Accepting request 1288744 from security

Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1288744
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=75

f2b-restart.conf

@@ -1,5 +0,0 @@
-# When a restart is issued for SuSEfirewall2, fail2ban.service too must be
-# restarted, which is what this drop-in file does.
-
-[Unit]
-PartOf=SuSEfirewall2.service

fail2ban-0.10.4-env-script-interpreter.patch

@@ -1,6 +1,7 @@
-diff -ur fail2ban-0.10.4-orig/config/filter.d/ignorecommands/apache-fakegooglebot fail2ban-0.10.4/config/filter.d/ignorecommands/apache-fakegooglebot
---- fail2ban-0.10.4-orig/config/filter.d/ignorecommands/apache-fakegooglebot	2018-10-04 11:26:22.000000000 +0200
-+++ fail2ban-0.10.4/config/filter.d/ignorecommands/apache-fakegooglebot	2019-08-12 10:46:05.067842214 +0200
+Index: fail2ban-1.1.0/config/filter.d/ignorecommands/apache-fakegooglebot
+===================================================================
+--- fail2ban-1.1.0.orig/config/filter.d/ignorecommands/apache-fakegooglebot
++++ fail2ban-1.1.0/config/filter.d/ignorecommands/apache-fakegooglebot
 @@ -1,4 +1,4 @@
 -#!/usr/bin/env fail2ban-python
 +#!/usr/bin/fail2ban-python

fail2ban-1.0.2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ae8b0b41f27a7be12d40488789d6c258029b23a01168e3c0d347ee80b325ac23
-size 583295

fail2ban-1.0.2.tar.gz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAmNr0KgACgkQaDvxvr0K
-iCyG4Af/eP5ZQvTiGjo/f1oOuBH8wOo7ARlFOcQIbdhXy10vk3bqDjYHVWzXh12Q
-EdfyJVMXFI3XnDQkdXulOjnhX6YK3qYruudl0oDE7jyIWbHETFUpY7y00uxjTD+A
-aBk4XqBym67BtBR/5dfnhXOBYZ9EXcbopvEQXq1Lm4jRSurSQCiVpMY44psW60Rb
-dt1fdIg/GTjhsYNWO2L6DCObV1qdJcdk8Zw7rvk9aHe7iZ+PZW7htG8erTzzV9LV
-Lq6Bcwz6tEFInTvDBZXIhBimYrquWp97qwEC3d1cNbv9pjN69czgLtRaq5EiVu4R
-e8+y9LLToHFjKeji436S6985hBQnEA==
-=jGOy
------END PGP SIGNATURE-----

fail2ban-1.1.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:474fcc25afdaf929c74329d1e4d24420caabeea1ef2e041a267ce19269570bae
+size 603854

fail2ban-1.1.0.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAmYqzEoACgkQaDvxvr0K
+iCwMfQf9GcxsuVs/LiHeDYmmvFOxCmS2zO4K5pzDuX1JmtSzKCj9HbPSxUWbIZIc
+yJv+x8t6QNBPBMnxI70TP+RcxKpCO4Fc2WRcrYS5B6gDTKy9Ty0fHorHlA4QQthu
+ywoqxf1eddQKcwlk+lw/wI1QPwZ1xA93BkasJht/bTnhAvXJBeN1Tgf+jZ23bHHf
+9FIGV8zt8fvaAIG8lB22AD/+PhSYEkp1TRuRx9VEuBbkH00u1i054I0cHTrsu3Fr
+jTIljf5TgpmFyXHBCA6JT6nnGn0jsaNDT/lBNxUmw5BmMxGWUTv4SlKbcjKjgXRH
+MTZipOHHYPx/7IyKJJvB1p1gvmOxyg==
+=qvry
+-----END PGP SIGNATURE-----

fail2ban-disable-iptables-w-option.patch

@@ -1,14 +0,0 @@
---- fail2ban-1.0.1/config/action.d/iptables.conf.orig	2022-10-12 11:35:25.789327341 +0200
-+++ fail2ban-1.0.1/config/action.d/iptables.conf	2022-10-12 11:35:40.585449861 +0200
-@@ -138,8 +138,10 @@
- #          running concurrently and causing irratic behavior.  -w was introduced
- #          in iptables 1.4.20, so might be absent on older systems
- #          See https://github.com/fail2ban/fail2ban/issues/1122
-+#          The default option "-w" can be used for openSUSE versions 13.2+ and
-+#          for updated versions of openSUSE 13.1; SLE 12 supports this option.
- # Values:  STRING
--lockingopt = -w
-+lockingopt =
- 
- # Option:  iptables
- # Notes.:  Actual command to be executed, including common to all calls options

fail2ban-fix-openssh98.patch

@@ -1,7 +1,7 @@
-Index: fail2ban-1.0.2/config/filter.d/sshd.conf
+Index: fail2ban-1.1.0/config/filter.d/sshd.conf
 ===================================================================
---- fail2ban-1.0.2.orig/config/filter.d/sshd.conf
-+++ fail2ban-1.0.2/config/filter.d/sshd.conf
+--- fail2ban-1.1.0.orig/config/filter.d/sshd.conf
++++ fail2ban-1.1.0/config/filter.d/sshd.conf
 @@ -16,7 +16,7 @@ before = common.conf
  
  [DEFAULT]

fail2ban-opensuse-locations.patch

@@ -1,8 +1,8 @@
-Index: fail2ban-1.0.1/config/jail.conf
+Index: fail2ban-1.1.0/config/jail.conf
 ===================================================================
---- fail2ban-1.0.1.orig/config/jail.conf
-+++ fail2ban-1.0.1/config/jail.conf
-@@ -731,7 +731,7 @@ backend = %(syslog_backend)s
+--- fail2ban-1.1.0.orig/config/jail.conf
++++ fail2ban-1.1.0/config/jail.conf
+@@ -735,7 +735,7 @@ backend = %(syslog_backend)s
  # filter   = named-refused
  # port     = domain,953
  # protocol = udp
@@ -11,7 +11,7 @@ Index: fail2ban-1.0.1/config/jail.conf
  
  # IMPORTANT: see filter.d/named-refused for instructions to enable logging
  # This jail blocks TCP traffic for DNS requests.
-@@ -739,7 +739,7 @@ backend = %(syslog_backend)s
+@@ -743,7 +743,7 @@ backend = %(syslog_backend)s
  [named-refused]
  
  port     = domain,953
@@ -20,10 +20,10 @@ Index: fail2ban-1.0.1/config/jail.conf
  
  
  [nsd]
-Index: fail2ban-1.0.1/config/paths-common.conf
+Index: fail2ban-1.1.0/config/paths-common.conf
 ===================================================================
---- fail2ban-1.0.1.orig/config/paths-common.conf
-+++ fail2ban-1.0.1/config/paths-common.conf
+--- fail2ban-1.1.0.orig/config/paths-common.conf
++++ fail2ban-1.1.0/config/paths-common.conf
 @@ -90,4 +90,4 @@ solidpop3d_log = %(syslog_local0)s
  mysql_log = %(syslog_daemon)s
  mysql_backend = %(default_backend)s

fail2ban-opensuse-service-sfw.patch

@@ -1,14 +0,0 @@
-diff -ur fail2ban-0.10.4-orig/files/fail2ban.service.in fail2ban-0.10.4/files/fail2ban.service.in
---- fail2ban-0.10.4-orig/files/fail2ban.service.in	2019-08-12 11:27:18.175106400 +0200
-+++ fail2ban-0.10.4/files/fail2ban.service.in	2019-08-12 11:28:42.045116215 +0200
-@@ -1,8 +1,8 @@
- [Unit]
- Description=Fail2Ban Service
- Documentation=man:fail2ban(1)
--After=network.target iptables.service firewalld.service ip6tables.service ipset.service
--PartOf=iptables.service firewalld.service ip6tables.service ipset.service
-+After=network.target iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
-+PartOf=iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
- 
- [Service]
- Type=simple

fail2ban-opensuse-service.patch

@@ -1,27 +0,0 @@
-diff -ur fail2ban-0.11.2-orig/files/fail2ban.service.in fail2ban-0.11.2/files/fail2ban.service.in
---- fail2ban-0.11.2-orig/files/fail2ban.service.in	2020-11-23 21:43:03.000000000 +0100
-+++ fail2ban-0.11.2/files/fail2ban.service.in	2020-12-05 18:22:01.503018894 +0100
-@@ -2,17 +2,18 @@
- Description=Fail2Ban Service
- Documentation=man:fail2ban(1)
- After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
--PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service
-+PartOf=firewalld.service
- 
- [Service]
- Type=simple
-+EnvironmentFile=-/etc/sysconfig/fail2ban
- Environment="PYTHONNOUSERSITE=1"
- ExecStartPre=/bin/mkdir -p /run/fail2ban
--ExecStart=@BINDIR@/fail2ban-server -xf start
-+ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start
- # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
--# ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start
--ExecStop=@BINDIR@/fail2ban-client stop
--ExecReload=@BINDIR@/fail2ban-client reload
-+# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
-+ExecStop=/usr/bin/fail2ban-client stop
-+ExecReload=/usr/bin/fail2ban-client reload
- PIDFile=/run/fail2ban/fail2ban.pid
- Restart=on-failure
- RestartPreventExitStatus=0 255

fail2ban.changes

@@ -1,3 +1,119 @@
+-------------------------------------------------------------------
+Thu Jun 19 19:00:38 UTC 2025 - chris@computersalat.de
+
+- fix build
+  * service file install
+- some rpmlint fixes
+- Add fail2ban_service.patch
+- rebase patches
+  * fail2ban-0.10.4-env-script-interpreter.patch
+  * fail2ban-fix-openssh98.patch
+  * fail2ban-opensuse-locations.patch
+  * harden_fail2ban.service.patch
+
+-------------------------------------------------------------------
+Mon Jun 16 22:37:03 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- spec:
+  * Drop noarch due to /usr/bin/fail2ban-python ELF
+  * noarch for monitoring subpackage
+
+-------------------------------------------------------------------
+Fri Jun 13 12:31:06 UTC 2025 - Nathan Cutler <ncutler@suse.com>
+
+- Add setup-py-install-dir.patch:
+  * fix unit file population broken by switch to %pyproject_wheel
+
+-------------------------------------------------------------------
+Wed Jun 11 13:04:39 UTC 2025 - Nathan Cutler <ncutler@suse.com>
+
+- spec:
+  * simplify manual installation of files under /etc and /usr from
+    the wheel 
+
+-------------------------------------------------------------------
+Tue Jun 10 13:23:16 UTC 2025 - Nathan Cutler <ncutler@suse.com>
+
+- spec:
+  * Use pyproject macros to build and install (including
+    implementing manual install for files under /etc and /usr from
+    the wheel)
+  * some BuildRequires cleanup
+
+-------------------------------------------------------------------
+Fri Jun  6 11:15:38 UTC 2025 - Max Lin <mlin@suse.com>
+
+- Add %python3_fix_shebang macro
+
+-------------------------------------------------------------------
+Sat Mar 29 13:31:43 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- distutils (provided by python3-setuptools) is also needed during
+  time, or f2b cannot launch the systemd log analyzer backend.
+- Delete all pre-SUSE-15.x build instructions.
+- Delete fail2ban-opensuse-service-sfw.patch,
+  fail2ban-opensuse-service.patch, sfw-fail2ban.conf,
+  since this mostly part of the pristine fail2ban.service.in
+  already. (Unit modified in %install for SFW.)
+
+-------------------------------------------------------------------
+Mon Mar 10 03:39:37 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Add BuildRequires on setuptools, required for Python 3.12+.
+
+-------------------------------------------------------------------
+Wed Oct 23 09:08:23 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- update to 1.1.0:
+  * circumvent SEGFAULT in a python's socket module by
+    getaddrinfo with disabled IPv6 (gh-3438)
+  * avoid sporadic error in pyinotify backend if pending file
+    deleted in other thread, e. g. by flushing logs (gh-3635)
+  * `action.d/cloudflare-token.conf` - fixes gh-3479, url-encode
+    args by unban
+  * `action.d/*ipset*`: make `maxelem` ipset option configurable
+    through banaction arguments (gh-3564)
+  * `filter.d/apache-common.conf` - accepts remote besides client
+    (gh-3622)
+  * `filter.d/mysqld-auth.conf` - matches also if no suffix in
+    message (mariadb 10.3 log format, gh-3603)
+  * `filter.d/nginx-*.conf` - nginx error-log filters extended
+    with support of journal format (gh-3646)
+  * `filter.d/postfix.conf`:
+    - "rejected" rule extended to match "Access denied" too
+    - avoid double counting ('lost connection after AUTH'
+      together with message 'disconnect ...', gh-3505)
+    - add Sender address rejected: Malformed DNS server reply
+    - add to postfix syslog daemon format (gh-3690)
+    - change journalmatch postfix, allow sub-units with
+      postfix@-.service (gh-3692)
+  * `filter.d/recidive.conf`: support for systemd-journal,
+    conditional RE depending on logtype (for file or journal,
+    gh-3693)
+  * `filter.d/slapd.conf` - filter rewritten for single-line
+    processing, matches errored result without `text=...`
+    (gh-3604)
+  * supports python 3.12 and 3.13 (gh-3487)
+  * bundling async modules removed in python 3.12+ (fallback to
+    local libraries pyasyncore/pyasynchat if import would miss
+    them, gh-3487)
+  * `fail2ban-client` extended (gh-2975):
+    - `fail2ban-client status --all [flavor]` - returns status
+      of fail2ban and all jails in usual form
+    - `fail2ban-client stats` - returns statistic in form of
+      table (jail, backend, found and banned counts)
+    - `fail2ban-client statistic` or `fail2ban-client
+      statistics` - same as `fail2ban-client stats` (aliases for
+      stats)
+    - `fail2ban-client status --all stats` - (undocumented,
+      flavor "stats") returns statistic of all jails in form of
+      python dict
+  * `fail2ban-regex` extended to load settings from jail (by
+     simple name it'd prefer jail to the filter now, gh-2655);
+- drop fail2ban-disable-iptables-w-option.patch: only needed for
+  sle10 and older, which is no longer supported (is now python >=
+  3.5)
+
 -------------------------------------------------------------------
 Wed Sep  4 07:54:06 UTC 2024 - Marcus Meissner <meissner@suse.com>
 
@@ -13,7 +129,7 @@ Mon Jun  5 16:36:47 UTC 2023 - Lars Vogdt <lars@linux-schulserver.de>
 
 - use nagios-rpm-macros to define the libexecdir for SUSE distributions
   correctly (defaut here is /usr/lib/nagios/plugins)
-- move conditional for %%pre scripts, to avoid any dependency or other 
+- move conditional for %%pre scripts, to avoid any dependency or other
   stuff getting in the way on old distributions
 
 -------------------------------------------------------------------
@@ -51,7 +167,7 @@ Wed Jan 19 13:05:44 UTC 2022 - Dirk Müller <dmueller@suse.com>
 -------------------------------------------------------------------
 Fri Nov 12 10:49:20 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>
 
-- Added fail2ban-0.11.2-upstream-patch-python-3.9.patch to allow 
+- Added fail2ban-0.11.2-upstream-patch-python-3.9.patch to allow
   fail2ban run under under python 3.9+
 
 - Shifted the order of the patches
@@ -65,7 +181,7 @@ Tue Sep 14 07:47:32 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
 -------------------------------------------------------------------
 Tue Aug 24 13:40:32 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>
 
-- Added fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch 
+- Added fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch
   to fixs CVE-2021-32749 - bnc#1188610 to prevent a command injection via mail comand
 
 -------------------------------------------------------------------
@@ -78,7 +194,7 @@ Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
 
 - Update to 0.11.2
   increased stability, filter and action updates
-  
+
 - New Features and Enhancements
   * fail2ban-regex:
     - speedup formatted output (bypass unneeded stats creation)
@@ -89,7 +205,7 @@ Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
   * new filter and jail for GitLab recognizing failed application logins (gh#fail2ban/fail2ban#2689)
   * new filter and jail for Grafana recognizing failed application logins (gh#fail2ban/fail2ban#2855)
   * new filter and jail for SoftEtherVPN recognizing failed application logins (gh#fail2ban/fail2ban#2723)
-  * `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured 
+  * `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured
     (gh#fail2ban/fail2ban#2631)
   * `filter.d/bitwarden.conf` enhanced to support syslog (gh#fail2ban/fail2ban#2778)
   * introduced new prefix `{UNB}` for `datepattern` to disable word boundaries in regex;
@@ -98,7 +214,7 @@ Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
   as well as some warnings signaling user about invalid pattern or zone (gh#fail2ban/fail2ban#2814):
     - filter gets mode in-operation, which gets activated if filter starts processing of new messages;
       in this mode a timestamp read from log-line that appeared recently (not an old line), deviating too much
-      from now (up too 24h), will be considered as now (assuming a timezone issue), so could avoid unexpected 
+      from now (up too 24h), will be considered as now (assuming a timezone issue), so could avoid unexpected
       bypass of failure (previously exceeding `findtime`);
     - better interaction with non-matching optional datepattern or invalid timestamps;
     - implements special datepattern `{NONE}` - allow to find failures totally without date-time in log messages,
@@ -119,9 +235,9 @@ Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
   * no mails-action added per default anymore (e. g. to allow that `action = %(action_mw)s` should be specified
     per jail or in default section in jail.local), closes gh#fail2ban/fail2ban#2357
   * ensure we've unique action name per jail (also if parameter `actname` is not set but name deviates from standard name, gh#fail2ban/fail2ban#2686)
-  * don't use `%(banaction)s` interpolation because it can be complex value (containing `[...]` and/or quotes), 
+  * don't use `%(banaction)s` interpolation because it can be complex value (containing `[...]` and/or quotes),
     so would bother the action interpolation
-  * fixed type conversion in config readers (take place after all interpolations get ready), that allows to 
+  * fixed type conversion in config readers (take place after all interpolations get ready), that allows to
     specify typed parameters variable (as substitutions) as well as to supply it in other sections or as init parameters.
   * `action.d/*-ipset*.conf`: several ipset actions fixed (no timeout per default anymore), so no discrepancy
     between ipset and fail2ban (removal from ipset will be managed by fail2ban only, gh#fail2ban/fail2ban#2703)
@@ -132,17 +248,17 @@ Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
   * `action.d/bsd-ipfw.conf`: fixed selection of rule-no by large list or initial `lowest_rule_num` (gh#fail2ban/fail2ban#2836)
   * `filter.d/common.conf`: avoid substitute of default values in related `lt_*` section, `__prefix_line`
     should be interpolated in definition section (inside the filter-config, gh#fail2ban/fail2ban#2650)
-  * `filter.d/dovecot.conf`: 
+  * `filter.d/dovecot.conf`:
     - add managesieve and submission support (gh#fail2ban/fail2ban#2795);
     - accept messages with more verbose logging (gh#fail2ban/fail2ban#2573);
   * `filter.d/courier-smtp.conf`: prefregex extended to consider port in log-message (gh#fail2ban/fail2ban#2697)
-  * `filter.d/traefik-auth.conf`: filter extended with parameter mode (`normal`, `ddos`, `aggressive`) to handle 
+  * `filter.d/traefik-auth.conf`: filter extended with parameter mode (`normal`, `ddos`, `aggressive`) to handle
     the match of username differently (gh#fail2ban/fail2ban#2693):
     - `normal`: matches 401 with supplied username only
     - `ddos`: matches 401 without supplied username only
     - `aggressive`: matches 401 and any variant (with and without username)
   * `filter.d/sshd.conf`: normalizing of user pattern in all RE's, allowing empty user (gh#fail2ban/fail2ban#2749)
-  
+
 - Rebased patches
 - Removed upstream patch fail2ban-0.10.4-upstream-pid-file-location.patch
 
@@ -165,7 +281,7 @@ Thu May 21 07:49:38 UTC 2020 - Paolo Stivanin <info@paolostivanin.com>
   * Introduced new action command `actionprolong` to prolong ban-time
     (e. g. set new timeout if expected);
   * algorithm of restore current bans after restart changed:
-    update the restored ban-time (and therefore 
+    update the restored ban-time (and therefore
     end of ban) of the ticket with ban-time of jail (as maximum),
     for all tickets with ban-time greater (or persistent)
   * added new setup-option `--without-tests` to skip building
@@ -215,7 +331,7 @@ Sat Feb 16 22:28:49 UTC 2019 - chris@computersalat.de
   * https://github.com/fail2ban/fail2ban/blob/0.10.4/ChangeLog
 
 - Fixes
-  * `filter.d/dovecot.conf`: 
+  * `filter.d/dovecot.conf`:
     - failregex enhancement to catch sql password mismatch errors (gh-2153);
     - disconnected with "proxy dest auth failed" (gh-2184);
   * `filter.d/freeswitch.conf`:
@@ -229,7 +345,7 @@ Sat Feb 16 22:28:49 UTC 2019 - chris@computersalat.de
   * `filter.d/domino-smtp.conf`:
     - recognizes failures logged using another format (something like session-id, IP enclosed in square brackets);
     - failregex extended to catch connections rejected for policy reasons (gh-2228);
-  * `action.d/hostsdeny.conf`: fix parameter in config (dynamic parameters stating with '_' are protected 
+  * `action.d/hostsdeny.conf`: fix parameter in config (dynamic parameters stating with '_' are protected
     and don't allowed in command-actions), see gh-2114;
   * decoding stability fix by wrong encoded characters like utf-8 surrogate pairs, etc (gh-2171):
     - fail2ban running in the preferred encoding now (as default encoding also within python 2.x), mostly
@@ -238,14 +354,14 @@ Sat Feb 16 22:28:49 UTC 2019 - chris@computersalat.de
     - database: improve adapter/converter handlers working on invalid characters in sense of json and/or sqlite-database;
       additionally both are exception-safe now, so avoid possible locking of database (closes gh-2137);
     - logging in fail2ban is process-wide exception-safe now.
-  * repaired start-time of initial seek to time (as well as other log-parsing related data), 
+  * repaired start-time of initial seek to time (as well as other log-parsing related data),
     if parameter `logpath` specified before `findtime`, `backend`, `datepattern`, etc (gh-2173)
   * systemd: fixed type error on option `journalflags`: an integer is required (gh-2125);
 
 - New Features
-  * new option `ignorecache` to improve performance of ignore failure check (using caching of `ignoreip`, 
+  * new option `ignorecache` to improve performance of ignore failure check (using caching of `ignoreip`,
     `ignoreself` and `ignorecommand`), see `man jail.conf` for syntax-example;
-  * `ignorecommand` extended to use actions-similar replacement (capable to interpolate 
+  * `ignorecommand` extended to use actions-similar replacement (capable to interpolate
     all possible tags like `<ip-host>`, `<family>`, `<fid>`, `F-USER` etc.)
 
 - Enhancements
@@ -332,23 +448,23 @@ Tue Feb 20 08:19:07 UTC 2018 - jweberhofer@weberhofer.at
 - Incompatibility:
   * The configuration for jails using banaction `pf` can be incompatible after upgrade, because pf-action uses
     anchors now (see `action.d/pf.conf` for more information). If you want use obsolete handling without anchors,
-    just rewrite it in the `jail.local` by overwrite of `pfctl` parameter, e. g. like `banaction = pf[pfctl="pfctl"]`. 
+    just rewrite it in the `jail.local` by overwrite of `pfctl` parameter, e. g. like `banaction = pf[pfctl="pfctl"]`.
 
 - Fixes
-  * Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid 
+  * Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid
     write of the time-stamp, if logging to systemd-journal from foreground mode (gh-1876)
   * Fixed recognition of the new date-format on mysqld-auth filter (gh-1639)
-  * jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely 
+  * jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely
     (if ever) used and can missing on some systems (e. g. debian stretch), see gh-1942.
   * config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf)
     in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955.
-  * `action.d/pf.conf`: 
+  * `action.d/pf.conf`:
     - fixed syntax error in achnor definition (documentation, see gh-1919);
     - enclose ports in braces for multiport jails (see gh-1925);
   * `action.d/firewallcmd-ipset.conf`: fixed create of set for ipv6 (missing `family inet6`, gh-1990)
   * `filter.d/sshd.conf`:
     - extended failregex for modes "extra"/"aggressive": now finds all possible (also future)
-      forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", 
+      forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found",
       see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors (gh-1943, gh-1944);
     - fixed failregex in order to avoid banning of legitimate users with multiple public keys (gh-2014, gh-1263);
 
@@ -375,14 +491,14 @@ Tue Feb 20 08:19:07 UTC 2018 - jweberhofer@weberhofer.at
       - `datetime` - add date-time to the message (default on, ignored if `format` specified);
       - `format` - specify own format how it will be logged, for example for short-log into STDOUT:
         `fail2ban-server -f --logtarget 'stdout[format="%(relativeCreated)5d | %(message)s"]' start`;
-    * Automatically recover or recreate corrupt persistent database (e. g. if failed to open with 
+    * Automatically recover or recreate corrupt persistent database (e. g. if failed to open with
      'database disk image is malformed'). Fail2ban will create a backup, try to repair the database,
       if repair fails - recreate new database (gh-1465, gh-2004).
 
 -------------------------------------------------------------------
 Thu Nov 23 13:44:10 UTC 2017 - rbrown@suse.com
 
-- Replace references to /var/adm/fillup-templates with new 
+- Replace references to /var/adm/fillup-templates with new
   %_fillupdir macro (boo#1069468)
 
 -------------------------------------------------------------------
@@ -393,9 +509,9 @@ Sat Oct 21 04:43:44 UTC 2017 - jweberhofer@weberhofer.at
 
 - Removed 607568f.patch and 1783.patch
 
-- New features: 
+- New features:
   * IPv6 support
-    - IP addresses are now handled as objects rather than strings capable for 
+    - IP addresses are now handled as objects rather than strings capable for
       handling both address types IPv4 and IPv6
     - iptables related actions have been amended to support IPv6 specific actions
       additionally
@@ -451,32 +567,32 @@ Mon Jun 26 07:23:57 UTC 2017 - jweberhofer@weberhofer.at
 Mon May 15 12:11:23 UTC 2017 - jweberhofer@weberhofer.at
 
 - added 607568f.patch from upstream: "Postfix RBL: 554 & SMTP"
-  this fixes bnc#1036928 " fail2ban-rbl regex incorrect, takes no 
+  this fixes bnc#1036928 " fail2ban-rbl regex incorrect, takes no
   action as a result"
 
 - Update to 0.9.7
-  * Fixed a systemd-journal handling in fail2ban-regex 
+  * Fixed a systemd-journal handling in fail2ban-regex
     (gh#fail2ban/fail2ban#1657)
   * filter.d/sshd.conf
     - Fixed non-anchored part of failregex (misleading match of colon inside
-      IPv6 address instead of `: ` in the reason-part by missing space, 
+      IPv6 address instead of `: ` in the reason-part by missing space,
       gh#fail2ban/fail2ban#1658)
       (0.10th resp. IPv6 relevant only, amend for gh#fail2ban/fail2ban#1479)
   * config/pathes-freebsd.conf
     - Fixed filenames for apache and nginx log files (gh#fail2ban/fail2ban#1667)
   * filter.d/exim.conf
-    - optional part `(...)` after host-name before `[IP]` 
+    - optional part `(...)` after host-name before `[IP]`
       (gh#fail2ban/fail2ban#1751)
-    - new reason "Unrouteable address" for "rejected RCPT" regex 
+    - new reason "Unrouteable address" for "rejected RCPT" regex
       (gh#fail2ban/fail2ban#1762)
-    - match of complex time like `D=2m42s` in regex "no MAIL in SMTP 
+    - match of complex time like `D=2m42s` in regex "no MAIL in SMTP
       connection" (gh#fail2ban/fail2ban#1766)
   * filter.d/sshd.conf
     - new aggressive rules (gh#fail2ban/fail2ban#864):
       - Connection reset by peer (multi-line rule during authorization process)
       - No supported authentication methods available
     - single line and multi-line expression optimized, added optional prefixes
-      and suffix (logged from several ssh versions), according 
+      and suffix (logged from several ssh versions), according
       to gh#fail2ban/fail2ban#1206;
     - fixed expression received disconnect auth fail (optional space after port
       part, gh#fail2ban/fail2ban#1652)
@@ -499,7 +615,7 @@ Mon May 15 12:11:23 UTC 2017 - jweberhofer@weberhofer.at
 -------------------------------------------------------------------
 Sun Mar  5 12:56:10 UTC 2017 - wagner-thomas@gmx.at
 
-- rename nagios-plugins-fail2ban to monitoring-plugins-fail2ban 
+- rename nagios-plugins-fail2ban to monitoring-plugins-fail2ban
 
 -------------------------------------------------------------------
 Thu Jan 26 23:16:49 UTC 2017 - chris@computersalat.de
@@ -582,7 +698,7 @@ Mon Jul 25 13:43:18 UTC 2016 - jweberhofer@weberhofer.at
 - Update to version 0.9.5
 
   New Features
-    * New Actions: action.d/firewallcmd-rich-rules and 
+    * New Actions: action.d/firewallcmd-rich-rules and
       action.d/firewallcmd-rich-logging (gh#fail2ban/fail2ban#1367)
     * New filter: slapd - ban hosts, that were failed to connect with invalid
       credentials: error code 49 (gh#fail2ban/fail2ban#1478)
@@ -594,7 +710,7 @@ Mon Jul 25 13:43:18 UTC 2016 - jweberhofer@weberhofer.at
       - (journal_mode = MEMORY) use memory for the transaction logging
       - (temp_store = MEMORY) temporary tables and indices are kept in memory
     * journald journalmatch for pure-ftpd (gh#fail2ban/fail2ban#1362)
-    * Added additional regex filter for dovecot ldap authentication 
+    * Added additional regex filter for dovecot ldap authentication
       failures (gh#fail2ban/fail2ban#1370)
     * filter.d/exim*conf
       - Added additional regexes (gh#fail2ban/fail2ban#1371)
@@ -619,7 +735,7 @@ Mon Jul 25 13:43:18 UTC 2016 - jweberhofer@weberhofer.at
      (gh#fail2ban/fail2ban#1405)
     - All optional spaces normalized in common.conf, test covered now
     - Generic __prefix_line extended with optional brackets for the date ambit
-      (gh#fail2ban/fail2ban#1421), added new parameter __date_ambit 
+      (gh#fail2ban/fail2ban#1421), added new parameter __date_ambit
 
   * gentoo-initd fixed --pidfile bug: --pidfile is option of start-stop-daemon,
     not argument of fail2ban (see gh#fail2ban/fail2ban#1434)
@@ -654,7 +770,7 @@ Thu Mar 10 10:58:53 UTC 2016 - jweberhofer@weberhofer.at
   New Features:
    * New interpolation feature for definition config readers - `<known/parameter>`
      (means last known init definition of filters or actions with name `parameter`).
-     This interpolation makes possible to extend a parameters of stock filter or 
+     This interpolation makes possible to extend a parameters of stock filter or
      action directly in jail inside jail.local file, without creating a separately
      filter.d/*.local file.
      As extension to interpolation `%(known/parameter)s`, that does not works for
@@ -695,7 +811,7 @@ Thu Mar 10 10:58:53 UTC 2016 - jweberhofer@weberhofer.at
    * Add *_backend options for services to allow distros to set the default
      backend per service, set default to systemd for Fedora as appropriate
    * Performance improvements while monitoring large number of files (gh-1265).
-     Use associative array (dict) for monitored log files to speed up lookup 
+     Use associative array (dict) for monitored log files to speed up lookup
      operations. Thanks @kshetragia
    * Specified that fail2ban is PartOf iptables.service firewalld.service in
      .service file -- would reload fail2ban if those services are restarted
@@ -762,7 +878,7 @@ Mon Sep  7 06:54:33 UTC 2015 - jweberhofer@weberhofer.at
   openSUSE.
 
 - fail2ban-disable-iptables-w-option.patch disables iptables "-w" option for
-  older releases. 
+  older releases.
 
 - Update to version 0.9.3
 
@@ -980,7 +1096,7 @@ Wed Jun 25 15:13:37 UTC 2014 - lars@linux-schulserver.de
     user"
   - filter dovecot - lip= was optional and extended TLS errors can occur.
     Thanks Noel Butler.
-- removed fix-for-upstream-firewallcmd-ipset.conf.patch : fixed 
+- removed fix-for-upstream-firewallcmd-ipset.conf.patch : fixed
   upstream
 - split out nagios-plugins-fail2ban package
 
@@ -1044,17 +1160,17 @@ Wed Jan 22 08:50:05 UTC 2014 - jweberhofer@weberhofer.at
   * Filter improvements:
     - apache-noscript now includes php cgi scripts
     - exim-spam filter to match spamassassin log entry for option SAdevnull.
-    - Added to sshd filter expression for 
+    - Added to sshd filter expression for
       "Received disconnect from : 3: Auth fail"
     - Improved ACL-handling for Asterisk
     - Added improper command pipelining to postfix filter.
 
   * General fixes:
-    - Added lots of jail.conf entries for missing filters that creaped in 
+    - Added lots of jail.conf entries for missing filters that creaped in
       over the last year.
     - synchat changed to use push method which verifies whether all data was
       send. This ensures that all data is sent before closing the connection.
-    - Fixed python 2.4 compatibility (as sub-second in date patterns weren't 
+    - Fixed python 2.4 compatibility (as sub-second in date patterns weren't
       2.4 compatible)
     - Complain/email actions fixed to only include relevant IPs to reporting
 
@@ -1064,7 +1180,7 @@ Wed Jan 22 08:50:05 UTC 2014 - jweberhofer@weberhofer.at
     - Kernel syslog expression can have leading spaces
     - allow for ",milliseconds" in the custom date format of proftpd.log
     - recidive jail to block all protocols
-    - smtps not a IANA standard so may be missing from /etc/services. Due to 
+    - smtps not a IANA standard so may be missing from /etc/services. Due to
       (still) common use 465 has been used as the explicit port number
     - Filter dovecot reordered session and TLS items in regex with wider scope
       for session characters
@@ -1081,7 +1197,7 @@ Wed Jan 22 08:50:05 UTC 2014 - jweberhofer@weberhofer.at
 
 - Fixed formating of github references in changelog
 - reformatted spec-file
- 
+
 -------------------------------------------------------------------
 Thu Nov 14 05:14:35 UTC 2013 - jweberhofer@weberhofer.at
 
@@ -1127,7 +1243,7 @@ Thu Jun 13 08:58:53 UTC 2013 - jweberhofer@weberhofer.at
   * files/suse-initd -- update to the copy from stock SUSE
   * Updates to asterisk filter. Closes gh#fail2ban/fail2ban#227,
     gh#fail2ban/fail2ban#230.
-  * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes 
+  * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes
     gh#fail2ban/fail2ban#244.
 
 ------------------------------------------------------------------
@@ -1173,7 +1289,7 @@ Tue May 14 10:06:35 UTC 2013 - jweberhofer@weberhofer.at
    * [945ad3d9] Fix dates on email actions to work in different locals. Closes
      gh#fail2ban/fail2ban#70. Thanks to iGeorgeX for the idea.
   blotus
-   * [96eb8986] ' and " should also be escaped in action tags Closes 
+   * [96eb8986] ' and " should also be escaped in action tags Closes
      gh#fail2ban/fail2ban#109
   Christoph Theis, Nick Hilliard, Daniel Black
    * [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD
@@ -1265,7 +1381,7 @@ would be at a significant security risk.
      custom action files) since its value could contain arbitrary
      symbols.  Thanks for discovery go to the NBS System security
      team
-   * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. 
+   * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes.
      Close gh#fail2ban/fail2ban#83
    * [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3
    * [37a2e59] store IP as a base, non-unicode str to avoid spurious messages
@@ -1274,7 +1390,7 @@ would be at a significant security risk.
 - New features:
   David Engeset
    * [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching
-     the log file to take 'banip' or 'unbanip' in effect. 
+     the log file to take 'banip' or 'unbanip' in effect.
      Close gh#fail2ban/fail2ban#81, gh#fail2ban/fail2ban#86
 
 - Enhancements:
@@ -1384,7 +1500,7 @@ Tue Oct  2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at
 -------------------------------------------------------------------
 Tue Jul 31 16:18:11 CEST 2012 - asemen@suse.de
 
-- Adding to fail2ban.init remove of pid and sock files on stop 
+- Adding to fail2ban.init remove of pid and sock files on stop
   in case not removed before (prevents start fail)
 
 -------------------------------------------------------------------

fail2ban.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package fail2ban
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,13 +16,15 @@
 #
 
 
+%define pythons python3
+
 %{!?tmpfiles_create:%global tmpfiles_create systemd-tmpfiles --create}
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           fail2ban
-Version:        1.0.2
+Version:        1.1.0
 Release:        0
 Summary:        Bans IP addresses that make too many authentication failures
 License:        GPL-2.0-or-later
@@ -33,55 +35,47 @@ Source1:        https://github.com/fail2ban/fail2ban/releases/download/%{version
 Source2:        %{name}.sysconfig
 Source3:        %{name}.logrotate
 Source5:        %{name}.tmpfiles
-Source6:        sfw-fail2ban.conf
-Source7:        f2b-restart.conf
 # Path definitions have been submitted to upstream
 Source8:        paths-opensuse.conf
 Source200:      fail2ban.keyring
 # PATCH-FIX-OPENSUSE fail2ban-opensuse-locations.patch bnc#878028 jweberhofer@weberhofer.at -- update default locations for logfiles
 Patch100:       %{name}-opensuse-locations.patch
-# PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberhofer@weberhofer.at -- openSUSE modifications to the service file
-Patch101:       %{name}-opensuse-service.patch
-# PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases
-Patch200:       %{name}-disable-iptables-w-option.patch
 # PATCH-FIX-OPENSUSE fail2ban-0.10.4-env-script-interpreter.patch jweberhofer@weberhofer.at -- use exact path to define interpretor
 Patch201:       %{name}-0.10.4-env-script-interpreter.patch
-# PATCH-FEATURE-OPENSUSE fail2ban-opensuse-service-sfw.patch jweberhofer@weberhofer.at -- start after SuSEfirewall2 only for older distributions
-Patch300:       fail2ban-opensuse-service-sfw.patch
+# PATCH-FEATURE-OPENSUSE fail2ban_service.patch chris@computersalat.de -- Add [Service] EnvironmentFile
+Patch300:       %{name}_service.patch
 # PATCH-FEATURE-OPENSUSE harden_fail2ban.service.patch jsegitz@suse.com -- Added hardening to systemd service(s) bsc#1181400
 Patch301:       harden_fail2ban.service.patch
 # PATCH-FIX-OPENSUSE fail2ban-fix-openssh98.patch meissner@suse.com -- support openssh9.8 bsc#1230101
 Patch302:       fail2ban-fix-openssh98.patch
+# PATCH-FIX-OPENSUSE setup-py-install-dir.patch ncutler@suse.com -- fix unit file population broken by switch to pyproject_wheel macro
+Patch303:       setup-py-install-dir.patch
+BuildRequires:  %{python_module pip}
+BuildRequires:  %{python_module pyinotify >= 0.8.3}
+BuildRequires:  %{python_module setuptools}
+BuildRequires:  %{python_module systemd}
+BuildRequires:  %{python_module tools}
+BuildRequires:  %{python_module wheel}
 BuildRequires:  fdupes
 BuildRequires:  logrotate
 BuildRequires:  python-rpm-macros
-BuildRequires:  python3-tools
 # timezone package is required to run the tests
 BuildRequires:  timezone
 Requires:       cron
 Requires:       ed
 Requires:       iptables
 Requires:       logrotate
-Requires:       python3 >= 3.2
+Requires:       python3 >= 3.5
+Requires:       python3-setuptools
 Requires:       whois
-%if 0%{?suse_version} != 1110
-BuildArch:      noarch
-%endif
-%if 0%{?suse_version} >= 1230
-# systemd
-BuildRequires:  python3-systemd
 BuildRequires:  pkgconfig(systemd)
 Requires:       python3-systemd
 Requires:       systemd > 204
 %{?systemd_requires}
-%else
-# no systemd (the init-script requires lsof)
-Requires:       lsof
-Requires:       syslog
-%endif
-%if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010  && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315
-BuildRequires:  python3-pyinotify >= 0.8.3
 Requires:       python3-pyinotify >= 0.8.3
+%if 0%{?suse_version} < 1600
+Provides:       SuSEfirewall2-%{name} = %{version}
+Obsoletes:      SuSEfirewall2-%{name} < %{version}
 %endif
 
 %description
@@ -91,22 +85,10 @@ reject the IP address, can send e-mails, or set host.deny entries.  These rules
 can be defined by the user. Fail2Ban can read multiple log files such as sshd
 or Apache web server ones.
 
-%if !0%{?suse_version} > 1500
-%package -n SuSEfirewall2-%{name}
-Summary:        Files for integrating fail2ban into SuSEfirewall2 via systemd
-Group:          Productivity/Networking/Security
-Requires:       SuSEfirewall2
-Requires:       fail2ban
-
-%description -n SuSEfirewall2-%{name}
-This package ships systemd files which will cause fail2ban to be ordered in
-relation to SuSEfirewall2 such that the two can be run concurrently within
-reason, i.e. SFW will always run first because it does a table flush.
-%endif
-
 %package -n monitoring-plugins-%{name}
 Summary:        Check fail2ban server and how many IPs are currently banned
 Group:          System/Monitoring
+BuildArch:      noarch
 %if 0%{?suse_version}
 BuildRequires:  nagios-rpm-macros
 %else
@@ -133,16 +115,11 @@ install -m644 %{SOURCE8} config/paths-opensuse.conf
 sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf
 
 %patch -P 100 -p1
-%patch -P 101 -p1
-%if 0%{?suse_version} < 1310
-%patch -P 200 -p1
-%endif
 %patch -P 201 -p1
-%if !0%{?suse_version} > 1500
 %patch -P 300 -p1
-%endif
 %patch -P 301 -p1
 %patch -P 302 -p1
+%patch -P 303 -p1
 
 rm 	config/paths-arch.conf \
 	config/paths-debian.conf \
@@ -153,129 +130,77 @@ rm 	config/paths-arch.conf \
 # correct doc-path
 sed -i -e 's|%{_datadir}/doc/%{name}|%{_docdir}/%{name}|' setup.py
 
-# remove syslogd-logger settings for older distributions
-%if 0%{?suse_version} < 1230
-sed -i -e 's|^\([^_]*_backend = systemd\)|#\1|' config/paths-opensuse.conf
-%endif
-
 %build
 export CFLAGS="%{optflags}"
-./fail2ban-2to3
-python3 setup.py build
+export SERVICE_BINDIR="%{_bindir}"
+%pyproject_wheel
 gzip man/*.{1,5}
 
 %install
-python3 setup.py install \
-	--root=%{buildroot} \
-	--prefix=%{_prefix}
+%pyproject_install
+%python_expand %fdupes %{buildroot}%{python3_sitelib}
 
 install -d -m 755 %{buildroot}%{_mandir}/man{1,5}
-install -p -m 644 man/fail2ban-*.1.gz %{buildroot}%{_mandir}/man1
-install -p -m 644 man/jail.conf.5.gz %{buildroot}%{_mandir}/man5
+install -m 644 man/fail2ban-*.1.gz %{buildroot}%{_mandir}/man1
+install -m 644 man/jail.conf.5.gz %{buildroot}%{_mandir}/man5
 
 install -d -m 755 %{buildroot}%{_initddir}
 install -d -m 755 %{buildroot}%{_sbindir}
 
-%if 0%{?suse_version} > 1310
 # use /run directory
 install -d -m 755 %{buildroot}/run
 touch %{buildroot}/run/%{name}
-%else
-#use /var/run directory
-install -d -m 755 %{buildroot}%{_localstatedir}/run/%{name}
-%endif
 
-%if 0%{?suse_version} >= 1230
 # systemd
-install -d -m 755 %{buildroot}%{_unitdir}
-install -p -m 644 files/%{name}.service.in %{buildroot}%{_unitdir}/%{name}.service
-
-install -d -m 755 %{buildroot}%{_tmpfilesdir}
-install -p -m 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
-
-ln -sf service %{buildroot}%{_sbindir}/rc%{name}
-
-%else
-# without systemd
-install -d -m 755 %{buildroot}%{_initddir}
-install -m 755 files/suse-initd %{buildroot}%{_initddir}/%{name}
-ln -sf %{_initddir}/%{name} %{buildroot}%{_sbindir}/rc%{name}
-%endif
+if [[ ! -f build/fail2ban.service ]]; then
+  sed -e "s|@BINDIR@|%{_bindir}|g" files/fail2ban.service.in > build/fail2ban.service
+fi
+install -D -m 644 build/fail2ban.service "%{buildroot}/%{_unitdir}/%{name}.service"
+install -D -m 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
 
+install -d -m 755 %{buildroot}%{_sysconfdir}
+mv %{buildroot}%{python3_sitelib}%{_sysconfdir}/%{name} %{buildroot}%{_sysconfdir}
+rm -rv %{buildroot}%{_sysconfdir}/%{name}/action.d/__pycache__/
+install -d -m 755 %{buildroot}%{_sysconfdir}/%{name}/fail2ban.d
+install -d -m 755 %{buildroot}%{_sysconfdir}/%{name}/jail.d
+install -d -m 755 %{buildroot}%{_docdir}
+mv -v %{buildroot}%{python3_sitelib}%{_docdir}/%{name} %{buildroot}%{_docdir}
 echo "# Do all your modifications to the jail's configuration in jail.local!" > %{buildroot}%{_sysconfdir}/%{name}/jail.local
 
 install -d -m 0755 %{buildroot}%{_localstatedir}/lib/%{name}/
 
-install -d -m 755 %{buildroot}%{_fillupdir}
-install -p -m 644 %{SOURCE2} %{buildroot}%{_fillupdir}/sysconfig.%{name}
+install -D -m 644 %{SOURCE2} %{buildroot}%{_fillupdir}/sysconfig.%{name}
 
-install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
-install -p -m 644 %{SOURCE3}  %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
+install -D -m 644 %{SOURCE3}  %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
 
-%if !0%{?suse_version} > 1500
-%if 0%{?_unitdir:1}
-install -Dm 0644 "%{_sourcedir}/sfw-fail2ban.conf" \
-	"%{buildroot}%{_unitdir}/SuSEfirewall2.service.d/fail2ban.conf"
-install -D -m 0644 "%{_sourcedir}/f2b-restart.conf" \
-	"%{buildroot}%{_unitdir}/fail2ban.service.d/SuSEfirewall2.conf"
-%endif
+%if 0%{?suse_version} < 1600
+perl -i -lpe 's{(After|PartOf)=(.*)}{$1=$2 SuSEfirewall2.service}' \
+	"%{buildroot}/%{_unitdir}/%{name}.service"
 %endif
 install -D -m 755 files/nagios/check_fail2ban %{buildroot}%{nagios_plugindir}/check_%{name}
 
-# install docs using the macro
-rm -r %{buildroot}%{_docdir}/%{name}
-
-# remove duplicates
-%fdupes -s %{buildroot}%{python3_sitelib}
-
 %check
-#stat /dev/log
-#python -c "import platform; print(platform.system())"
 # tests require python-pyinotify to be installed, so don't run them on older versions
-%if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010  && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315
+%if 0%{?suse_version} >= 1500
 # Need a UTF-8 locale to work
 export LANG=en_US.UTF-8
 ./fail2ban-testcases-all --no-network || true
 %endif
 
-%if 0%{?suse_version} >= 1230
 %pre
 %service_add_pre %{name}.service
-%endif
 
 %post
 %fillup_only
-%if 0%{?suse_version} >= 1230
 %tmpfiles_create %{_tmpfilesdir}/%{name}.conf
-# The next line is not workin in Leap 42.1, so keep the old way
-#%%tmpfiles_create %%{_tmpfilesdir}/%%{name}.conf
 %service_add_post %{name}.service
-%endif
 
 %preun
-%if 0%{?suse_version} >= 1230
 %service_del_preun %{name}.service
-%else
-%stop_on_removal %{name}
-%endif
 
 %postun
-%if 0%{?suse_version} >= 1230
 %service_del_postun %{name}.service
-%else
-%restart_on_update %{name}
-%insserv_cleanup
-%endif
-
-%if !0%{?suse_version} > 1500
-%if 0%{?_unitdir:1}
-%post -n SuSEfirewall2-%{name}
-%{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || :
-
-%postun -n SuSEfirewall2-%{name}
-%{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || :
-%endif
-%endif
 
 %files
 %dir %{_sysconfdir}/%{name}
@@ -296,21 +221,11 @@ export LANG=en_US.UTF-8
 #
 %config %{_sysconfdir}/logrotate.d/%{name}
 %dir %{_localstatedir}/lib/%{name}/
-%if 0%{?suse_version} > 1310
 # use /run directory
 %ghost /run/%{name}
-%else
-# use /var/run directory
-%dir %ghost %{_localstatedir}/run/%{name}
-%endif
-%if 0%{?suse_version} >= 1230
 # systemd
 %{_unitdir}/%{name}.service
 %{_tmpfilesdir}/%{name}.conf
-%else
-# without-systemd
-%{_initddir}/%{name}
-%endif
 %{_sbindir}/rc%{name}
 %{_bindir}/%{name}-server
 %{_bindir}/%{name}-client
@@ -323,20 +238,12 @@ export LANG=en_US.UTF-8
 %{_mandir}/man1/*
 %{_mandir}/man5/*
 %license COPYING
-%doc README.md TODO ChangeLog doc/*.txt
+%doc README.md TODO ChangeLog doc/*.txt DEVELOP FILTERS
 
 # do not include tests as they are executed during the build process
 %exclude %{_bindir}/%{name}-testcases
 %exclude %{python3_sitelib}/%{name}/tests
 
-%if !0%{?suse_version} > 1500
-%if 0%{?_unitdir:1}
-%files -n SuSEfirewall2-%{name}
-%{_unitdir}/SuSEfirewall2.service.d
-%{_unitdir}/%{name}.service.d
-%endif
-%endif
-
 %files -n monitoring-plugins-%{name}
 %license COPYING
 %doc files/nagios/README

fail2ban_service.patch

@@ -0,0 +1,16 @@
+Index: fail2ban-1.1.0/files/fail2ban.service.in
+===================================================================
+--- fail2ban-1.1.0.orig/files/fail2ban.service.in
++++ fail2ban-1.1.0/files/fail2ban.service.in
+@@ -6,9 +6,10 @@ PartOf=iptables.service firewalld.servic
+ 
+ [Service]
+ Type=simple
++EnvironmentFile=-/etc/sysconfig/fail2ban
+ Environment="PYTHONNOUSERSITE=1"
+ ExecStartPre=/bin/mkdir -p /run/fail2ban
+-ExecStart=@BINDIR@/fail2ban-server -xf start
++ExecStart=@BINDIR@/fail2ban-server -xf $FAIL2BAN_OPTIONS start
+ # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
+ # ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start
+ ExecStop=@BINDIR@/fail2ban-client stop

harden_fail2ban.service.patch

@@ -1,9 +1,13 @@
-Index: fail2ban-0.11.2/files/fail2ban.service.in
+---
+ files/fail2ban.service.in |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+Index: fail2ban-1.1.0/files/fail2ban.service.in
 ===================================================================
---- fail2ban-0.11.2.orig/files/fail2ban.service.in
-+++ fail2ban-0.11.2/files/fail2ban.service.in
+--- fail2ban-1.1.0.orig/files/fail2ban.service.in
++++ fail2ban-1.1.0/files/fail2ban.service.in
 @@ -5,6 +5,18 @@ After=network.target iptables.service fi
- PartOf=firewalld.service
+ PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service
  
  [Service]
 +# added automatically, for details please see

setup-py-install-dir.patch

@@ -0,0 +1,12 @@
+diff -rub fail2ban-1.1.0/setup.py fail2ban-1.1.0-patched/setup.py
+--- fail2ban-1.1.0/setup.py	2024-04-25 23:08:13.000000000 +0200
++++ fail2ban-1.1.0-patched/setup.py	2025-06-13 14:21:56.504000000 +0200
+@@ -84,7 +84,7 @@
+ 
+ 	def update_scripts(self, dry_run=False):
+ 		buildroot = os.path.dirname(self.build_dir)
+-		install_dir = self.install_dir
++		install_dir = os.environ.get("SERVICE_BINDIR", self.install_dir)
+ 		try:
+ 			# remove root-base from install scripts path:
+ 			root = self.distribution.command_options['install']['root'][1]

sfw-fail2ban.conf

@@ -1,7 +0,0 @@
-# This drop-in file extends SuSEfirewall2.service to also start
-# fail2ban.service, and to make sure that fail2ban is only (re)started after
-# SFW has completed.
-
-[Unit]
-Wants=fail2ban.service
-Before=fail2ban.service