BuildRequires:  %{python_module wheel}
 BuildRequires:  fdupes
 BuildRequires:  logrotate
 BuildRequires:  python-rpm-macros
-BuildRequires:  python3-tools
 # timezone package is required to run the tests
 BuildRequires:  timezone
 Requires:       cron
 Requires:       ed
 Requires:       iptables
 Requires:       logrotate
-Requires:       python3 >= 3.2
+Requires:       python3 >= 3.5
+Requires:       python3-setuptools
 Requires:       whois
-%if 0%{?suse_version} != 1110
-BuildArch:      noarch
-%endif
-%if 0%{?suse_version} >= 1230
-# systemd
-BuildRequires:  python3-systemd
 BuildRequires:  pkgconfig(systemd)
 Requires:       python3-systemd
 Requires:       systemd > 204
 %{?systemd_requires}
-%else
-# no systemd (the init-script requires lsof)
-Requires:       lsof
-Requires:       syslog
-%endif
-%if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010  && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315
-BuildRequires:  python3-pyinotify >= 0.8.3
 Requires:       python3-pyinotify >= 0.8.3
+%if 0%{?suse_version} < 1600
+Provides:       SuSEfirewall2-%{name} = %{version}
+Obsoletes:      SuSEfirewall2-%{name} < %{version}
 %endif
 
 %description
@@ -91,22 +85,10 @@ reject the IP address, can send e-mails, or set host.deny entries.  These rules
 can be defined by the user. Fail2Ban can read multiple log files such as sshd
 or Apache web server ones.
 
-%if !0%{?suse_version} > 1500
-%package -n SuSEfirewall2-%{name}
-Summary:        Files for integrating fail2ban into SuSEfirewall2 via systemd
-Group:          Productivity/Networking/Security
-Requires:       SuSEfirewall2
-Requires:       fail2ban
-
-%description -n SuSEfirewall2-%{name}
-This package ships systemd files which will cause fail2ban to be ordered in
-relation to SuSEfirewall2 such that the two can be run concurrently within
-reason, i.e. SFW will always run first because it does a table flush.
-%endif
-
 %package -n monitoring-plugins-%{name}
 Summary:        Check fail2ban server and how many IPs are currently banned
 Group:          System/Monitoring
+BuildArch:      noarch
 %if 0%{?suse_version}
 BuildRequires:  nagios-rpm-macros
 %else
@@ -133,16 +115,11 @@ install -m644 %{SOURCE8} config/paths-opensuse.conf
 sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf
 
 %patch -P 100 -p1
-%patch -P 101 -p1
-%if 0%{?suse_version} < 1310
-%patch -P 200 -p1
-%endif
 %patch -P 201 -p1
-%if !0%{?suse_version} > 1500
 %patch -P 300 -p1
-%endif
 %patch -P 301 -p1
 %patch -P 302 -p1
+%patch -P 303 -p1
 
 rm 	config/paths-arch.conf \
 	config/paths-debian.conf \
@@ -153,129 +130,77 @@ rm 	config/paths-arch.conf \
 # correct doc-path
 sed -i -e 's|%{_datadir}/doc/%{name}|%{_docdir}/%{name}|' setup.py
 
-# remove syslogd-logger settings for older distributions
-%if 0%{?suse_version} < 1230
-sed -i -e 's|^\([^_]*_backend = systemd\)|#\1|' config/paths-opensuse.conf
-%endif
-
 %build
 export CFLAGS="%{optflags}"
-./fail2ban-2to3
+export SERVICE_BINDIR="%{_bindir}"
-python3 setup.py build
+%pyproject_wheel
 gzip man/*.{1,5}
 
 %install
-python3 setup.py install \
+%pyproject_install
-	--root=%{buildroot} \
+%python_expand %fdupes %{buildroot}%{python3_sitelib}
-	--prefix=%{_prefix}
 
 install -d -m 755 %{buildroot}%{_mandir}/man{1,5}
-install -p -m 644 man/fail2ban-*.1.gz %{buildroot}%{_mandir}/man1
+install -m 644 man/fail2ban-*.1.gz %{buildroot}%{_mandir}/man1
-install -p -m 644 man/jail.conf.5.gz %{buildroot}%{_mandir}/man5
+install -m 644 man/jail.conf.5.gz %{buildroot}%{_mandir}/man5
 
 install -d -m 755 %{buildroot}%{_initddir}
 install -d -m 755 %{buildroot}%{_sbindir}
 
-%if 0%{?suse_version} > 1310
 # use /run directory
 install -d -m 755 %{buildroot}/run
 touch %{buildroot}/run/%{name}
-%else
-#use /var/run directory
-install -d -m 755 %{buildroot}%{_localstatedir}/run/%{name}
-%endif
 
-%if 0%{?suse_version} >= 1230
 # systemd
-install -d -m 755 %{buildroot}%{_unitdir}
+if [[ ! -f build/fail2ban.service ]]; then
-install -p -m 644 files/%{name}.service.in %{buildroot}%{_unitdir}/%{name}.service
+  sed -e "s|@BINDIR@|%{_bindir}|g" files/fail2ban.service.in > build/fail2ban.service
-
+fi
-install -d -m 755 %{buildroot}%{_tmpfilesdir}
+install -D -m 644 build/fail2ban.service "%{buildroot}/%{_unitdir}/%{name}.service"
-install -p -m 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+install -D -m 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
-
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
-ln -sf service %{buildroot}%{_sbindir}/rc%{name}
-
-%else
-# without systemd
-install -d -m 755 %{buildroot}%{_initddir}
-install -m 755 files/suse-initd %{buildroot}%{_initddir}/%{name}
-ln -sf %{_initddir}/%{name} %{buildroot}%{_sbindir}/rc%{name}
-%endif
 
+install -d -m 755 %{buildroot}%{_sysconfdir}
+mv %{buildroot}%{python3_sitelib}%{_sysconfdir}/%{name} %{buildroot}%{_sysconfdir}
+rm -rv %{buildroot}%{_sysconfdir}/%{name}/action.d/__pycache__/
+install -d -m 755 %{buildroot}%{_sysconfdir}/%{name}/fail2ban.d
+install -d -m 755 %{buildroot}%{_sysconfdir}/%{name}/jail.d
+install -d -m 755 %{buildroot}%{_docdir}
+mv -v %{buildroot}%{python3_sitelib}%{_docdir}/%{name} %{buildroot}%{_docdir}
 echo "# Do all your modifications to the jail's configuration in jail.local!" > %{buildroot}%{_sysconfdir}/%{name}/jail.local
 
 install -d -m 0755 %{buildroot}%{_localstatedir}/lib/%{name}/
 
-install -d -m 755 %{buildroot}%{_fillupdir}
+install -D -m 644 %{SOURCE2} %{buildroot}%{_fillupdir}/sysconfig.%{name}
-install -p -m 644 %{SOURCE2} %{buildroot}%{_fillupdir}/sysconfig.%{name}
 
-install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
+install -D -m 644 %{SOURCE3}  %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
-install -p -m 644 %{SOURCE3}  %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
 
-%if !0%{?suse_version} > 1500
+%if 0%{?suse_version} < 1600
-%if 0%{?_unitdir:1}
+perl -i -lpe 's{(After|PartOf)=(.*)}{$1=$2 SuSEfirewall2.service}' \
-install -Dm 0644 "%{_sourcedir}/sfw-fail2ban.conf" \
+	"%{buildroot}/%{_unitdir}/%{name}.service"
-	"%{buildroot}%{_unitdir}/SuSEfirewall2.service.d/fail2ban.conf"
-install -D -m 0644 "%{_sourcedir}/f2b-restart.conf" \
-	"%{buildroot}%{_unitdir}/fail2ban.service.d/SuSEfirewall2.conf"
-%endif
 %endif
 install -D -m 755 files/nagios/check_fail2ban %{buildroot}%{nagios_plugindir}/check_%{name}
 
-# install docs using the macro
-rm -r %{buildroot}%{_docdir}/%{name}
-
-# remove duplicates
-%fdupes -s %{buildroot}%{python3_sitelib}
-
 %check
-#stat /dev/log
-#python -c "import platform; print(platform.system())"
 # tests require python-pyinotify to be installed, so don't run them on older versions
-%if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010  && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315
+%if 0%{?suse_version} >= 1500
 # Need a UTF-8 locale to work
 export LANG=en_US.UTF-8
 ./fail2ban-testcases-all --no-network || true
 %endif
 
-%if 0%{?suse_version} >= 1230
 %pre
 %service_add_pre %{name}.service
-%endif
 
 %post
 %fillup_only
-%if 0%{?suse_version} >= 1230
 %tmpfiles_create %{_tmpfilesdir}/%{name}.conf
-# The next line is not workin in Leap 42.1, so keep the old way
-#%%tmpfiles_create %%{_tmpfilesdir}/%%{name}.conf
 %service_add_post %{name}.service
-%endif
 
 %preun
-%if 0%{?suse_version} >= 1230
 %service_del_preun %{name}.service
-%else
-%stop_on_removal %{name}
-%endif
 
 %postun
-%if 0%{?suse_version} >= 1230
 %service_del_postun %{name}.service
-%else
-%restart_on_update %{name}
-%insserv_cleanup
-%endif
-
-%if !0%{?suse_version} > 1500
-%if 0%{?_unitdir:1}
-%post -n SuSEfirewall2-%{name}
-%{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || :
-
-%postun -n SuSEfirewall2-%{name}
-%{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || :
-%endif
-%endif
 
 %files
 %dir %{_sysconfdir}/%{name}
@@ -296,21 +221,11 @@ export LANG=en_US.UTF-8
 #
 %config %{_sysconfdir}/logrotate.d/%{name}
 %dir %{_localstatedir}/lib/%{name}/
-%if 0%{?suse_version} > 1310
 # use /run directory
 %ghost /run/%{name}
-%else
-# use /var/run directory
-%dir %ghost %{_localstatedir}/run/%{name}
-%endif
-%if 0%{?suse_version} >= 1230
 # systemd
 %{_unitdir}/%{name}.service
 %{_tmpfilesdir}/%{name}.conf
-%else
-# without-systemd
-%{_initddir}/%{name}
-%endif
 %{_sbindir}/rc%{name}
 %{_bindir}/%{name}-server
 %{_bindir}/%{name}-client
@@ -323,20 +238,12 @@ export LANG=en_US.UTF-8
 %{_mandir}/man1/*
 %{_mandir}/man5/*
 %license COPYING
-%doc README.md TODO ChangeLog doc/*.txt
+%doc README.md TODO ChangeLog doc/*.txt DEVELOP FILTERS
 
 # do not include tests as they are executed during the build process
 %exclude %{_bindir}/%{name}-testcases
 %exclude %{python3_sitelib}/%{name}/tests
 
-%if !0%{?suse_version} > 1500
-%if 0%{?_unitdir:1}
-%files -n SuSEfirewall2-%{name}
-%{_unitdir}/SuSEfirewall2.service.d
-%{_unitdir}/%{name}.service.d
-%endif
-%endif
-
 %files -n monitoring-plugins-%{name}
 %license COPYING
 %doc files/nagios/README

fail2ban_service.patch

@@ -0,0 +1,16 @@
+Index: fail2ban-1.1.0/files/fail2ban.service.in
+===================================================================
+--- fail2ban-1.1.0.orig/files/fail2ban.service.in
++++ fail2ban-1.1.0/files/fail2ban.service.in
+@@ -6,9 +6,10 @@ PartOf=iptables.service firewalld.servic
+ 
+ [Service]
+ Type=simple
++EnvironmentFile=-/etc/sysconfig/fail2ban
+ Environment="PYTHONNOUSERSITE=1"
+ ExecStartPre=/bin/mkdir -p /run/fail2ban
+-ExecStart=@BINDIR@/fail2ban-server -xf start
++ExecStart=@BINDIR@/fail2ban-server -xf $FAIL2BAN_OPTIONS start
+ # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
+ # ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start
+ ExecStop=@BINDIR@/fail2ban-client stop

harden_fail2ban.service.patch

@@ -1,9 +1,13 @@
-Index: fail2ban-0.11.2/files/fail2ban.service.in
+---
+ files/fail2ban.service.in |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+Index: fail2ban-1.1.0/files/fail2ban.service.in
 ===================================================================
---- fail2ban-0.11.2.orig/files/fail2ban.service.in
+--- fail2ban-1.1.0.orig/files/fail2ban.service.in
-+++ fail2ban-0.11.2/files/fail2ban.service.in
++++ fail2ban-1.1.0/files/fail2ban.service.in
 @@ -5,6 +5,18 @@ After=network.target iptables.service fi
- PartOf=firewalld.service
+ PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service
  
  [Service]
 +# added automatically, for details please see

setup-py-install-dir.patch

@@ -0,0 +1,12 @@
+diff -rub fail2ban-1.1.0/setup.py fail2ban-1.1.0-patched/setup.py
+--- fail2ban-1.1.0/setup.py	2024-04-25 23:08:13.000000000 +0200
++++ fail2ban-1.1.0-patched/setup.py	2025-06-13 14:21:56.504000000 +0200
+@@ -84,7 +84,7 @@
+ 
+ 	def update_scripts(self, dry_run=False):
+ 		buildroot = os.path.dirname(self.build_dir)
+-		install_dir = self.install_dir
++		install_dir = os.environ.get("SERVICE_BINDIR", self.install_dir)
+ 		try:
+ 			# remove root-base from install scripts path:
+ 			root = self.distribution.command_options['install']['root'][1]

sfw-fail2ban.conf

@@ -1,7 +0,0 @@
-# This drop-in file extends SuSEfirewall2.service to also start
-# fail2ban.service, and to make sure that fail2ban is only (re)started after
-# SFW has completed.
-
-[Unit]
-Wants=fail2ban.service
-Before=fail2ban.service