-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow unbanip of tuple IDs #3533
base: master
Are you sure you want to change the base?
Conversation
Confirmed. + from ast import literal_eval
...
# IPs can be represented in string format (e.g.: tuples)
- is_ip_parsed = True
- if isinstance(ip, str):
+ if isinstance(ip, str) and str[:1] in ("(","["):
try:
- ip = eval(ip)
+ ip = literal_eval(ip)
- except Exception:
+ except SyntaxError:
- is_ip_parsed = False
+ pass
...
- if not is_ip_parsed and not isinstance(ip, IPAddr):
+ if not isinstance(ip, (IPAddr, tuple, list)): However I don't think fail2ban/fail2ban/server/server.py Line 531 in 48c91df
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As already wrote... actions doesn't look like appropriate place to fix that.
Moreover, thinking about that a bit, it doesn't look as a good fix at all.
Concerning this matter nothing occurs to me excepting probably some new option (like - set <JAIL> unbanip [--report-absent] <IP> ... <IP>
+ set <JAIL> unbanip [--report-absent] [--expr] <IP> ... <IP>
- unban <IP> ... <IP>
+ unban [--expr] <IP> ... <IP> Alternatively, the selector in banmanager may be extended to accept string comparison, so tuple |
I agree with you concerning the |
As specified [here], IDs in Fail2ban can be tuples. However, when a tuple ID is banned, there is no way to remove it via the `unbanip` command line. If tried, the tuple will be considered as a list with each element being an ID. Instead, we should try to parse the string to see if it represents an object. [here]: https://github.com/fail2ban/fail2ban/blob/226a59445a8046b7f86c3bc072be1d78555ccdb0/fail2ban/server/failregex.py#L313
e04113c
to
e03e9bd
Compare
Changed the modification with a small refactoring in order to avoid the recursive method. This would cause issues as it would recurse on the |
Thx!
Understand. |
Done. |
8c60a21
to
98a4cee
Compare
Solved the issue of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thx!
I can't approve the changes right now... see my comments.
except SyntaxError: | ||
return v | ||
if value: | ||
return list(map(parseExpr, value)) if isinstance(value, (list, tuple)) else parseExpr(value) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By the way, why it needs an explicit conversion to list (dereference a map-iterator) here?
checked by isinstance
somewhere or just a simple prevention (against double usage, etc)?
return v | ||
if value: | ||
return list(map(parseExpr, value)) if isinstance(value, (list, tuple)) else parseExpr(value) | ||
return None |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm... return value
maybe? otherwise it'd return None
by empty string or empty list.
@@ -468,7 +468,7 @@ def performSvc(self, force=False): | |||
|
|||
def addAttempt(self, ip, *matches): | |||
"""Generate a failed attempt for ip""" | |||
if not isinstance(ip, IPAddr): | |||
if not isinstance(ip, (IPAddr, list, tuple)): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does it really bother somewhere? If so then we'd need to fix that in IPAddr
, because normally IPAddr
can safe handle raw values (not IPs, inclusive tuple or lists) without any problem. But has additional facility to check whether it's IP, etc.
So we'd always prefer IPAddr
as identifier/IP in internal filters/actions functionality if possible.
>>> from fail2ban.server.ipdns import IPAddr
>>> id = ('A','B')
>>> ip = IPAddr(id); ip
('A', 'B')
>>> ip == id
True
>>> ip.family == IPAddr.CIDR_RAW
True
>>> ip.raw
('A', 'B')
@@ -523,27 +522,19 @@ def getAction(self, name, value): | |||
def setBanTime(self, name, value): | |||
self.__jails[name].actions.setBanTime(value) | |||
|
|||
def addAttemptIP(self, name, *args): | |||
return self.__jails[name].filter.addAttempt(*args) | |||
def addAttemptIP(self, name, ip, failures): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure we should change the API here (*failures
can be supplied similarly from outside).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
at least this would be better:
- def addAttemptIP(self, name, ip, failures):
+ def addAttemptIP(self, name, ip, *args):
As specified here, IDs in Fail2ban can be tuples. However, when a tuple ID is banned, there is no way to remove it via the
unbanip
command line. If tried, the tuple will be considered as a list with each element being an ID. Instead, we should try to parse the string to see if it represents an object.