summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichael Orlitzky <mjo@gentoo.org>2022-01-04 10:18:46 -0500
committerMichael Orlitzky <mjo@gentoo.org>2022-01-04 11:08:31 -0500
commitabb0829a6cca560c1686ee864b9735a60c2c4b98 (patch)
tree1a565996cba617fa8e5702f311df542d7dcb43c8 /net-analyzer
parentdev-libs/efl: add 1.26.1 (diff)
downloadgentoo-abb0829a6cca560c1686ee864b9735a60c2c4b98.tar.gz
gentoo-abb0829a6cca560c1686ee864b9735a60c2c4b98.tar.bz2
gentoo-abb0829a6cca560c1686ee864b9735a60c2c4b98.zip
net-analyzer/fail2ban: new revision with improved openrc support.
This -r3 adds a patch corresponding to, https://github.com/fail2ban/fail2ban/pull/2182 that (a) upstreams the OpenRC script and (b) adds some nice improvements to it. Done with sam's permission. Package-Manager: Portage-3.0.28, Repoman-3.0.3 Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
Diffstat (limited to 'net-analyzer')
-rw-r--r--net-analyzer/fail2ban/fail2ban-0.11.2-r3.ebuild134
-rw-r--r--net-analyzer/fail2ban/files/fail2ban-0.11.2-upstream-openrc.patch247
2 files changed, 381 insertions, 0 deletions
diff --git a/net-analyzer/fail2ban/fail2ban-0.11.2-r3.ebuild b/net-analyzer/fail2ban/fail2ban-0.11.2-r3.ebuild
new file mode 100644
index 000000000000..1390bc1bdc39
--- /dev/null
+++ b/net-analyzer/fail2ban/fail2ban-0.11.2-r3.ebuild
@@ -0,0 +1,134 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{8..10} )
+DISTUTILS_SINGLE_IMPL=1
+
+inherit bash-completion-r1 distutils-r1 systemd tmpfiles
+
+DESCRIPTION="Scans log files and bans IPs that show malicious signs"
+HOMEPAGE="https://www.fail2ban.org/"
+if [[ ${PV} == *9999 ]] ; then
+ EGIT_REPO_URI="https://github.com/${PN}/${PN}"
+ inherit git-r3
+else
+ SRC_URI="https://github.com/${PN}/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz"
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~sparc ~x86"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="selinux systemd"
+
+RDEPEND="
+ virtual/logger
+ virtual/mta
+ selinux? ( sec-policy/selinux-fail2ban )
+ systemd? (
+ $(python_gen_cond_dep '
+ || (
+ dev-python/python-systemd[${PYTHON_USEDEP}]
+ sys-apps/systemd[python(-),${PYTHON_USEDEP}]
+ )' 'python*' )
+ )
+"
+
+DOCS=( ChangeLog DEVELOP README.md THANKS TODO doc/run-rootless.txt )
+
+PATCHES=(
+ "${FILESDIR}"/${P}-fix-tests-for-2021.patch
+ "${FILESDIR}"/${PN}-0.11.2-adjust-apache-logs-paths.patch
+ "${FILESDIR}"/${P}-fix-2to3-usage.patch
+ "${FILESDIR}"/${P}-fix-systemd-test.patch
+ "${FILESDIR}"/${P}-fix-py3.10-collections.patch
+ "${FILESDIR}"/${P}-upstream-openrc.patch
+)
+
+python_prepare_all() {
+ distutils-r1_python_prepare_all
+
+ # Replace /var/run with /run, but not in the top source directory
+ find . -mindepth 2 -type f -exec \
+ sed -i -e 's|/var\(/run/fail2ban\)|\1|g' {} + || die
+}
+
+python_compile() {
+ ./fail2ban-2to3 || die
+ distutils-r1_python_compile
+}
+
+python_test() {
+ bin/fail2ban-testcases \
+ --no-network \
+ --no-gamin \
+ --verbosity=4 || die "Tests failed with ${EPYTHON}"
+}
+
+python_install_all() {
+ distutils-r1_python_install_all
+
+ rm -rf "${ED}"/usr/share/doc/${PN} "${ED}"/run || die
+
+ newconfd files/fail2ban-openrc.conf ${PN}
+
+ # These two are placed in the ${BUILD_DIR} after being "built"
+ # in install_scripts().
+ newinitd "${BUILD_DIR}/fail2ban-openrc.init" "${PN}"
+ systemd_dounit "${BUILD_DIR}/${PN}.service"
+
+ dotmpfiles files/${PN}-tmpfiles.conf
+
+ doman man/*.{1,5}
+
+ # Use INSTALL_MASK if you do not want to touch /etc/logrotate.d.
+ # See http://thread.gmane.org/gmane.linux.gentoo.devel/35675
+ insinto /etc/logrotate.d
+ newins files/${PN}-logrotate ${PN}
+
+ keepdir /var/lib/${PN}
+
+ newbashcomp files/bash-completion ${PN}-client
+ bashcomp_alias ${PN}-client ${PN}-server ${PN}-regex
+}
+
+pkg_preinst() {
+ has_version "<${CATEGORY}/${PN}-0.7"
+ previous_less_than_0_7=$?
+}
+
+pkg_postinst() {
+ tmpfiles_process ${PN}-tmpfiles.conf
+
+ if [[ ${previous_less_than_0_7} = 0 ]] ; then
+ elog
+ elog "Configuration files are now in /etc/fail2ban/"
+ elog "You probably have to manually update your configuration"
+ elog "files before restarting Fail2Ban!"
+ elog
+ elog "Fail2Ban is not installed under /usr/lib anymore. The"
+ elog "new location is under /usr/share."
+ elog
+ elog "You are upgrading from version 0.6.x, please see:"
+ elog "http://www.fail2ban.org/wiki/index.php/HOWTO_Upgrade_from_0.6_to_0.8"
+ fi
+
+ if ! has_version dev-python/pyinotify && ! has_version app-admin/gamin ; then
+ elog "For most jail.conf configurations, it is recommended you install either"
+ elog "dev-python/pyinotify or app-admin/gamin (in order of preference)"
+ elog "to control how log file modifications are detected"
+ fi
+
+ if ! has_version dev-lang/python[sqlite] ; then
+ elog "If you want to use ${PN}'s persistent database, then reinstall"
+ elog "dev-lang/python with USE=sqlite. If you do not use the"
+ elog "persistent database feature, then you should set"
+ elog "dbfile = :memory: in fail2ban.conf accordingly."
+ fi
+
+ if has_version sys-apps/systemd[-python] ; then
+ elog "If you want to track logins through sys-apps/systemd's"
+ elog "journal backend, then reinstall sys-apps/systemd with USE=python"
+ fi
+}
diff --git a/net-analyzer/fail2ban/files/fail2ban-0.11.2-upstream-openrc.patch b/net-analyzer/fail2ban/files/fail2ban-0.11.2-upstream-openrc.patch
new file mode 100644
index 000000000000..7483c5685156
--- /dev/null
+++ b/net-analyzer/fail2ban/files/fail2ban-0.11.2-upstream-openrc.patch
@@ -0,0 +1,247 @@
+https://github.com/fail2ban/fail2ban/pull/2182
+
+diff --git a/MANIFEST b/MANIFEST
+index 48c751a0..c2df1e51 100644
+--- a/MANIFEST
++++ b/MANIFEST
+@@ -393,8 +393,8 @@ files/fail2ban.service.in
+ files/fail2ban-tmpfiles.conf
+ files/fail2ban.upstart
+ files/gen_badbots
+-files/gentoo-confd
+-files/gentoo-initd
++files/fail2ban-openrc.conf
++files/fail2ban-openrc.init.in
+ files/ipmasq-ZZZzzz_fail2ban.rul
+ files/logwatch/fail2ban
+ files/logwatch/fail2ban-0.8.log
+diff --git a/files/fail2ban-openrc.conf b/files/fail2ban-openrc.conf
+new file mode 100644
+index 00000000..9454ef68
+--- /dev/null
++++ b/files/fail2ban-openrc.conf
+@@ -0,0 +1,2 @@
++# For available options, plase run "fail2ban-server --help".
++#FAIL2BAN_OPTIONS="-x"
+diff --git a/files/fail2ban-openrc.init.in b/files/fail2ban-openrc.init.in
+new file mode 100755
+index 00000000..2c56ee3a
+--- /dev/null
++++ b/files/fail2ban-openrc.init.in
+@@ -0,0 +1,86 @@
++#!/sbin/openrc-run
++# This file is part of Fail2Ban.
++#
++# Fail2Ban is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 2 of the License, or
++# (at your option) any later version.
++#
++# Fail2Ban is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with Fail2Ban; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++#
++# Author: Sireyessire, Cyril Jaquier
++#
++
++description="Ban hosts that cause multiple authentication errors"
++description_reload="reload configuration without dropping bans"
++extra_started_commands="reload"
++
++# Can't (and shouldn't) be changed by the end-user.
++#
++# Note that @BINDIR@ is already supplied by the build system. Some
++# day, it might be nice to have @RUNDIR@ supplied by the build system
++# as well, so that we don't have to hard-code /run here.
++FAIL2BAN_RUNDIR="/run/${RC_SVCNAME}"
++FAIL2BAN_SOCKET="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.sock"
++
++# The fail2ban-client program is also capable of starting and stopping
++# the server, but things are simpler if we let start-stop-daemon do it.
++command="@BINDIR@/fail2ban-server"
++pidfile="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.pid"
++
++# We force the pidfile/socket location in this service script because
++# we're taking responsibility for ensuring that their parent directory
++# exists and has the correct permissions (which we can't do if the
++# user is allowed to change them).
++command_args="${FAIL2BAN_OPTIONS} -p ${pidfile} -s ${FAIL2BAN_SOCKET}"
++retry="30"
++
++depend() {
++ use logger
++ after iptables
++}
++
++checkconfig() {
++ "${command}" ${command_args} --test
++}
++
++start_pre() {
++ # If this isn't a restart, make sure that the user's config isn't
++ # busted before we try to start the daemon (this will produce
++ # better error messages than if we just try to start it blindly).
++ #
++ # If, on the other hand, this *is* a restart, then the stop_pre
++ # action will have ensured that the config is usable and we don't
++ # need to do that again.
++ if [ "${RC_CMD}" != "restart" ] ; then
++ checkconfig || return $?
++ fi
++ checkpath -d "${FAIL2BAN_RUNDIR}"
++}
++
++stop_pre() {
++ # If this is a restart, check to make sure the user's config
++ # isn't busted before we stop the running daemon.
++ if [ "${RC_CMD}" = "restart" ] ; then
++ checkconfig || return $?
++ fi
++}
++
++reload() {
++ # The fail2ban-client uses an undocumented protocol to tell
++ # the server to reload(), so we have to use it here rather
++ # than e.g. sending a signal to the server daemon. Note that
++ # the reload will fail (on the server side) if the new config
++ # is invalid; we therefore don't need to test it ourselves
++ # with checkconfig() before initiating the reload.
++ ebegin "Reloading ${RC_SVCNAME}"
++ "@BINDIR@/fail2ban-client" ${command_args} reload
++ eend $? "Failed to reload ${RC_SVCNAME}"
++}
+diff --git a/files/gentoo-confd b/files/gentoo-confd
+deleted file mode 100644
+index 00d19f8b..00000000
+--- a/files/gentoo-confd
++++ /dev/null
+@@ -1,8 +0,0 @@
+-# Config file for /etc/init.d/fail2ban
+-#
+-# For information on options, see "/usr/bin/fail2ban-client -h".
+-
+-FAIL2BAN_OPTIONS=""
+-
+-# Force execution of the server even if the socket already exists:
+-#FAIL2BAN_OPTIONS="-x"
+diff --git a/files/gentoo-initd b/files/gentoo-initd
+deleted file mode 100755
+index 0fb157cd..00000000
+--- a/files/gentoo-initd
++++ /dev/null
+@@ -1,60 +0,0 @@
+-#!/sbin/openrc-run
+-# This file is part of Fail2Ban.
+-#
+-# Fail2Ban is free software; you can redistribute it and/or modify
+-# it under the terms of the GNU General Public License as published by
+-# the Free Software Foundation; either version 2 of the License, or
+-# (at your option) any later version.
+-#
+-# Fail2Ban is distributed in the hope that it will be useful,
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-# GNU General Public License for more details.
+-#
+-# You should have received a copy of the GNU General Public License
+-# along with Fail2Ban; if not, write to the Free Software
+-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+-#
+-# Author: Sireyessire, Cyril Jaquier
+-#
+-
+-description="Daemon to ban hosts that cause multiple authentication errors"
+-description_reload="reload configuration"
+-description_showlog="show fail2ban logs"
+-extra_started_commands="reload showlog"
+-
+-FAIL2BAN="/usr/bin/fail2ban-client ${FAIL2BAN_OPTIONS}"
+-
+-depend() {
+- need net
+- need logger
+- after iptables
+-}
+-
+-start() {
+- ebegin "Starting fail2ban"
+- mkdir -p /var/run/fail2ban || return 1
+- # remove stalled sock file after system crash
+- # bug 347477
+- rm -f /var/run/fail2ban/fail2ban.sock || return 1
+- start-stop-daemon --start --pidfile /var/run/fail2ban/fail2ban.pid \
+- -- ${FAIL2BAN} start
+- eend $? "Failed to start fail2ban"
+-}
+-
+-stop() {
+- ebegin "Stopping fail2ban"
+- start-stop-daemon --stop --pidfile /var/run/fail2ban/fail2ban.pid --retry 30 \
+- -- ${FAIL2BAN} stop
+- eend $? "Failed to stop fail2ban"
+-}
+-
+-reload() {
+- ebegin "Reloading fail2ban"
+- ${FAIL2BAN} reload
+- eend $? "Failed to reload fail2ban"
+-}
+-
+-showlog(){
+- less /var/log/fail2ban.log
+-}
+diff --git a/setup.py b/setup.py
+index 98413273..91f71cf2 100755
+--- a/setup.py
++++ b/setup.py
+@@ -89,24 +89,27 @@ class install_scripts_f2b(install_scripts):
+ if install_dir.startswith(root):
+ install_dir = install_dir[len(root):]
+ except: # pragma: no cover
+- print('WARNING: Cannot find root-base option, check the bin-path to fail2ban-scripts in "fail2ban.service".')
+- print('Creating %s/fail2ban.service (from fail2ban.service.in): @BINDIR@ -> %s' % (buildroot, install_dir))
+- with open(os.path.join(source_dir, 'files/fail2ban.service.in'), 'r') as fn:
+- lines = fn.readlines()
+- fn = None
+- if not dry_run:
+- fn = open(os.path.join(buildroot, 'fail2ban.service'), 'w')
+- try:
+- for ln in lines:
+- ln = re.sub(r'@BINDIR@', lambda v: install_dir, ln)
+- if dry_run:
+- sys.stdout.write(' | ' + ln)
+- continue
+- fn.write(ln)
+- finally:
+- if fn: fn.close()
+- if dry_run:
+- print(' `')
++ print('WARNING: Cannot find root-base option, check the bin-path to fail2ban-scripts in "fail2ban.service" and "fail2ban-openrc.init".')
++
++ scripts = ['fail2ban.service', 'fail2ban-openrc.init']
++ for script in scripts:
++ print('Creating %s/%s (from %s.in): @BINDIR@ -> %s' % (buildroot, script, script, install_dir))
++ with open(os.path.join(source_dir, 'files/%s.in' % script), 'r') as fn:
++ lines = fn.readlines()
++ fn = None
++ if not dry_run:
++ fn = open(os.path.join(buildroot, script), 'w')
++ try:
++ for ln in lines:
++ ln = re.sub(r'@BINDIR@', lambda v: install_dir, ln)
++ if dry_run:
++ sys.stdout.write(' | ' + ln)
++ continue
++ fn.write(ln)
++ finally:
++ if fn: fn.close()
++ if dry_run:
++ print(' `')
+
+
+ # Wrapper to specify fail2ban own options: