�

�ogf�q
���dZd
Z
dZddlZddlZddlZddlZddlZddlZddl	Z	ddl
mZmZm
Z

ddlmZ
ddlmZ
dd	lmZmZ
dd
lmZ
ddlmZ
ddlmZ
dd
lmZ
ddlmZ
ddl m!Z!m"Z"m#Z#
ddl$m%Z%m&Z&m'Z'
ddl(m)Z)
	ddlm*Z*
ejXj[ejXj]e/�
d�Z0dZ1e%d�
Z2Gd�de�Z3Gd�de!�Z4Gd�de4�Z5Gd�de4�Z6Gd�d ejn�Z8Gd!�d"ejn�Z9Gd#�d$e�Z:Gd%�d&e!�Z;dd'l<m=Z=m>Z>m?Z?
Gd(�d)e!�Z@y#e+$r
dZ*Y��wxYw
)*z
Cyril Jaquierz Copyright (c) 2004 Cyril Jaquier�GPL�N�)�Regex�	FailRegex�RegexException)
�actions)
�Server)�DNSUtils�IPAddr)
�Jail)
�
JailThread)
�	BanTicket)
�Utils�
)
�	DummyJail)�LogCaptureTestCase�
with_alt_time�MyTime)�	getLogger�extractOptions�
PREFER_ENC)
�version)
�
filtersystemd�files�polling�fail2banc
��eZ
dZd
�Zd�Zy)�
TestServerc
��y�
N���self�args�kwargss   �?/usr/lib/python3/dist-packages/fail2ban/tests/servertestcase.py�setLogLevelzTestServer.setLogLevel<����c
��yr r!r"s   r&�setLogTargetzTestServer.setLogTarget?r(r)N)�__name__�
__module__�__qualname__r'r+r!r)r&rr;s��
�
r)rc�H��eZ
dZeZ�f
d
�Z�f
d�Zdd�
Zdd�
Zd�Z	d�Z
�x
ZS)	�TransmitterBasec
���
�tt|��
|j�|_|jj
|_d
|_|jj|jt�
y)�Call before every test case.�	TestJail1N)
�superr0�setUp�TEST_SRV_CLASS�server�_Server__transm�transm�jailName�addJail�FAST_BACKEND�r#�	__class__s �r&r5zTransmitterBase.setUpGsR������$�&��#�#�%�$�+����+�+�$�+��$�-��+�+���d�m�m�\�2r)c
�^�
�|jj�
tt|��
y
�zCall after every test case.N)r7�quitr4r0�tearDownr=s �r&rBzTransmitterBase.tearDownQs"����+�+�������'�)r)r c�f
��d
|
|g}d|
g}|�$|j
d|�
|j
d|�
|dk(r|}�f
d�}	|j|	|jj|�
�
|	||f�
�
|s:|j|	|jj|�
�
|	d|f�
�
yy)zoProcess set/get commands and compare both return values 
		with outValue if it was given otherwise with inValue�set�getNrr c
�"�
��
rt
|�
S|S)
zPrepare value for comparison)
�repr)�
x�repr_s �r&�
vz%TransmitterBase.setGetTest.<locals>.vds����4�
�7�#��#r)r)�insert�assertEqualr9�proceed)
r#�cmd�inValue�outValue�outCode�jailrI�setCmd�getCmdrJs
      `   r&�
setGetTestzTransmitterBase.setGetTestWs����
�3�� �&��3�<�&�	��	�=�=��D��	�=�=��D������8�$����1�T�[�[�(�(��0�1�1�g�x�5H�3I�J�	����A�d�k�k�)�)�&�1�2�A�q�(�m�4D�E�
r)c�T
�d
|
|g}d|
g}|�$|j
d|�
|j
d|�
|jj|�
d}|j|jj|�
dd�
|j|jj|�
d|f�
y)NrDrErr)rKr9rMrL)r#rNrOrRrSrT�	initValues       r&�
setGetTestNOKzTransmitterBase.setGetTestNOKms����3�� �&��3�<�&�	��	�=�=��D��	�=�=��D���k�k�!�!�&�)�!�,�)����4�;�;�&�&�v�.�q�1�1�5����4�;�;�&�&�v�.��I��?r)c�H�d
|
z}d|
z}|j
|jjd||
g�
dgf�
t|�
D]�\}}|jjd|||g�
}|j	|dtt
t|d��
fdtt
t|d|dz��
fd��
|jjd||
g�
}|j	|dtt
t|d��
fdtt
t|d|dz��
fd��
��t|�
D]�\}}|jjd|||g�
}|j	|dtt
t|d��
fdtt
t||dzd��
fd��
|jjd||
g�
}|j	|dtt
t|d��
fdtt
t||dzd��
fd��
��y)	N�add�delrErrDrr)
�level)rLr9rM�	enumerate�assertSortedEqual�list�map�str)	r#rN�valuesrR�cmdAdd�cmdDel�
n�value�rets	         r&�jailAddDelTestzTransmitterBase.jailAddDelTestzs���3�;�&��3�;�&�����;�;����t�S�)�*�Q��G�
5��F�#�h
�h�a��	
���	�	�e�T�6�5�9�	:�3����3�q�6�4��C��Q��(8�#9�:�Q��S��f�UY�VW�XY�VY�l�E[�@\�<]�ef��g�	
���	�	�e�T�3�/�	0�3����3�q�6�4��C��Q��(8�#9�:�Q��S��f�UY�VW�XY�VY�l�E[�@\�<]�ef��g�	h
�
�F�#�h
�h�a��	
���	�	�e�T�6�5�9�	:�3����3�q�6�4��C��Q��(8�#9�:�Q��S��f�UV�WX�UX�UY�l�E[�@\�<]�ef��g�	
���	�	�e�T�3�/�	0�3����3�q�6�4��C��Q��(8�#9�:�Q��S��f�UV�WX�UX�UY�l�E[�@\�<]�ef��g�	h
r)c	�x�d
|
z}d|
z}|j
|jjd||
g�
dgf�
t|�
D]r\}}|j
|jjd|||g�
d|d|dzf�
|j
|jjd||
g�
d|d|dzf�
�tt|�
D]r\}}|j
|jjd||dg�
d||dzdf�
|j
|jjd||
g�
d||dzdf�
�ty)NrZr[rErrDr)rLr9rMr])	r#rN�inValues�	outValuesrRrcrdrerfs	         r&�jailAddDelRegexTestz#TransmitterBase.jailAddDelRegexTest�s_
���3�;�&��3�;�&�����;�;����t�S�)�*�Q��G�
5��H�%��h�a������K�K�����f�e�4�5��	�$�1�Q�3��������K�K�����c�*�+��	�$�1�Q�3����	��H�%��h�a������K�K�����f�a�0�1��	�!�A�#�$��������K�K�����c�*�+��	�!�A�#�$����	r))r rNF)r,r-r.rr6r5rBrUrXrhrl�
__classcell__�
r>s
@r&r0r0Cs)�����3�*�F
�,@
�h
�"r)r0c�$
�eZ
dZd
�Zd�Zd�Zd�Zd�Zd�Zd�Z	d�Z
d	�Zd
�Zd�Z
d�Zd
�Zd�Zd�Zd�Zd�Zd�Zed��Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Z d�Z!d�Z"d �Z#d!�Z$d"�Z%d#�Z&d$�Z'd%�Z(d&�Z)d'�Z*d(�Z+d)�Z,d*�Z-d+�Z.d,�Z/d-�Z0y.)/�Transmitterc
�V�|j
|jj��

yr )�assertFalser7�	isStarted�
r#s
 r&�testServerIsNotStartedz"Transmitter.testServerIsNotStarted�s�����4�;�;�(�(�*�+r)c
�\�|j
|jjd
g
�
d�
y)N�stop�rN�rLr9rMrts
 r&�testStopServerzTransmitter.testStopServer�s#�����4�;�;�&�&��x�0�)�<r)c
�\�|j
|jjd
g
�
d�
y)N�ping)r�pongryrts
 r&�testPingzTransmitter.testPing�s#�����4�;�;�&�&��x�0�+�>r)c
�|�|j
|jjd
g
�
dtjf�
y)Nrr)rLr9rMrrts
 r&�testVersionzTransmitter.testVersion�s,�����4�;�;�&�&�	�{�3�a����5I�Jr)c
��	|j
|jjgd
�
�
d�
|jt	j
��

|j
d�

|j�
|j
|jjgd�
�
d�
|jt	j
��

|j
d�

|j�
|j
|jjgd�
�
d�
|j
d	�

|j�
y#|j
|jjgd�
�
d�
|j
d	�

|j�
wxYw
)
N)rD�	allowipv6�yes)rr�z
IPv6 is on)rDr��no�rr�zIPv6 is off)rDr��auto)rr�zIPv6 is auto)	rLr9rM�
assertTruer
�
IPv6IsAllowed�assertLogged�pruneLogrrrts
 r&�testSetIPv6zTransmitter.testSetIPv6�s
��
6����D�K�K�'�'�(C�D�j�Q��?�?�8�)�)�+�,����\�"�D�M�M�O����D�K�K�'�'�(B�C�Y�O����H�*�*�,�-����]�#�T�]�]�_����D�K�K�'�'�(D�E�{�S����^�$�d�m�m�o�����D�K�K�'�'�(D�E�{�S����^�$�d�m�m�o�s
�C"D3�3AFc
�
�tjjstj�}
|j	|j
j
d
dg�
d�
tj�}||
z
}|jd|cxkx
r
dknc
d|z��
y|j	|j
j
d
dg�
d�
y)	N�sleepz0.1rxg
ףp=
�?g�������?zSleep was %g sec)
�msgz0.0001)�unittest�F2B�fast�timerLr9rMr�)r#�t0�t1�dts    r&�	testSleepzTransmitter.testSleep�s���	���	�	��	�	��2����D�K�K�'�'��%�(8�9�9�E��	�	��2�
�R��2��?�?�4�"�?�s�?�(:�R�(?�?�@����D�K�K�'�'��(�(;�<�i�Hr)c
���tjjstjd
d�\}
}nd}|jd|�
|jj|j�

|jd|�
|jd|�
|jddd�
|jdd�
|jd	d
d�
|jd	d�
|jj|jt�
|jd|�
|jj|j�

|j|jjgd�
�
d
�
|j|jjddg�
d
�
|j|jjgd�
�
d
�
|j|jjddg�
d
�
|j|jjgd�
�
d
�
|j|jjdd	g�
d
�
|jj|jt�
|j|jjgd�
�
d
�
tjjs+tj 
�

tj"|�

yy)Nz.db�	fail2ban_z:memory:�dbfile�dbmaxmatches�100�d�LIZARD�
dbpurgeage�600�X)rDr��NonerxrE)rDr�r�)rDr��500)r�r��	memory_db�tempfile�mkstemprXr7�delJailr:rUr;r<rLr9rM�os�close�unlink)r#�tmp�tmpFilenames   r&�testDatabasezTransmitter.testDatabase�sL��	���	�	��&�&�u�k�:��3���;����X�{�+��+�+���d�m�m�$��/�/�(�K�(��/�/�(�K�(��/�/�.�%��-����^�X�.��/�/�,��s�+����\�8�,��+�+���d�m�m�\�2��/�/�(�K�(��+�+���d�m�m�$����4�;�;�&�&��
������4�;�;�&�&�	�8��
������4�;�;�&�&�!�
#������4�;�;�&�&�	�>��
������4�;�;�&�&��
!������4�;�;�&�&�	�<��
����+�+���d�m�m�\�2����4�;�;�&�&��
���
���	�	��8�8�C�=��9�9�[��
 r)c
�f�d
}
d}d}|j
|jjd|
dg�
d|
f�
|j
|jjd|g�
d|f�
|j
|jjd|dg�
dd�
|j
|jjd|d	g�
d|f�
|j
|jjd|jdg�
dd�
|j
|jjgd
�
�
dd�
y)N�	TestJail2�	TestJail3�	TestJail4rZrrzinvalid backendrr�)rZ�--allr�rLr9rMr:)r#�jail2�jail3�jail4s    r&�testAddJailzTransmitter.testAddJail�s!
��
�%�
�%�
�%�����;�;����u�i�0�1�A�u�:�
?����4�;�;�&�&��u�~�6��E�
�C�����;�;����u�&7�8�9�!�<�a�
A
�����;�;����u�f�-�.��E�
�
<�����;�;����t�}�}�i�8�9�!�<�a�
A
�����;�;���2�3�A�6�
�
;r)c
��
���j
�jjd
�jg�
d�
t	j
tj�

�jt
j�f
d�d��

�j
�jjd�jg�
d�
�j�j�jj�
y)N�startrxc��
��jjd
�
x
r6
t�jj	d�j
g�
t�S)Nr�status�r7�isAlive�
isinstancer9rMr:�RuntimeErrorrts
�r&�<lambda>z/Transmitter.testStartStopJail.<locals>.<lambda>
�A���4�;�;���q�!�r�*�T�[�[�5H�5H�(�TX�Ta�Ta�Ib�5c�eq�*r�&r�r)�rw)
rLr9rMr:r�r�r�DEFAULT_SLEEP_TIMEr��wait_for�assertNotInr7�_Server__jailsrts
`r&�testStartStopJailzTransmitter.testStartStopJail
s��������;�;�������/�0�)�
=��*�*�U�
%�
%�&��/�/�5�>�>�r��������;�;�����
�
�.�/��
<����4�=�=�$�+�+�"<�"<�=r)c
����jjd
t�
�j�jjd�jg�
d�
�j�jjdd
g�
d�
tjtj�

�jtj�f
d�d��

�j�jjddg�
d�
�jtj�f
d�d��

�j�j�jj�
�jd
�jj�
y)	Nr�r�rxc��
��jjd
�
x
r6
t�jj	d�j
g�
t�S)Nrr�r�rts
�r&r�z2Transmitter.testStartStopAllJail.<locals>.<lambda>"
r�r)r�rwr�c�D�
�t
�jj�
Sr )�lenr7r�rts
�r&r�z2Transmitter.testStartStopAllJail.<locals>.<lambda>%
s���s�4�;�;�3M�3M�/N�+N�r))r7r;r<rLr9rMr:r�r�rr�r�r�r�r�rts
`r&�testStartStopAllJailz Transmitter.testStartStopAllJail
s
����+�+���k�<�0�����;�;�������/�0�)�
=�����;�;�����-�.�	�
;�
�*�*�U�
%�
%�&��/�/�5�>�>�r�������4�;�;�&�&���'8�9�9�E��/�/�5�>�>�#N�PQ�R�T����4�=�=�$�+�+�"<�"<�=����;���� :� :�;r)c
�`
�|j
|jjd
|jddg�
d�
|j
|jjd
|jddg�
d�
|j
|jjd
|jddg�
dd	�
y)
NrD�idle�on�rT�off�rF�CATrrr�rts
 r&�testJailIdlezTransmitter.testJailIdle)
s�������;�;����t�}�}�f�d�;�<�������;�;����t�}�}�f�e�<�=�
������;�;����t�}�}�f�e�<�=�a�@��r)c
�8
�|j
d
dd|j��
|j
d
dd|j��
|j
d
dd|j��
|j
d
d	d
|j��
|jd
d|j��
y)N�findtime�120�x�
rR�60�<�30m�z-60i����Dog�rUr:rXrts
 r&�testJailFindTimezTransmitter.testJailFindTime4
s{���/�/�*�e�S�t�}�}�/�=��/�/�*�d�B�T�]�]�/�;��/�/�*�e�U����/�?��/�/�*�e�S�t�}�}�/�=����Z��T�]�]��;r)c
�8
�|j
d
dd|j��
|j
d
dd|j��
|j
d
dd|j��
|j
d
d	d
|j��
|jd
d|j��
y)N�bantimer�r�r��50�2z-50i���z
15d 5h 30mi��Catr�rts
 r&�testJailBanTimezTransmitter.testJailBanTime;
s{���/�/�)�U�C�d�m�m�/�<��/�/�)�T�2�D�M�M�/�:��/�/�)�U�C�d�m�m�/�<��/�/�)�\�7����/�G����Y��D�M�M��:r)c
�8
�|j
d
dd|j��
|j
d
dd|j��
|j
d
dd|j��
|j
d
d	d
|j��
|jd
d|j��
y)N�datepattern�%%%Y%m%d%H%M%S)r�z%YearMonthDay24hourMinuteSecondr��Epoch)Nr�z^Epoch)Nz{^LN-BEG}Epoch�TAI64N)Nr�z
%Cat%a%%%gr�rts
 r&�testDatePatternzTransmitter.testDatePatternB
s����/�/�-�!1�8��
�
����/�/��'�?�����
@
��/�/��(�4�4�=�=��
J
��/�/��(�,�4�=�=��
B
����]�L�t�}�}��Er)c
�~�|j
d
dd|j��
|jd
d|j��
y)N�logtimezonezUTC+0400r�znot-a-time-zoner�rts
 r&�testLogTimeZonezTransmitter.testLogTimeZoneN
s4���/�/�-��Z�d�m�m�/�L����]�$5�D�M�M��Jr)c
�.
�|j
d
d|j��
|j
d
d|j��
|j
d
d|j��
d}
|j|jj	d|jd
|
g�
d�
y)	N�usednsr�r��warnr��FishrDr�)rUr:rLr9rM�r#rfs  r&�testJailUseDNSzTransmitter.testJailUseDNSR
s{���/�/�(�E��
�
�/�6��/�/�(�F����/�7��/�/�(�D�t�}�}�/�5��%�����;�;����t�}�}�h��>�?��r)c
��|jj|j�

|j|jjd
|jddddg�
d�
|j
dddd�	�
|j|jjd
|jdd
g�
d�
|j
dd�
�
|j|jjd
|jdddddg�
d�
|j
dddd�	�
|j
dddd�	�
|j�
|j|jjd
|jdddg�
dd�
|j|jjd
|jdddg�
d�
|j
dddd�	�
y)NrD�banip�	192.0.2.1�	192.0.2.2)rr�
Ban 192.0.2.1�
Ban 192.0.2.2T��all�wait�Badger�rrz
Ban Badger�
r��unbanipz192.0.2.255z192.0.2.254zUnban 192.0.2.1zUnban 192.0.2.2z192.0.2.255 is not bannedz192.0.2.254 is not bannedz--report-absentrr)rr)r7�	startJailr:rLr9rMr�r�rts
 r&�
testJailBanIPzTransmitter.testJailBanIP]
s�
���+�+����
�
�&�����;�;����t�}�}�g�{�K�Q\�]�^�	�����O�_�$�T��J�����;�;����t�}�}�g�x�@�A�	�����L�t��,�����;�;���
�D�M�M�9�m�[�+�}�]�
_
�	�����%�'8�d���N����/�1L�RV�]a��b��-�-�/�����;�;���
�D�M�M�9�&7��G�
I
�IJ�
L
�LM�O
�����;�;���
�D�M�M�9�m�]�C�
E
�EK�M
����/�1L�RV�]a��br)c

��
���jj�j�

�f
d
�}
�jddd�j��
dD]&}dD]}�j	|
|d|zg
�d	�
�!�(�jd
ddd�
�
�j	|
dD�cgc]}d|z��	c}�d	�
�jdd��
�jdd��
�j
d�

yc
c}w)Nc�\�
��jjd
�jd|g|
z�
S)NrD�attempt)r9rMr:)�ip�matchesr#s  �r&r
z.Transmitter.testJailAttemptIP.<locals>.attempt}
s*���
�+�+�
�
�u�d�m�m�Y��C�g�M�
N�Nr)�maxretry�
5�r�)rr)r�r�ztest failure %dr�z192.0.2.1:2z192.0.2.2:2Tr�)r��r
z192.0.2.2:5r
r�r�)r7r
r:rUrLr��assertNotLogged)r#r
�
ir
s`   r&�testJailAttemptIPzTransmitter.testJailAttemptIPz
s�����+�+����
�
�&�
O
��/�/�*�c�1�4�=�=�/�9��C
�a�
'�
C
�r����W�R�"3�a�"7�!8�9�6�B�
C
�C
����M�=�d���F����7�2�w�G�!� 1�A� 5�G�H�&�Q����M���-����O�$��/�����'��	 H
s�C-c
�@
��d
}
�jj|
t�
�jj|
�

dddgf�f
d�	}||
g��
||
dddg
��
||
d	ddd
g��
||
dgd�
�
�
||
dd	dg��
||
dd	g
��
||
d	g��
y)N�TestJailBanListr!c��
�
�|
�E�j
�jjd
|d|
g�
d�
�jd|
zd��
|�E�j
�jjd
|d|g�
d�
�jd|zd��
�j	�jjd	|dgt|�
z�
d
|fd��
t
jt
j�d
z�

y)NrDr�r�zBan %sTr
r

zUnban %srErF)
�
nestedOnlyr)	rLr9rMr�r^r_r�setTimer�)rRr�r

r$�outListr#s     �r&�_getBanListTestz4Transmitter.testJailBanList.<locals>._getBanListTest�
s���������	�[�[���%��w��6�7��
�	���h��&�T��2�
�����	�[�[���%��y�'�:�;��
�	���j�7�*���6�����K�K�����g�.�t�D�z�9�:���L�U��$�
�>�>�&�+�+�-�!�#�$r))
r
�	127.0.0.1)
z--with-timez:127.0.0.1 	2005-08-14 12:00:01 + 600 = 2005-08-14 12:10:01)r�r$r
�192.168.0.1z<192.168.0.1 	2005-08-14 12:00:02 + 600 = 2005-08-14 12:10:02�192.168.1.10)r
r
r
)r�r
)r

r
)r7r;r<r
)r#rRr
s`  r&�testJailBanListzTransmitter.testJailBanList�
s����	�$��+�+���d�L�)��+�+�����#'��2�r�%�&�$�
�
��$�k�0@�I�J�
L
��$�m�2B�A�C�E
�F
��$�n�7�
9��$���>�*�
,��$���?�
��$�
�
�
r)c
��|j
d
dd|j��
|j
d
dd|j��
|j
d
dd|j��
|jd
d	|j��
y)
N�
maxmatchesr

r
r��
2r�-2����Duckr�rts
 r&�testJailMaxMatcheszTransmitter.testJailMaxMatches�
sc���/�/�,��Q�T�]�]�/�;��/�/�,��Q�T�]�]�/�;��/�/�,��b�t�}�}�/�=����\�6��
�
��>r)c
��|j
d
dd|j��
|j
d
dd|j��
|j
d
dd|j��
|jd
d	|j��
y)
Nr	
r

r
r�r
rr
r
r 
r�rts
 r&�testJailMaxRetryzTransmitter.testJailMaxRetry�
sc���/�/�*�c�1�4�=�=�/�9��/�/�*�c�1�4�=�=�/�9��/�/�*�d�B�T�]�]�/�;����Z��d�m�m��<r)c
��|j
d
dd|j��
|j
d
dd|j��
|jd
d|j��
|jd
d|j��
y)	N�maxlinesr

r
r�r
rr
r 
r�rts
 r&�testJailMaxLineszTransmitter.testJailMaxLines�
sd���/�/�*�c�1�4�=�=�/�9��/�/�*�c�1�4�=�=�/�9����Z��D�M�M��:����Z��d�m�m��<r)c
��|j
d
d|j��
|j
d
d|j��
|j
d
dt|j��
|jd
d|j��
y)N�logencodingzUTF-8r��asciir��Monkey)rUr:rrXrts
 r&�testJailLogEncodingzTransmitter.testJailLogEncoding�
se���/�/�-��t�}�}�/�=��/�/�-��t�}�}�/�=��/�/�-����
�
��
����]�H�4�=�=��Ar)c

��|j
d
tjjtd�tjjtd�tjjtd�g|j
�
tjjtd�}
|j
|jjd|j
d|
g�
d|
g
f�
|j
|jjd|j
d|
g�
d|
g
f�
|j
|jjd	|j
d
g�
d|
g
f�
|j
|jjd|j
d
|
g�
dgf�
|j
|jjd|j
d|
dg�
d|
g
f�
|j
|jjd|j
d|
dg�
d|
g
f�
|j
|jjd|j
d|
d
g�
dd�
|j
|jjd|j
d|
|
|
g�
dd�
y)N�logpath�testcase01.logztestcase02.logztestcase03.logztestcase04.logrD�
addlogpathrrE�
dellogpath�tail�head�badgerr)	rhr��path�join�TEST_FILES_DIRr:rLr9rMr�s  r&�testJailLogPathzTransmitter.testJailLogPath�
sF�������G�G�L�L��!1�2��G�G�L�L��!1�2��G�G�L�L��!1�2��
�=�=��
�'�'�,�,�~�'7�
8�%�����;�;����t�}�}�l�E�B�C���w�<������;�;����t�}�}�l�E�B�C���w�<������;�;����t�}�}�i�8�9���w�<������;�;����t�}�}�l�E�B�C��r�7������;�;���
�D�M�M�<���7�
9���w�<������;�;���
�D�M�M�<���7�
9���w�<������;�;���
�D�M�M�<���9�
;�;<�
>�������;�;���
�D�M�M�<���u�=�
?�?@�
B
��r)c
��d
}
|jjd|jd|
g�
}|jt	|dt
��

y)Nzthis_file_shouldn't_existrDr/
r)r9rMr:r�r��IOError)r#rf�results   r&�testJailLogPathInvalidFilez&Transmitter.testJailLogPathInvalidFile�
sB��
%�%��;�;���	�4�=�=�,��.�
0�&��/�/�*�V�A�Y��0�1r)c
�&
�t
jd
��
}
|
dz}tj|
|�
|jjd|jd|g�
}|jt|dt��

tj|�

y)N�tmp_fail2ban_broken_symlink)
�prefixz.slinkrDr/
r)r��mktempr��symlinkr9rMr:r�r�r9
r�)r#�name�snamer:
s    r&�testJailLogPathBrokenSymlinkz(Transmitter.testJailLogPathBrokenSymlinkso��	��� =�	>�$�
��/�%��*�*�T�5���;�;���	�4�=�=�,��.�
0�&��/�/�*�V�A�Y��0�1��)�)�E�r)c
�t�|j
d
gd�
|j�
d}
|j|jj	d|jd|
g�
d|
g
f�
|j|jj	d|jd|
g�
d|
g
f�
|j|jj	d|jd
g�
d|
g
f�
|j|jj	d|jd|
g�
dgf�
|j|jj	d|jd	g�
d
�
|j|jj	d|jd	dg�
d�
|j|jj	d|jd	g�
d�
y)
N�ignoreip)r
z192.168.1.1z8.8.8.8r
rD�addignoreiprrE�delignoreip�
ignoreselfr�Fr�)rhr:rLr9rMr�s  r&�testJailIgnoreIPzTransmitter.testJailIgnoreIP
s�
�����
��
�=�=���%�����;�;����t�}�}�m�U�C�D���w�<������;�;����t�}�}�m�U�C�D���w�<������;�;����t�}�}�j�9�:���w�<������;�;����t�}�}�m�U�C�D��r�7������;�;����t�}�}�l�;�<�������;�;����t�}�}�l�E�B�C�
������;�;����t�}�}�l�;�<�
�r)c
�@�|j
d
d|j��
y)N�
ignorecommandzbin/ignore-command <ip>r��rUr:rts
 r&�testJailIgnoreCommandz!Transmitter.testJailIgnoreCommand2s���/�/�/�#<�4�=�=�/�Qr)c
��|j
d
dgd�
|j��
|j
d
dd|j��
y)N�ignorecachez%key="<ip>",max-time=1d,max-count=9999)z<ip>i'i�Q
r��rL
rts
 r&�testJailIgnoreCachezTransmitter.testJailIgnoreCache5s<���/�/�-�*���
�
����/�/�-��T��
�
�/�>r)c
�@�|j
d
d|j��
y)N�	prefregexz^Testr�rL
rts
 r&�testJailPrefRegexzTransmitter.testJailPrefRegex<s���/�/�+�w�T�]�]�/�;r)c

�
�|j
d
gd�
dtjd�
zdtjd�
zdtjd�
zg|j�
|j	|j
j
d|jdd	g�
d
d�
|j	|j
j
d|jddg�
d
d�
y)
N�	failregex)zuser john at <HOST>�Admin user login from <HOST>z failed attempt from <HOST> againzuser john at %s�<HOST>�Admin user login from %szfailed attempt from %s againrD�addfailregexz
No host regexrri��rlr�_resolveHostTagr:rLr9rMrts
 r&�
testJailRegexzTransmitter.testJailRegex?s������;����.�.�x�8�9��%�"7�"7��"A�B�"�e�&;�&;�H�&E�F��
�=�=������;�;���
�D�M�M�>�?�;�
=�=>�
@
�������;�;���
�D�M�M�>�3�/�
1�12�
4��r)c
	�f
�|j
d
gd�
ddtjd�
zdg|j�
|j	|j
j
d|jdd	g�
d
d�
|j	|j
j
d|jddg�
d
d�
y)
N�ignoreregex)�	user johnrW
�Dont match me!r`
rY
rX
ra
rD�addignoreregexzInvalid [regexrrr�r[
rts
 r&�testJailIgnoreRegexzTransmitter.testJailIgnoreRegexWs������=����%�"7�"7��"A�B���
�=�=������;�;���
�D�M�M�+�-=�>�
@
�@A�
C
�������;�;���
�D�M�M�+�R�0�
2�23�
5��r)c
	�
�|jg
}
|j|jjd
g
�
ddt	|
�
fddj|
�
fgf�
|jjdt�
|
jd�

|j|jjd
g
�
ddt	|
�
fddj|
�
fgf�
y)Nr�rzNumber of jailz	Jail listz, r�)
r:rLr9rMr�r5
r7r;r<�append)r#�jailss  r&�
testStatuszTransmitter.testStatusos����=�=�/�%����4�;�;�&�&��z�2��	�3�u�:�&��d�i�i��6F�(G�H�I�
K
��+�+���k�<�0��,�,�{�����4�;�;�&�&��z�2��	�3�u�:�&��d�i�i��6F�(G�H�I�
K
r)c

��|j
|jjd
|jg�
dddddgfgfddd	d
gfgfgf�
y)Nr�r�Filter�zCurrently failedr�zTotal failedr�	File list�Actions�zCurrently bannedr�zTotal bannedr�Banned IP listr�rts
 r&�testJailStatuszTransmitter.testJailStatusxso�����4�;�;�&�&��$�-�-�'@�A������B����
��������
�
�r)c

��|j
|jjd
|jdg�
dddddgfgfdd	d
dgfgfgf�
y)Nr��basicrri
rj
rk
rl
rm
rn
ro
rp
r�rts
 r&�testJailStatusBasiczTransmitter.testJailStatusBasic�sq�����4�;�;�&�&��$�-�-��'I�J������B����
��������
�
�r)c

��|j
|jjd
|jdg�
dddddgfgfdd	d
dgfgfgf�
y)Nr��INVALIDrri
rj
rk
rl
rm
rn
ro
rp
r�rts
 r&�testJailStatusBasicKwargz$Transmitter.testJailStatusBasicKwarg�sq�����4�;�;�&�&��$�-�-��'K�L������B����
��������
�
�r)c

� 
�tjj�
	d
dl}
d
dl}
g}|j
|jjd|jdg�
d
ddddgfgfd	d
ddgfd
|fd|fd|fgfgf�
y#t
$r
dg
}Y�bwxYw
)Nr�errorr��cymruri
rj
rk
rl
rm
rn
ro
rp
zBanned ASN listzBanned Country listzBanned RIR list)
r�r��SkipIfNoNetwork�
dns.exception�dns.resolver�ImportErrorrLr9rMr:)r#�dnsrfs   r&�testJailStatusCymruzTransmitter.testJailStatusCymru�s���
�,�,��� �����5����4�;�;�&�&��$�-�-��'I�J������B����
�������%� ��e�$��%� �
"��
����
�
��9�5�
�s�A>�>B
�
B
c
��d
}
gd�
}gd�
}|j
|jjd|jd|
g�
d|
f�
|j
|jjd|jdg�
d	d|
�
t	||�D]B\}}|j
|jjd|jd
|
||g�
d|f�
�Dt	||�D]A\}}|j
|jjd|jd
|
|g�
d|f�
�C|j
|jjd|jd
|
ddg�
d
�
|j
|jjd|jd
|
dg�
d
�
|j
|jjd|jd
|
dg�
dd	�
|j
|jjd|jd
|
ddg�
d�
|j
|jjd|jd
|
dg�
d�
|j
|jjd|jd|
g�
d�
|j
|jjd|jddg�
dd	�
y)N�TestCaseAction)�actionstart�
actionstop�actioncheck�	actionban�actionunban)zAction StartzAction StopzAction Checkz
Action BanzAction UnbanrD�	addactionrrErr�action�KEY�VALUE)rr�
�
InvalidKey�timeout�10)r�
�	delactionrxz
Doesn't exist)rLr9rMr:�zip)r#r�
�cmdList�cmdValueListrNrfs      r&�
testActionzTransmitter.testAction�s����&�
�'��,�����;�;����t�}�}�k�6�B�C��v�;������;�;���
�D�M�M�9�%�
'�'(�
*�*+�
-�	�����.��j�c�5�����K�K����T�]�]�H�f�c�5�9�
;���J���
���.��j�c�5�����K�K�����
�
�x���E�F���J�������;�;���
�D�M�M�8�V�U�G�<�
>�������;�;���
�D�M�M�8�V�U�3�
5�������;�;���
�D�M�M�8�V�\�:�
<�<=�
?�������;�;���
�D�M�M�8�V�Y��=�
?�
������;�;���
�D�M�M�8�V�Y�7�
9�
������;�;����t�}�}�k�6�B�C�������;�;���
�D�M�M�;��8�
:�:;�
=�=>�@
r)c
��d
}
|jjd|jd|
tjjtdd�dg�
}|j|d|
f�
|j|jjd|jd	|
g�
d
ddg�
|j|jjd|jd
|
dg�
d�
|j|jjd|jd
|
dg�
d�
|j|jjd|jd|
g�
d
gd�
�
|j|jjd|jd
|
ddg�
d�
|j|jjd|jd
|
ddg�
d�
|j|jjd|jd
|
ddg�
d�
y)Nr�
rDr�
�action.dz	action.pyz{"opt1": "value"}rrE�actionpropertiesr�opt1�opt2r�
)rrfrx�
actionmethods)�ban�rebanr�rw�
testmethod�unbanr�
z{"text": "world!"})rzHello world! value�
another value)rr�
)rzHello world! another value)	r9rMr:r�r4
r5
r6
rLr^)r#r�
�outs   r&�$testPythonActionMethodsAndPropertiesz0Transmitter.testPythonActionMethodsAndPropertiess���&������	�4�=�=�+�v��G�G�L�L���[�9���	�#����3��F��$�����;�;����t�}�}���
 �
!�!"�
$�
�F�������;�;����t�}�}�h��
�
�

�������;�;����t�}�}�h��
�
�

�������;�;����t�}�}�o�
�
�

�
�
�;�=�����;�;����t�}�}�h���&�
(�
)�������;�;����t�}�}�h��
�O�
�
�������;�;����t�}�}�h���&�
(�
)�$�&r)c
�d�|j
|jjd
dg�
dd�
y)Nrv
�COMMANDrrryrts
 r&�testNOKzTransmitter.testNOK,s+�����4�;�;�&�&�	�9�'=�>�q�A�!�Dr)c
�d�|j
|jjgd
�
�
dd�
y)N)rDrv
r�
rrryrts
 r&�
testSetNOKzTransmitter.testSetNOK/�*������;�;���4�5�a�8��
<r)c
�d�|j
|jjgd
�
�
dd�
y)N)rErv
r�
rrryrts
 r&�
testGetNOKzTransmitter.testGetNOK3r�
r)c
�d�|j
|jjgd
�
�
dd�
y)N)r�rv
r�
rrryrts
 r&�
testStatusNOKzTransmitter.testStatusNOK7s*������;�;���7�8��;�A�
?r)c
	���tstjd
�
�
d}
|jj	|
d�
gd�
}t|�
D]K\}}|j
|jjd|
d|g�
d|d|dzD�cgc]}|g
��c}f�
�Mt|�
D]K\}}|j
|jjd|
d	|g�
d||dzdD�cgc]}|g
��c}f�
�Md
}|j
|jjd|
d|g�
d|g
g
f�
|j
|jjd|
d|g�
d|g
|g
gf�
|j
|jjd|
d	|g�
d|g
g
f�
|j
|jjd|
d	|g�
dgf�
gd�
}|j
|jjd|
dg|z�
dd
g
dd
ggf�
|j
|jjd|
d	g|ddz�
ddd
gg
f�
|j
|jjd|
d	g|ddz�
dgf�
d}|jjd|
d|g�
}|jt|dt��

d}|jjd|
d	|g�
}|jt|dt��

yc
c}wc
c}w)N�&systemd python interface not availabler��systemd��_SYSTEMD_UNIT=sshd.servicezTEST_FIELD1=ABCz_HOSTNAME=example.comrD�addjournalmatchrr�deljournalmatch�
_COMM=sshd)r�
�
+r�
�_UID=0r�
r�
rzThis isn't valid!zFIELD=NotPresent)rr��SkipTestr7r;r]rLr9rMr�r��
ValueError)r#r:rbrerf�valr:
s       r&�testJournalMatchzTransmitter.testJournalMatch;sP��	�	�	�	�C�	D�D�
�(��+�+���h�	�*��&�
�F�#�*�h�a������K�K����X�(�%�0�
2��&��!�A�#�,�'�3�#��'�(�*�*�
�F�#�*�h�a������K�K����X�(�%�0�
2��&��1���,�'�3�#��'�(�*�*��%�����;�;���
�H�'��/�
1����y�>������;�;���
�H�'��/�
1����%�����
����;�;���
�H�'��/�
1����y�>��
����;�;���
�H�'��/�
1��r�7��

>�%�����;�;���
�H�'�(�5�0�
2����5�x�@�A�B�D
�����;�;���
�H�'�(�5��!�9�4�
6��	%�x�0�1�2�4�����;�;���
�H�'�(�5���9�4�
6��r�7���%��;�;���	�8�&��.�
0�&��/�/�*�V�A�Y�
�3�4��%��;�;���	�8�&��.�
0�&��/�/�*�V�A�Y�
�3�4��o
	(��
	(s�
K0�
K5c
	��tstjd
�
�
|jd�

d}
|jj|
d�
gd�
}t
|�
D]K\}}|j|jjd|
d|g�
d|d|d	zD�cgc]}|g
��c}f�
�Mt
|�
D]K\}}|j|jjd|
d
|g�
d||d	zdD�cgc]}|g
��c}f�
�Myc
c}wc
c}w)Nr�
Tr�zsystemd[journalflags=2]r�
rDr�
rrr�
)
rr�r�
r�r7r;r]rLr9rM)r#r:rbrerfr�
s      r&�testJournalFlagsMatchz!Transmitter.testJournalFlagsMatch�s
��	�	�	�	�C�	D�D��/�/�$��
�(��+�+���h� 9�:��&�
�F�#�*�h�a������K�K����X�(�%�0�
2��&��!�A�#�,�'�3�#��'�(�*�*�
�F�#�*�h�a������K�K����X�(�%�0�
2��&��1���,�'�3�#��'�(�*�*��	(��
	(s�
D�-
DN)1r,r-r.rurzr~r�r�r�r�r�r�r�r�r�r�r�r�r�r
r
rr
r!
r#
r&
r+
r7
r;
rC
rI
rM
rQ
rT
r]
rc
rg
rq
rt
rw
r�
r�
r�
r�
r�
r�
r�
r�
r�
r!r)r&rprp�s
��,�

=�
?�
K
�6�	I
�.�`
;�$
>�<�$	�<�;�
F
�K
�	�c
�:(�&�)��)�V
?�=�=�B
�(�T
2��#�J

R
�?�
<��0�0K
��$�$�$�<:@
�x
"&�H

E
�<�<�?�E
5�N*r)rpc�L��eZ
dZeZ�f
d
�Zd�Zd�Zd�Zd�Z	d�Z
d�Zd�Z�x
Z
S)	�TransmitterLoggingc
���
�tt|��
|jj	d
�

|jjd�

|jj
d�

y)N�	/dev/null�CRITICALr�)r4r�
r5r7r+r'�setSyslogSocketr=s �r&r5zTransmitterLogging.setUp�sG�����D�'�)��+�+���;�'��+�+���*�%��+�+���f�%r)c
��
�g}
t
d
�
D]D}tjdd�}|
j|d�

t	j
|d�

�F|
D]}|j
d|�
�d}|jd|�
|jjgd�
�

|
D]}t	j|�

�|j
dd	d
�
|j
ddd�
y)
Nr�r�transmitterrr�	logtarget�/this/path/should/not/exist)rDr�
r�
zSTDOUT[format="%(message)s"]�STDOUTz!STDERR[datetime=off, padding=off]�STDERR)�ranger�r�re
r�r�rUrXr9rM�remove)r#�
logTargets�
_�tmpFile�	logTargetrfs      r&�
testLogTargetz TransmitterLogging.testLogTarget�s����*���8��a�
�
�
�j�-�
8�7�
���W�Q�Z� ��8�8�G�A�J����
+�i��?�?�;�	�*�
+�(�%����[�%�(��+�+���7�8��
�i��9�9�Y��
��/�/�+�=�x�H��/�/�+�B�H�Mr)c
�8
�tjjd
�
stjd�
�
|j|jj�d�
|jdd�
|j|jj�d
�
y)N�/dev/logz'/dev/log' not presentr�r�
�SYSLOG)	r�r4
�existsr�r�
r�r7�getSyslogSocketrUrts
 r&�testLogTargetSYSLOGz&TransmitterLogging.testLogTargetSYSLOG�sh��	�����
�	#�	�	�	�3�	4�4��/�/�$�+�+�-�-�/��8��/�/�+�x�(��/�/�$�+�+�-�-�/��<r)c
�(�|j
d
d�
y)N�syslogsocketz/dev/log/NEW/PATH)
rUrts
 r&�testSyslogSocketz#TransmitterLogging.testSyslogSocket�s���/�/�.�"5�6r)c
�4
�|j
d
d�
|jdd�
|j
d
d�
|jdiitdtd�
d�	�d
�t	j
�dvx
r
tjjd�
�
�

y)
Nr�
r�
r�
r�
r�
rzFailed to change log targetT)rQrPrI)TF)
�Linux)r�
r�
)	rUrX�dict�	Exception�platform�systemr�r4
r�
rts
 r&�testSyslogSocketNOKz&TransmitterLogging.testSyslogSocketNOK�s����/�/�.�"?�@����[�(�+��/�/�.�*�-��$�/�/���
���7�8�
�"������J�&�E�2�7�7�>�>�*�+E�
G
�r)c
�
�|j
d
d�
|j
d
d�
|j
d
d�
|j
d
d�
|j
d
d�
|j
d
d�
|j
d
d�
|j
d
d	�
|j
d
d
�
|j
d
dd
�
|jd
d�
y)
N�loglevel�
HEAVYDEBUG�
TRACEDEBUG�
9�DEBUG�INFO�NOTICE�WARNING�ERRORr�
�cRiTiCaL�Bird)rUrXrts
 r&�testLogLevelzTransmitterLogging.testLogLevel�s����/�/�*�l�+��/�/�*�l�+��/�/�*�c�"��/�/�*�g�&��/�/�*�f�%��/�/�*�h�'��/�/�*�i�(��/�/�*�g�&��/�/�*�j�)��/�/�*�j�*�5����Z��(r)c
��|j
|jjd
g
�
d�
	tjd�
\}
}tj|
�

|jjd�

|j
|jjdd|g�
d|f�
td�
}|jd	�

	tjd�
\}}tj|�

tj||�
|jd
�

|j
|jjd
g
�
d�
|jd�

t|d�5}
t|
�
}|jd
�
dk\rt|
�
}|j|j!d�
�

t|
�
}|j|j!d�
�

	t|
�
}|jd�
dk\r!|j#t$|
j&�
n|j)d|z�

ddd�
t|d�5}
t|
�
}|jd�
dk\rt|
�
}|j|j!d�
�

|j#t$|
j&�
|
j
�
ddd�
tj*|�

		tj*|�

|j
|jjgd�
�
d�
|j
|jjd
g
�
d�
y#t$$r
Y�
�)wxYw
#1s
w
Y

�
�/xYw
#1s
w
Y

��xYw
#tj*�

wxYw
#t,$r
Y��wxYw
#	tj*�

w#t,$r
YwwxYw
xYw
)N�	flushlogs)rzrolled overzfail2ban.logr�
rDr�
rrzBefore file movedzAfter file movedzAfter flushlogs�
rzChanged logging target tozBefore file moved
zAfter file moved
zCommand: ['flushlogs']zCException StopIteration or Command: ['flushlogs'] expected. Got: %szrollover performed onzAfter flushlogs
)rDr�
r�
)rr�
)r�flushed)rLr9rMr�r�r�r�r7r'r�warning�rename�open�next�findr��endswith�assertRaises�
StopIteration�__next__�failr�
�OSError)	r#�
f�fn�
l�f2�fn2�line1�line2res	         r&�
testFlushLogsz TransmitterLogging.testFlushLogs�s������4�;�;�&�&��}�5�7I�J�*	����N�+�5�1�b��8�8�A�;��;�;���9�%����D�K�K�'�'���R�(@�A�A�r�7�K����1��9�9�
 �!�����~�.�G�B���H�H�R�L��I�I�b�#���I�I� �!����T�[�[�(�(�+��7�9K�L��I�I�� �	
�c�#���!�
�!�W�U�
�
�
�.�/�1�4��1�g�e�	�_�_�U�^�^�$9�:�;�
�!�W�U�	�_�_�U�^�^�$8�9�:��
�q�'�a�	
���(�	)�A�	-�����
�
�
�3��y�y�V�YZ�Z�[��
�b�����
�!�W�U�
�
�
�*�+�q�0��1�g�e�	�_�_�U�^�^�$7�8�9�	���}�a�j�j�1��W�W�Y�
��I�I�c�N�	��I�I�b�M����4�;�;�&�&�'E�F�
�V����4�;�;�&�&��}�5�~�F��#
�
�
�
���������I�I�c�N���
	��
	��	��I�I�b�M��
�
	��
	�s��BN�BM1� A6M�AM�+M1�?A;M%�:M1�N�N�	M�M�
M�M�M"�M1�%M.�*M1�1N�N�	N�
N�
O
�N2�1
O
�2	N>�;O
�=
N>�>O
c
�
�|j
d
dd|j��
|j
ddd|j��
|j
dd	d
|j��
|j
ddd|j��
|j
d
d|j��
|j
ddd|j��
|j
ddd|j��
y)Nzbantime.increment�trueTr�zbantime.rndtime�30minr�zbantime.maxtimez	1000 daysi\&zbantime.factorr
zbantime.formulazGban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)zbantime.multipliersz1 5 30 60 300 720 1440 2880zbantime.overalljailsrL
rts
 r&�testBanTimeIncrz"TransmitterLogging.testBanTimeIncr
s����/�/�%�v�t�$�-�-�/�H��/�/�#�W�e�$�-�-�/�H��/�/�#�[�-�d�m�m�/�T��/�/�"�C��4�=�=�/�A��/�/�#�%n�uy�v
C�v
C�/�D��/�/�'�)F�He�lp�ly�ly�/�z��/�/�(�&�&�t�}�}�/�Mr))r,r-r.r	r6r5r�
r�
r�
r�
r�
rrrmrns
@r&r�
r�
�s4�����&�N
�(=�
7�
�)�.G
�`
N
r)r�
c
��eZ
dZd
�Zy)�	JailTestsc
�V�d
}
t
|
�
}|j|j|
�
y)N�veryveryverylongname)rrLrA
)r#�longnamerRs   r&�testLongNamezJailTests.testLongNames$��
#�(�	
�h��$����4�9�9�h�'r)N)r,r-r.rr!r)r&rrs��(r)rc
��eZ
dZd
�Zd�Zd�Zy)�
RegexTestsc
��|j
ttd
�
|j
ttd�
|j
ttd�
y)NrP
�
 �
	)r�
rrrts
 r&�testInitzRegexTests.testInit"s8�����N�E�2�.����N�E�3�/����N�E�4�0r)c
���|j
ttd
�
�
jdd�d�
|j	ttd�
�
j
d�
�

y)N�
a�
"�
'z
Regex('a')rX
z
FailRegex()rLrar�replacer�r�
startswithrts
 r&�testStrzRegexTests.testStr(sH�����3�u�S�z�?�*�*�3��4�l�C��/�/�#�i��)�*�5�5�l�C�Dr)c
�$�|j
ttd
�
|j
ttd�
|jtd�
�

|jtd�
�

|jtd�
�

|jtd�
�

|jtd�
�

|jtd�
�

|jtd	�
�

td
�
}
|j	|
j��

|
j
dg
�

|j|
j��

|j
t|
j�
td�
}
|j	|
j��

|
j
d
g
�

|j|
j��

|j
t|
j�
td�
}
|j	|
j��

|
j
dg
�

|j|
j��

|j|
j�d�
|
j
dg
�

|j|
j��

|j|
j�d�
|
j
dg
�

|j|
j��

|j|
j�d�
td�
}
|j	|
j��

|
j
dg
�

|j|
j��

|j|
j�d�
td�
}
|
j
dg
�

|
j�}|j||jfd�
|
j
dg
�

|
j�}|j||jfd�
|
j
dg
�

|
j�}|j||jfd�
|
j
dg
�

|
j�}|j||jfd�
td �
}
|
j
d!g
�

|
j�}|j||jfd"�
|
j
d#g
�

|
j�}|j||jfd�
|
j
d$g
�

|
j�}|j||jfd%�
|
j
d&g
�

|
j�}|j||jfd'�
y)(NrP
z^test no group$z^test <HOST> group$z^test <IP4> group$z^test <IP6> group$z^test <DNS> group$z<^test id group: ip:port = <F-ID><IP4>(?::<F-PORT/>)?</F-ID>$z-^test id group: user:\(<F-ID>[^\)]+</F-ID>\)$z#^test id group: anything = <F-ID/>$z	%%<HOST>?)z%%rP
rP
z#%%inet(?:=<F-IP4/>|inet6=<F-IP6/>)?)z%%inet=testrP
rP
z(%%(?:inet(?:=<IP4>|6=<IP6>)?|dns=<DNS>?))z%%inet=192.0.2.1rP
rP
r�)z%%inet6=2001:DB8::rP
rP
�
2001:DB8::)z%%dns=example.comrP
rP
zexample.com)z%test id group: user:(test login name)rP
rP
ztest login namez%%net=<SUBNET>)z%%net=192.0.2.1rP
rP
)r��inet4)z%%net=192.0.2.1/24rP
rP
)z192.0.2.0/24r)z%%net=2001:DB8:FF:FF::1rP
rP
)z2001:db8:ff:ff::1�inet6)z%%net=2001:DB8:FF:FF::1/60rP
rP
)z2001:db8:ff:f0::/60rz%%ip="<ADDR>", mask="<CIDR>?")z%%ip="192.0.2.2", mask=""rP
rP
)r�r)z%%ip="192.0.2.2", mask="24"rP
rP
)z"%%ip="2001:DB8:2FF:FF::1", mask=""rP
rP
)z2001:db8:2ff:ff::1r)z$%%ip="2001:DB8:2FF:FF::1", mask="60"rP
rP
)z2001:db8:2ff:f0::/60r)r�
rrr�rr�
hasMatched�search�getHostrL�	getFailID�getIP�	familyStr)r#�frr
s   r&�testHostzRegexTests.testHost.s+�����N�I�r�2����N�I�/@�A��/�/�)�2�3�4��/�/�)�1�2�3��/�/�)�1�2�3��/�/�)�1�2�3��/�/�)�[�\�]��/�/�)�L�M�N��/�/�)�B�C�D����"����2�=�=�?�#��)�)�\�N���/�/�"�-�-�/�"����N�B�J�J�/��7�8�"����2�=�=�?�#��)�)�
"�#�$��/�/�"�-�-�/�"����N�B�J�J�/��<�=�"����2�=�=�?�#��)�)�
'�(�)��/�/�"�-�-�/�"����2�:�:�<��-��)�)�
)�*�+��/�/�"�-�-�/�"����2�:�:�<��.��)�)�
(�)�*��/�/�"�-�-�/�"����2�:�:�<��/��A�B�"����2�=�=�?�#��)�)�
<�=�>��/�/�"�-�-�/�"����2�<�<�>�#4�5��"�#�"��)�)�
&�'�(�	�x�x�z�"����B����%�'=�>��)�)�
)�*�+�	�x�x�z�"����B����%�'@�A��)�)�
.�/�0�	�x�x�z�"����B����%�'E�F��)�)�
1�2�3�	�x�x�z�"����B����%�'G�H��1�2�"��)�)�
0�1�2�	�x�x�z�"����B����%�'=�>��)�)�
2�3�4�	�x�x�z�"����B����%�'@�A��)�)�
9�:�;�	�x�x�z�"����B����%�'F�G��)�)�
;�<�=�	�x�x�z�"����B����%�'H�Ir)N)r,r-r.rrr%r!r)r&rr s��1�E
�D
J
r)rc
��eZ
dZd
�Zy)�
_BadThreadc
��t
d
�
�
)Nzrun bad thread exception)
r�rts
 r&�runz_BadThread.runvs���/�0�0r)N)r,r-r.r)r!r)r&r'r'us��
1r)r'c
��eZ
dZd
�Zd�Zd�Zy)�LoggingTestsc
��t
d
�
}
|j|
jjd�
|j|
jd�
y)Nzfail2ban.some.string.with.namerz
fail2ban.name)rrL�parentrA
)r#�
testLogSyss  r&�testGetF2BLoggerzLoggingTests.testGetF2BLogger|s=���9�:�*����:�$�$�)�)�:�6����:�?�?�O�4r)c
�
���tj}
g��f
d
�t_
	t�}|j�
|j	�
�jt
j��fd�d��

|
t_
�jd�

�jt��
d�
�j�ddt�
y#|
t_
wxYw
)Nc�&�
��
j
|�
Sr )
re
)r$rHs �r&r�z5LoggingTests.testFail2BanExceptHook.<locals>.<lambda>�s���Q�X�X�d�^�r)c�@��t
�
�
x
r
�jd
�
S)N�Unhandled exception)r��
_is_logged)r#rHs��r&r�z5LoggingTests.testFail2BanExceptHook.<locals>.<lambda>�s���C�
�F�,]�t���G\�7]�r)r�r3rr)�sys�__excepthook__r'r�r5
r�rr�r�rLr�r�)r#�prev_exchook�	badThreadrHs`  @r&�testFail2BanExceptHookz#LoggingTests.testFail2BanExceptHook�s�����#�#�,��!�3�#��%��|�9��?�?���>�>���?�?�E�N�N�$]�_`�a�c�$�3�����)�*����3�q�6�1�����1�Q�4�
�7�L�)��%�3��s�AC�
Cc
���g}
t
jd
d�\}}tj|�

|
j	|�

t
jdd�\}}tj|�

|
j	|�

t�}	|j
||d��
|j|j��

|jd�

|j�
|
D]7}tjj|�
s
�#tj|�

�9y#|j�
|
D]7}tjj|�
s
�#tj|�

�9wxYw
)Nz
fail2ban.sockzf2b-testzfail2ban.pidF)
�forcezServer already running)r�r�r�r�re
rr�rrrsr�rAr4
r�
r�
)r#�	tmp_files�sock_fd�	sock_name�
pidfile_fd�pidfile_namer7r�
s        r&�testStartFailedSockExistsz&LoggingTests.testStartFailedSockExists�s
���)��'�'���D��'�9��(�(�7�����9��%�-�-�n�j�I��*�l��(�(�:�����<� ��<�&��	�<�<�	�<�u�<�5����F�$�$�&�'����-�.�	�;�;�=���q�	�w�w�~�~�a���Y�Y�q�\���
�;�;�=���q�	�w�w�~�~�a���Y�Y�q�\��s�AD�5E+�E+N)r,r-r.r/r9rAr!r)r&r+r+zs��5�

*�r)r+)�ActionReader�JailsReader�
CONFIG_DIRc�l��eZ
dZ�f
d
�Z�f
d�Z�f
d�Zd
d�
Zd�Zd�Zd�Z	d�Z
d	�Zd
�Zd
d�
Z
d�Z�x
ZS)�ServerConfigReaderTestsc
�:�
�t
t|�
|
i|�
�

i|_yr )r4rF�__init__�#_ServerConfigReaderTests__share_cfg)r#r$r%r>s   �r&rHz ServerConfigReaderTests.__init__�s ������/��@��@��$�r)c
�8�
�tt|��
g|_y
)r2N)r4rFr5�_execCmdLstr=s �r&r5zServerConfigReaderTests.setUp�s������,�.��$�r)c
�*�
�tt|��
y
r@)r4rFrBr=s �r&rBz ServerConfigReaderTests.tearDown�s������/�1r)c��|
j
d
�
D]?}|jd�
stjd|�
�+tj|�

�Ay)N�

�
#zexec-cmd: `%s`T)�splitr�logSys�debug)r#�realCmdr�
r�
s    r&�_executeCmdz#ServerConfigReaderTests._executeCmd�sE���=�=����a�
�,�,�s�
�
�L�L�!�1�%�
�L�L��O�	�

r)c
��t
|d
�sdt�}
i|_dD]N\}}t|�
}|j	d�

t
jj||
�|j|<�P|jS)N�__aInfos))�ipv4r�)�ipv6rr�)�hasattrr� _ServerConfigReaderTests__aInfosr�
setBanTime�_actionsrm
�
ActionInfo)r#�dmyjail�
tr
�tickets     r&�_testActionInfosz(ServerConfigReaderTests._testActionInfos�ss��	��z�	"�
�[�7��4�=�?�D
�u�q�"�
�r�]�F�
���c���'�'�2�2�6�7�C�D�M�M�!��D
�
���r)c�2�|
j}|j�}|D�
]�}||jD�
]�}||j|}tj	d
�

tj	d|dz|j
z�
tj	d
�

t
|tj�s
��|j|_
tj	d�

|j�
|j�
tj	d�

|j�
|j|d�

tj	d�

|j�
|j|d�

tj	d�

|j�
|j|d	�

tj	d
�

|j�
|j|d	�

tj	d�

|j�
|j�
�
���
��y)N�4# ==================================================�
# == %-44s ==� - �# === start ===�# === ban-ipv4 ===rW�# === unban ipv4 ===�# === ban ipv6 ===rX�# === unban ipv6 ===�# === stop ===)r�rarrQrR�_namer�r\�
CommandActionrT�
executeCmdr�r�r�
r�
rw)r#r7rf
�aInfosrRrr�
s       r&�_testExecActionsz(ServerConfigReaderTests._testExecActions�s|
��
�
�
�%�� � �"�&���d��$�K����q�
�4�[�
 �
 ��
#�F�
�L�L�"�#�
�L�L��$��,����"=�>�
�L�L�"�#��f�h�4�4�5�x��(�(�F��
�L�L�"�#�T�]�]�_�
�L�L�N�
�L�L�%�&��
�
��
�J�J�v�f�~��
�L�L�'�(�$�-�-�/�
�L�L���� �
�L�L�%�&��
�
��
�J�J�v�f�~��
�L�L�'�(�$�-�-�/�
�L�L���� �
�L�L�!�"�D�M�M�O�
�K�K�M�5�r)c
��tjjd
��

ttd
|j
��}
|j
|
j��

|j
|
j��

|
jd
��
}t�}|j}|j}|D]�}|ddk7s
�|ddk(rd|d	<n�t|�
d
kDr�|ddk(ry|d	dk(rqtjj!t"d
|d�}tjj%|�
s$tjj!t"d�}||d
<nAtjj&r't|�
d
kDr|ddvr|d	dk(r
d|d<d|d
<	||�

��tjj&s|j-|�

yy#t($r"}|j+d|�d|���

Yd}~�
�Hd}~w
wxYw
)NT�
�stock)�basedir�force_enable�share_config)
�allow_no_filesrr�rZrrr�rDr/
�logsrr.
)rDz	multi-setrZ
zDUMMY-REGEX <HOST>zCommand z has failed. Received )r�r��SkipIfCfgMissingrCrDrIr��read�
getOptions�convertrr8�_Transmitter__commandHandlerr�r�r4
r5
r6
r�
r�r�
r�
rp)	r#rf
�streamr7r9�
cmdHandlerrNr�
�
es	         r&�testCheckStockJailActionsz1ServerConfigReaderTests.testCheckStockJailActions�s�
��
�,�,���d��+�
�j�t�$�JZ�JZ�
[�%��/�/�%�*�*�,���/�/�%�"�"�$�%��=�=��=�-�&��<�&��!�!�&��2�2�*��@
�c�	�!�f���
�1�v����S��V�

�S��A��#�a�&�E�/�c�!�f��.D�
�'�'�,�,�~�v�s�1�v�
6�R�
�G�G�N�N�2��
�7�7�<�<��(8�9�b��S��V�
���	�	���X�
�\�c�!�f� 4�4��Q��>�9Q��S��V�"�S��V�@
���_�/@
�@

���	�	����� �
���
@
�	�Y�Y�s�A�>�?�?��
@
�s�G�	G>�G9�9G>c�,
�|j
d
|
�}t|�
\}}d|
dgg
}t||
||jt��}|j|j
��

|ji�

|j|j��

|S)Nz%(__name__)srZr)rvrt)
rrrBrIrDr�rzr{�extendr|)r#rR�act�actName�actOptr~r�
s       r&�getDefaultJailStreamz,ServerConfigReaderTests.getDefaultJailStreams������N�D�)�#�"�3�'�/�'�6�	�4����&��
�D�&�� � �*�6�&��/�/�&�+�+�-� ����B���-�-���� �!�	�-r)c
�*�tjjd
��

tjj�
ddl}
t�}|j}|
j	tjjtdd��
D]�}tjj|�
jdd�}|jd|z|�}|D](}|j|�
\}}	|j|d�
�*|j!|�

��y)	NTrrrr�
z*.confz.confrP
zj-)r�r�ry�
SkipIfFast�globrr8r�r4
r5
rD�basenamerr�rMrLrp)
r#r�r7r9�actCfgr�r~rNrg�ress
          r&�testCheckStockAllActionsz0ServerConfigReaderTests.testCheckStockAllActions+s���
�,�,���d��+�
�,�,����
��<�&��!�!�&��	�	�"�'�'�,�,�z�:�x�H�I�	!�f�	���	�	�&�	!�	)�	)�'�2�	6�3��%�%�d�3�h��4�6���s��~�~�c�"�H�C�����S�!���
���� �	!r)c
��tjjd
��

ddddddd	d
ddd
ddddd�
fdddddddddddddddd�
fd d!d"d#d$d%d&d'd(d)d*d+�	fd,d-d"d#d.d/d0d1d2�fd3d4d5d6d7d8d9d:d;d<d=d>d?d@dAdB�
fdCdDd5d6d7dEdFdGdHdIdJdKdLdMdNdB�
fdOdPdQdRdSdTdUdVdWdXdYdZd[d\d]dB�
fd^d_d`dadSdbdcdddedfdgdhdidjdkdB�
fdldmd5d6dSdndodpdqdrdsdtdudvdwdB�
fdxdyd5d6dSdzd{d|d}d~dd�d�d�d�dB�
fd�d�d�d�d�d�d�d�d�d�d�d�d�d��fd�d�d�d�d�d�d�d�d�d�d�d�d�d��fd�d�d�d�d�d�d�d�d�d�d�d�d�d��fd�d�d�d�d�d�d�d�d�d�d�d�d�d�d��fd�d�d�d�d�d�d�d�d�d�d�d�d�d��fd�d�d�d�d�d�d�d�d�d�d�d�d�d��fd�d�d�d�d�d�d�d�d�d�d�d�dל
fd�d�d�d�d�d�d�d�d�d�d�d�dל
fd�d�d�d�d�d�d�d�d2�fd�d�d�d�d�d�d�d�d2�ff}
t�}|j}|j
}|
D]E\}}}|j
||�}|D](}	|j|	�
\}
}|j|
d�
�*�G|j}|j�}
|
D�]d\}}}||jD�]J}||j|}tjd�

tjd�|d�z|jz�
tjd�

|jt!|t"j$��

|j&|_|j+d��

|j-�
|j/d��
r|j0|d�d�d
i
�

n=|j/d��
r,|j/d��
r|j2|d�|d�zd�d
i
�

|j+d��

|j5|
d��

|j/d��
r8|j0|j/d�|j/d�d���|d�zd�d
i
�

|j/d��
r|j2|d�d�d
i
�

|j0|d�d�d
i
�

|j2|�
dd�d
i
�

|j+�
d
�

|j7|
d��

|j0|�
dd�d
i
�

|j2|�
dd�d
i
�

|j+�
d�

|j5|
�
d�

|j/d��
r8|j0|j/d�|j/d�d���|d�zd�d
i
�

|j/d��
r|j2|d�d�d
i
�

|j0|�
dd�d
i
�

|j2|�
dd�d
i
�

|j+�
d�

|j7|
�
d�

|j0|�
dd�d
i
�

|j2|�
dd�d
i
�

|j/�
d	�
r�|j+�
d
�

|j9|
d��
d�

|j0|j/�
d|j/d�d���|�
d	zd�d
i
�

|j/�
d
�
r#|�
d
|�
d	k7r|j2|�
d
d�d
i
�

|j/�
d
�
r�|j+�
d�

|j9|
�
d�
d�

|j0|j/�
d|j/d�d���|�
d
zd�d
i
�

|j/�
d	�
r#|�
d	|�
d
k7r|j2|�
d	d�d
i
�

|j/�
d�
r8|j+�
d�

|j;�
|j0|�
dd�d
i
�

|j+�
d�

|j=�
|j/�
d�
s��"|j0|j/d�d��|�
dzd�d
i
�

��M��gy(
NTrrz
j-w-nft-mpzQnftables-multiport[name=%(__name__)s, port="http,https", protocol="tcp,udp,sctp"])zip �	ipv4_addrzaddr-)zip6 �	ipv6_addrzaddr6-)�`nft add table inet f2b-table`�W`nft -- add chain inet f2b-table f2b-chain \{ type filter hook input priority -1 \; \}`�9`for proto in $(echo 'tcp,udp,sctp' | sed 's/,/ /g'); do`�`done`)zG`nft add set inet f2b-table addr-set-j-w-nft-mp \{ type ipv4_addr\; \}`z�`nft add rule inet f2b-table f2b-chain $proto dport \{ $(echo 'http,https' | sed s/:/-/g) \} ip saddr @addr-set-j-w-nft-mp reject`)zH`nft add set inet f2b-table addr6-set-j-w-nft-mp \{ type ipv6_addr\; \}`z�`nft add rule inet f2b-table f2b-chain $proto dport \{ $(echo 'http,https' | sed s/:/-/g) \} ip6 saddr @addr6-set-j-w-nft-mp reject`)zG`{ nft flush set inet f2b-table addr-set-j-w-nft-mp 2> /dev/null; } || zH`{ nft flush set inet f2b-table addr6-set-j-w-nft-mp 2> /dev/null; } || )z�`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`�5`nft delete rule inet f2b-table f2b-chain $hdl; done`z3`nft delete set inet f2b-table addr-set-j-w-nft-mp`z�`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`r�z4`nft delete set inet f2b-table addr6-set-j-w-nft-mp`)
zO`nft list chain inet f2b-table f2b-chain | grep -q '@addr-set-j-w-nft-mp[ \t]'`)
zP`nft list chain inet f2b-table f2b-chain | grep -q '@addr6-set-j-w-nft-mp[ \t]'`)
zD`nft add element inet f2b-table addr-set-j-w-nft-mp \{ 192.0.2.1 \}`)
zG`nft delete element inet f2b-table addr-set-j-w-nft-mp \{ 192.0.2.1 \}`)
zF`nft add element inet f2b-table addr6-set-j-w-nft-mp \{ 2001:db8:: \}`)
zI`nft delete element inet f2b-table addr6-set-j-w-nft-mp \{ 2001:db8:: \}`)
�ip4�ip6�*-start�	ip4-start�	ip6-start�flushrw�	ip4-check�	ip6-check�ip4-ban�	ip4-unban�ip6-ban�	ip6-unbanz
j-w-nft-apz8nftables-allports[name=%(__name__)s, protocol="tcp,udp"])r�r�)zG`nft add set inet f2b-table addr-set-j-w-nft-ap \{ type ipv4_addr\; \}`zg`nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp,udp \} ip saddr @addr-set-j-w-nft-ap reject`)zH`nft add set inet f2b-table addr6-set-j-w-nft-ap \{ type ipv6_addr\; \}`zi`nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp,udp \} ip6 saddr @addr6-set-j-w-nft-ap reject`)zG`{ nft flush set inet f2b-table addr-set-j-w-nft-ap 2> /dev/null; } || zH`{ nft flush set inet f2b-table addr6-set-j-w-nft-ap 2> /dev/null; } || )z�`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`r�z3`nft delete set inet f2b-table addr-set-j-w-nft-ap`z�`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`r�z4`nft delete set inet f2b-table addr6-set-j-w-nft-ap`)
zO`nft list chain inet f2b-table f2b-chain | grep -q '@addr-set-j-w-nft-ap[ \t]'`)
zP`nft list chain inet f2b-table f2b-chain | grep -q '@addr6-set-j-w-nft-ap[ \t]'`)
zD`nft add element inet f2b-table addr-set-j-w-nft-ap \{ 192.0.2.1 \}`)
zG`nft delete element inet f2b-table addr-set-j-w-nft-ap \{ 192.0.2.1 \}`)
zF`nft add element inet f2b-table addr6-set-j-w-nft-ap \{ 2001:db8:: \}`)
zI`nft delete element inet f2b-table addr6-set-j-w-nft-ap \{ 2001:db8:: \}`zj-dummyzodummy[name=%(__name__)s, init="=='<family>/<ip>'==bt:<bantime>==bc:<bancount>==", target="/tmp/fail2ban.dummy"])
z
family: inet4)
z
family: inet6)z$`printf %b "=='/'==bt:600==bc:0==\n"z7`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- started"`)
z9`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- clear all"`)
z7`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- stopped"`)
zP`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- banned 192.0.2.1 (family: inet4)"`)
zR`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- unbanned 192.0.2.1 (family: inet4)"`)
zQ`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- banned 2001:db8:: (family: inet6)"`)
zS`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- unbanned 2001:db8:: (family: inet6)"`)	r�r�r�r�rwr�r�r�r�zj-hostsdenyzPhostsdeny[name=%(__name__)s, actionstop="rm <file>", file="/tmp/fail2ban.dummy"])
z5`printf %b "ALL: 192.0.2.1\n" >> /tmp/fail2ban.dummy`)
z^`IP=$(echo "192.0.2.1" | sed 's/[][\.]/\\\0/g') && sed -i "/^ALL: $IP$/d" /tmp/fail2ban.dummy`)
z8`printf %b "ALL: [2001:db8::]\n" >> /tmp/fail2ban.dummy`)
za`IP=$(echo "[2001:db8::]" | sed 's/[][\.]/\\\0/g') && sed -i "/^ALL: $IP$/d" /tmp/fail2ban.dummy`)r�r�r�r�r�r�zj-w-iptables-mpzwiptables-multiport[name=%(__name__)s, bantime="10m", port="http,https", protocol="tcp,udp,sctp", chain="<known/chain>"])�
`iptables �icmp-port-unreachable)�`ip6tables �icmp6-port-unreachable)r�r�)z�`{ iptables -w -C f2b-j-w-iptables-mp -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-j-w-iptables-mp || true; iptables -w -A f2b-j-w-iptables-mp -j RETURN; }`z�`{ iptables -w -C INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp; }`)z�`{ ip6tables -w -C f2b-j-w-iptables-mp -j RETURN >/dev/null 2>&1; } || { ip6tables -w -N f2b-j-w-iptables-mp || true; ip6tables -w -A f2b-j-w-iptables-mp -j RETURN; }`zq`{ ip6tables -w -C INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp >/dev/null 2>&1; } || z]{ ip6tables -w -I INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp; }`)�$`iptables -w -F f2b-j-w-iptables-mp`�%`ip6tables -w -F f2b-j-w-iptables-mp`)zX`iptables -w -D INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp`r�z$`iptables -w -X f2b-j-w-iptables-mp`zY`ip6tables -w -D INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp`r�z%`ip6tables -w -X f2b-j-w-iptables-mp`)
zX`iptables -w -C INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp`)
zY`ip6tables -w -C INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp`)
za`iptables -w -I f2b-j-w-iptables-mp 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)
z_`iptables -w -D f2b-j-w-iptables-mp -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)
zd`ip6tables -w -I f2b-j-w-iptables-mp 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`)
zb`ip6tables -w -D f2b-j-w-iptables-mp -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`)
r�r��*-start-stop-checkr�r�r�rwr�r�r�r�r�r�zj-w-iptables-apzciptables-allports[name=%(__name__)s, bantime="10m", protocol="tcp,udp,sctp", chain="<known/chain>"])z�`{ iptables -w -C f2b-j-w-iptables-ap -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-j-w-iptables-ap || true; iptables -w -A f2b-j-w-iptables-ap -j RETURN; }`zO`{ iptables -w -C INPUT -p $proto -j f2b-j-w-iptables-ap >/dev/null 2>&1; } || z;{ iptables -w -I INPUT -p $proto -j f2b-j-w-iptables-ap; }`)z�`{ ip6tables -w -C f2b-j-w-iptables-ap -j RETURN >/dev/null 2>&1; } || { ip6tables -w -N f2b-j-w-iptables-ap || true; ip6tables -w -A f2b-j-w-iptables-ap -j RETURN; }`zP`{ ip6tables -w -C INPUT -p $proto -j f2b-j-w-iptables-ap >/dev/null 2>&1; } || z<{ ip6tables -w -I INPUT -p $proto -j f2b-j-w-iptables-ap; }`)�$`iptables -w -F f2b-j-w-iptables-ap`�%`ip6tables -w -F f2b-j-w-iptables-ap`)z7`iptables -w -D INPUT -p $proto -j f2b-j-w-iptables-ap`r�z$`iptables -w -X f2b-j-w-iptables-ap`z8`ip6tables -w -D INPUT -p $proto -j f2b-j-w-iptables-ap`r�z%`ip6tables -w -X f2b-j-w-iptables-ap`)
z7`iptables -w -C INPUT -p $proto -j f2b-j-w-iptables-ap`)
z8`ip6tables -w -C INPUT -p $proto -j f2b-j-w-iptables-ap`)
za`iptables -w -I f2b-j-w-iptables-ap 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)
z_`iptables -w -D f2b-j-w-iptables-ap -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)
zd`ip6tables -w -I f2b-j-w-iptables-ap 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`)
zb`ip6tables -w -D f2b-j-w-iptables-ap -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`zj-w-iptables-ipsetz\iptables-ipset-proto6[name=%(__name__)s, port="http", protocol="tcp", chain="<known/chain>"])
z f2b-j-w-iptables-ipset )
z f2b-j-w-iptables-ipset6 )z0`for proto in $(echo 'tcp' | sed 's/,/ /g'); do`r�)z?`ipset -exist create f2b-j-w-iptables-ipset hash:ip timeout 0 `aJ
`{ iptables -w -C INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable; }`)zL`ipset -exist create f2b-j-w-iptables-ipset6 hash:ip timeout 0 family inet6`aP
`{ ip6tables -w -C INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable >/dev/null 2>&1; } || { ip6tables -w -I INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable; }`)�$`ipset flush f2b-j-w-iptables-ipset`�%`ipset flush f2b-j-w-iptables-ipset6`)z�`iptables -w -D INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable`r�z&`ipset destroy f2b-j-w-iptables-ipset`z�`ip6tables -w -D INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`r�z'`ipset destroy f2b-j-w-iptables-ipset6`)
z�`iptables -w -C INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable`)
z�`ip6tables -w -C INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`)
z=`ipset -exist add f2b-j-w-iptables-ipset 192.0.2.1 timeout 0`)
z3`ipset -exist del f2b-j-w-iptables-ipset 192.0.2.1`)
z?`ipset -exist add f2b-j-w-iptables-ipset6 2001:db8:: timeout 0`)
z5`ipset -exist del f2b-j-w-iptables-ipset6 2001:db8::`zj-w-iptables-ipset-apzHiptables-ipset-proto6-allports[name=%(__name__)s, chain="<known/chain>"])
z f2b-j-w-iptables-ipset-ap )
z f2b-j-w-iptables-ipset-ap6 )zB`ipset -exist create f2b-j-w-iptables-ipset-ap hash:ip timeout 0 `a
`{ iptables -w -C INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable; })zO`ipset -exist create f2b-j-w-iptables-ipset-ap6 hash:ip timeout 0 family inet6`a
`{ ip6tables -w -C INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable >/dev/null 2>&1; } || { ip6tables -w -I INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable; })�'`ipset flush f2b-j-w-iptables-ipset-ap`�(`ipset flush f2b-j-w-iptables-ipset-ap6`)z`iptables -w -D INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`r�z)`ipset destroy f2b-j-w-iptables-ipset-ap`z�`ip6tables -w -D INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`r�z*`ipset destroy f2b-j-w-iptables-ipset-ap6`)
z`iptables -w -C INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`)
z�`ip6tables -w -C INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`)
z@`ipset -exist add f2b-j-w-iptables-ipset-ap 192.0.2.1 timeout 0`)
z6`ipset -exist del f2b-j-w-iptables-ipset-ap 192.0.2.1`)
zB`ipset -exist add f2b-j-w-iptables-ipset-ap6 2001:db8:: timeout 0`)
z8`ipset -exist del f2b-j-w-iptables-ipset-ap6 2001:db8::`zj-w-iptablesz^iptables[name=%(__name__)s, bantime="10m", port="http", protocol="tcp", chain="<known/chain>"])z�`{ iptables -w -C f2b-j-w-iptables -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-j-w-iptables || true; iptables -w -A f2b-j-w-iptables -j RETURN; }z�`{ iptables -w -C INPUT -p $proto --dport http -j f2b-j-w-iptables >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto --dport http -j f2b-j-w-iptables; }`)z�`{ ip6tables -w -C f2b-j-w-iptables -j RETURN >/dev/null 2>&1; } || { ip6tables -w -N f2b-j-w-iptables || true; ip6tables -w -A f2b-j-w-iptables -j RETURN; }z�`{ ip6tables -w -C INPUT -p $proto --dport http -j f2b-j-w-iptables >/dev/null 2>&1; } || { ip6tables -w -I INPUT -p $proto --dport http -j f2b-j-w-iptables; }`)�!`iptables -w -F f2b-j-w-iptables`�"`ip6tables -w -F f2b-j-w-iptables`)zA`iptables -w -D INPUT -p $proto --dport http -j f2b-j-w-iptables`r�z!`iptables -w -X f2b-j-w-iptables`zB`ip6tables -w -D INPUT -p $proto --dport http -j f2b-j-w-iptables`r�z"`ip6tables -w -X f2b-j-w-iptables`)
zA`iptables -w -C INPUT -p $proto --dport http -j f2b-j-w-iptables`)
zB`ip6tables -w -C INPUT -p $proto --dport http -j f2b-j-w-iptables`)
z^`iptables -w -I f2b-j-w-iptables 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)
z\`iptables -w -D f2b-j-w-iptables -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)
za`ip6tables -w -I f2b-j-w-iptables 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`)
z_`ip6tables -w -D f2b-j-w-iptables -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`zj-w-iptables-newzbiptables-new[name=%(__name__)s, bantime="10m", port="http", protocol="tcp", chain="<known/chain>"])z�`{ iptables -w -C f2b-j-w-iptables-new -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-j-w-iptables-new || true; iptables -w -A f2b-j-w-iptables-new -j RETURN; }`z�`{ iptables -w -C INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new >/dev/null 2>&1; } || { iptables -w -I INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new; }`)z�`{ ip6tables -w -C f2b-j-w-iptables-new -j RETURN >/dev/null 2>&1; } || { ip6tables -w -N f2b-j-w-iptables-new || true; ip6tables -w -A f2b-j-w-iptables-new -j RETURN; }`z�`{ ip6tables -w -C INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new >/dev/null 2>&1; } || { ip6tables -w -I INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new; }`)�%`iptables -w -F f2b-j-w-iptables-new`�&`ip6tables -w -F f2b-j-w-iptables-new`)zZ`iptables -w -D INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new`r�z%`iptables -w -X f2b-j-w-iptables-new`z[`ip6tables -w -D INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new`r�z&`ip6tables -w -X f2b-j-w-iptables-new`)
zZ`iptables -w -C INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new`)
z[`ip6tables -w -C INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new`)
zb`iptables -w -I f2b-j-w-iptables-new 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)
z``iptables -w -D f2b-j-w-iptables-new -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)
ze`ip6tables -w -I f2b-j-w-iptables-new 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`)
zc`ip6tables -w -D f2b-j-w-iptables-new -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`zj-w-iptables-xtrezPiptables-xt_recent-echo[name=%(__name__)s, bantime="10m", chain="<known/chain>"])r�z/f2b-j-w-iptables-xtre`)r�z/f2b-j-w-iptables-xtre6`)
a"
`{ iptables -w -C INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre -j REJECT --reject-with icmp-port-unreachable >/dev/null 2>&1; } || { iptables -w -I INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre -j REJECT --reject-with icmp-port-unreachable; }`)
a(
`{ ip6tables -w -C INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT --reject-with icmp6-port-unreachable >/dev/null 2>&1; } || { ip6tables -w -I INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT --reject-with icmp6-port-unreachable; }`)z4`echo / > /proc/net/xt_recent/f2b-j-w-iptables-xtre`�`if [ `id -u` -eq 0 ];then`z�`iptables -w -D INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre -j REJECT --reject-with icmp-port-unreachable;`�`fi`z5`echo / > /proc/net/xt_recent/f2b-j-w-iptables-xtre6`r�z�`ip6tables -w -D INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT --reject-with icmp6-port-unreachable;`r�)
z�`{ iptables -w -C INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre -j REJECT --reject-with icmp-port-unreachable; } && test -e /proc/net/xt_recent/f2b-j-w-iptables-xtre`)
z�`{ ip6tables -w -C INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT --reject-with icmp6-port-unreachable; } && test -e /proc/net/xt_recent/f2b-j-w-iptables-xtre6`)
z=`echo +192.0.2.1 > /proc/net/xt_recent/f2b-j-w-iptables-xtre`)
z=`echo -192.0.2.1 > /proc/net/xt_recent/f2b-j-w-iptables-xtre`)
z?`echo +2001:db8:: > /proc/net/xt_recent/f2b-j-w-iptables-xtre6`)
z?`echo -2001:db8:: > /proc/net/xt_recent/f2b-j-w-iptables-xtre6`)r�r�r�r�rwr�r�r�r�r�r�zj-w-pfz2pf[name=%(__name__)s, actionstart_on_demand=false]r!)zF`echo "table <f2b-j-w-pf> persist counters" | pfctl -a f2b/j-w-pf -f-`z
port="<port>"z\`echo "block quick proto tcp from <f2b-j-w-pf> to any port $port" | pfctl -a f2b/j-w-pf -f-`)
�,`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T flush`)zT`pfctl -a f2b/j-w-pf -sr 2>/dev/null | grep -v f2b-j-w-pf | pfctl -a f2b/j-w-pf -f-`r�z+`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T kill`)
z.`pfctl -a f2b/j-w-pf -sr | grep -q f2b-j-w-pf`)
z4`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T add 192.0.2.1`)
z7`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T delete 192.0.2.1`)
z5`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T add 2001:db8::`)
z8`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T delete 2001:db8::`)r�r�r�r�rwr�r�r�r�r�r�z	j-w-pf-mpz@pf[actiontype=<multiport>][name=%(__name__)s, port="http,https"])zL`echo "table <f2b-j-w-pf-mp> persist counters" | pfctl -a f2b/j-w-pf-mp -f-`zport="http,https"zb`echo "block quick proto tcp from <f2b-j-w-pf-mp> to any port $port" | pfctl -a f2b/j-w-pf-mp -f-`)
�2`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T flush`)z]`pfctl -a f2b/j-w-pf-mp -sr 2>/dev/null | grep -v f2b-j-w-pf-mp | pfctl -a f2b/j-w-pf-mp -f-`r�z1`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T kill`)
z4`pfctl -a f2b/j-w-pf-mp -sr | grep -q f2b-j-w-pf-mp`)
z:`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T add 192.0.2.1`)
z=`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T delete 192.0.2.1`)
z;`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T add 2001:db8::`)
z>`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T delete 2001:db8::`z	j-w-pf-apzHpf[actiontype=<allports>, actionstart_on_demand=true][name=%(__name__)s])zL`echo "table <f2b-j-w-pf-ap> persist counters" | pfctl -a f2b/j-w-pf-ap -f-`zW`echo "block quick proto tcp from <f2b-j-w-pf-ap> to any" | pfctl -a f2b/j-w-pf-ap -f-`)
�2`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T flush`)z]`pfctl -a f2b/j-w-pf-ap -sr 2>/dev/null | grep -v f2b-j-w-pf-ap | pfctl -a f2b/j-w-pf-ap -f-`r�z1`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T kill`)
z4`pfctl -a f2b/j-w-pf-ap -sr | grep -q f2b-j-w-pf-ap`)
z:`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T add 192.0.2.1`)
z=`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T delete 192.0.2.1`)
z;`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T add 2001:db8::`)
z>`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T delete 2001:db8::`)r�r�r�r�r�rwr�r�r�r�r�r�zj-w-fwcmd-mpzqfirewallcmd-multiport[name=%(__name__)s, bantime="10m", port="http,https", protocol="tcp", chain="<known/chain>"])z ipv4 r�)z ipv6 r�)z@`firewall-cmd --direct --add-chain ipv4 filter f2b-j-w-fwcmd-mp`zN`firewall-cmd --direct --add-rule ipv4 filter f2b-j-w-fwcmd-mp 1000 -j RETURN`z�`firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -m conntrack --ctstate NEW -p tcp -m multiport --dports http,https -j f2b-j-w-fwcmd-mp`)z@`firewall-cmd --direct --add-chain ipv6 filter f2b-j-w-fwcmd-mp`zN`firewall-cmd --direct --add-rule ipv6 filter f2b-j-w-fwcmd-mp 1000 -j RETURN`z�`firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -m conntrack --ctstate NEW -p tcp -m multiport --dports http,https -j f2b-j-w-fwcmd-mp`)z�`firewall-cmd --direct --remove-rule ipv4 filter INPUT_direct 0 -m conntrack --ctstate NEW -p tcp -m multiport --dports http,https -j f2b-j-w-fwcmd-mp`zC`firewall-cmd --direct --remove-rules ipv4 filter f2b-j-w-fwcmd-mp`zC`firewall-cmd --direct --remove-chain ipv4 filter f2b-j-w-fwcmd-mp`z�`firewall-cmd --direct --remove-rule ipv6 filter INPUT_direct 0 -m conntrack --ctstate NEW -p tcp -m multiport --dports http,https -j f2b-j-w-fwcmd-mp`zC`firewall-cmd --direct --remove-rules ipv6 filter f2b-j-w-fwcmd-mp`zC`firewall-cmd --direct --remove-chain ipv6 filter f2b-j-w-fwcmd-mp`)
zc`firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-j-w-fwcmd-mp$'`)
zc`firewall-cmd --direct --get-chains ipv6 filter | sed -e 's, ,\n,g' | grep -q '^f2b-j-w-fwcmd-mp$'`)
z|`firewall-cmd --direct --add-rule ipv4 filter f2b-j-w-fwcmd-mp 0 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)
z`firewall-cmd --direct --remove-rule ipv4 filter f2b-j-w-fwcmd-mp 0 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)
z~`firewall-cmd --direct --add-rule ipv6 filter f2b-j-w-fwcmd-mp 0 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`)
z�`firewall-cmd --direct --remove-rule ipv6 filter f2b-j-w-fwcmd-mp 0 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`zj-w-fwcmd-apz]firewallcmd-allports[name=%(__name__)s, bantime="10m", protocol="tcp", chain="<known/chain>"])z@`firewall-cmd --direct --add-chain ipv4 filter f2b-j-w-fwcmd-ap`zN`firewall-cmd --direct --add-rule ipv4 filter f2b-j-w-fwcmd-ap 1000 -j RETURN`zQ`firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -j f2b-j-w-fwcmd-ap`)z@`firewall-cmd --direct --add-chain ipv6 filter f2b-j-w-fwcmd-ap`zN`firewall-cmd --direct --add-rule ipv6 filter f2b-j-w-fwcmd-ap 1000 -j RETURN`zQ`firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -j f2b-j-w-fwcmd-ap`)zT`firewall-cmd --direct --remove-rule ipv4 filter INPUT_direct 0 -j f2b-j-w-fwcmd-ap`zC`firewall-cmd --direct --remove-rules ipv4 filter f2b-j-w-fwcmd-ap`zC`firewall-cmd --direct --remove-chain ipv4 filter f2b-j-w-fwcmd-ap`zT`firewall-cmd --direct --remove-rule ipv6 filter INPUT_direct 0 -j f2b-j-w-fwcmd-ap`zC`firewall-cmd --direct --remove-rules ipv6 filter f2b-j-w-fwcmd-ap`zC`firewall-cmd --direct --remove-chain ipv6 filter f2b-j-w-fwcmd-ap`)
zc`firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-j-w-fwcmd-ap$'`)
zc`firewall-cmd --direct --get-chains ipv6 filter | sed -e 's, ,\n,g' | grep -q '^f2b-j-w-fwcmd-ap$'`)
z|`firewall-cmd --direct --add-rule ipv4 filter f2b-j-w-fwcmd-ap 0 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)
z`firewall-cmd --direct --remove-rule ipv4 filter f2b-j-w-fwcmd-ap 0 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)
z~`firewall-cmd --direct --add-rule ipv6 filter f2b-j-w-fwcmd-ap 0 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`)
z�`firewall-cmd --direct --remove-rule ipv6 filter f2b-j-w-fwcmd-ap 0 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`zj-w-fwcmd-ipsetzXfirewallcmd-ipset[name=%(__name__)s, port="http", protocol="tcp", chain="<known/chain>"])
z f2b-j-w-fwcmd-ipset )
z f2b-j-w-fwcmd-ipset6 )z<`ipset -exist create f2b-j-w-fwcmd-ipset hash:ip timeout 0 `z�`firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports http -m set --match-set f2b-j-w-fwcmd-ipset src -j REJECT --reject-with icmp-port-unreachable`)zI`ipset -exist create f2b-j-w-fwcmd-ipset6 hash:ip timeout 0 family inet6`z�`firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -p tcp -m multiport --dports http -m set --match-set f2b-j-w-fwcmd-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`)�!`ipset flush f2b-j-w-fwcmd-ipset`�"`ipset flush f2b-j-w-fwcmd-ipset6`)z�`firewall-cmd --direct --remove-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports http -m set --match-set f2b-j-w-fwcmd-ipset src -j REJECT --reject-with icmp-port-unreachable`r�z#`ipset destroy f2b-j-w-fwcmd-ipset`z�`firewall-cmd --direct --remove-rule ipv6 filter INPUT_direct 0 -p tcp -m multiport --dports http -m set --match-set f2b-j-w-fwcmd-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`r�z$`ipset destroy f2b-j-w-fwcmd-ipset6`)
z:`ipset -exist add f2b-j-w-fwcmd-ipset 192.0.2.1 timeout 0`)
z0`ipset -exist del f2b-j-w-fwcmd-ipset 192.0.2.1`)
z<`ipset -exist add f2b-j-w-fwcmd-ipset6 2001:db8:: timeout 0`)
z2`ipset -exist del f2b-j-w-fwcmd-ipset6 2001:db8::`)
r�r�r�r�r�rwr�r�r�r�zj-w-fwcmd-ipset-apzbfirewallcmd-ipset[name=%(__name__)s, actiontype=<allports>, protocol="tcp", chain="<known/chain>"])
z f2b-j-w-fwcmd-ipset-ap )
z f2b-j-w-fwcmd-ipset-ap6 )z?`ipset -exist create f2b-j-w-fwcmd-ipset-ap hash:ip timeout 0 `z�`firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`)zL`ipset -exist create f2b-j-w-fwcmd-ipset-ap6 hash:ip timeout 0 family inet6`z�`firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`)�$`ipset flush f2b-j-w-fwcmd-ipset-ap`�%`ipset flush f2b-j-w-fwcmd-ipset-ap6`)z�`firewall-cmd --direct --remove-rule ipv4 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`r�z&`ipset destroy f2b-j-w-fwcmd-ipset-ap`z�`firewall-cmd --direct --remove-rule ipv6 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`r�z'`ipset destroy f2b-j-w-fwcmd-ipset-ap6`)
z=`ipset -exist add f2b-j-w-fwcmd-ipset-ap 192.0.2.1 timeout 0`)
z3`ipset -exist del f2b-j-w-fwcmd-ipset-ap 192.0.2.1`)
z?`ipset -exist add f2b-j-w-fwcmd-ipset-ap6 2001:db8:: timeout 0`)
z5`ipset -exist del f2b-j-w-fwcmd-ipset-ap6 2001:db8::`z
j-fwcmd-rrz4firewallcmd-rich-rules[port="22:24", protocol="tcp"])z
family='ipv4'r�)z
family='ipv6'r�)
z�`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`)
z�`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`)
z� `ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`)
z�`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`z
j-fwcmd-rlz6firewallcmd-rich-logging[port="22:24", protocol="tcp"])
a

`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`)
a

`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`)
a

 `ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`)
a
`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`rrcrdrerfr�r�r�r�rgrWr�r�r�r�rhr�rirXr�r�rjr�r�z# === check ipv4 ===�familyz*-checkr�z# === check ipv6 ===r�z# === flush ===rkrw)r�r�ryrr8r}r�rMrLr�rarrQrRrlr�r�r\rmrTrnr�r�rEr�r

r�
r�
�_invariantCheckr�rw)r#�testJailsActionsr7r9rrRr��testsr~rNrgr�rf
rorr�
s                r&�testCheckStockCommandActionsz4ServerConfigReaderTests.testCheckStockCommandActions?s9��
�,�,���d��+��e�(�1P�����
�������Y
/h
�/�b
�L�(�1P�����
�������S
,O
�,�\
�E��&8���
�����+G��4�e��&8�����h
�� �Q�2�;d��
���
�������]
1S�1�f
�|�2�;d��
���
�������]
1
�1�f
�x�(�1O��
�
�
�
�������Y
/{
�/�b
�g�+�4U��
�
�
�
�������Y
/j
�/�b
�t�2�;d��
���
�������]
1w
�1�f
�|�2�;d��
���
�������]
1
�1�f
�k�4�=h���	
�������C
$n
�$�L

�B�
�b��
�
�
E
�D�J�M�K�N�)E
��.�S�
�b��
�
�
K
�J�P�S�Q�T�)V
��.�[�
�b����
�
K
�J�P�S�Q�T�)^
��.�H�.�7[��
�

�������G
&J�&�P
�s�.�7[��
�

�������G
&v
�&�P
�q�%�.I����
�����?"t
�"�H
�~�(�1O����
�����?"A�"�H
�H�6�?k�����K
�� �J�6�?k�����M
��Y[��x�<�&��!�!�&��2�2�*�*�
��d�C���%�%�d�C�0�6���s��~�~�c�"�H�C�����S�!���
��
�
�%�� � �"�&�*�>j
��d�C���$�K���<j
�q�
�4�[�
 �
 ��
#�F�
�L�L�"�#�
�L�L��$��,����"=�>�
�L�L�"�#��O�O�J�v�x�'=�'=�>�?��(�(�F���M�M�#�$�
�L�L�N��y�y����T����g��1�D�1�	���;�	�E�I�I�k�$:��T���5��-�e�K�.@�@�K�d�K��M�M�&�'�
�J�J�v�f�~���y�y���0�t�0�0�%�)�)�I�u�y�y�Qe�gi�Gj�2k�lq�r}�l~�2~� J�EI� J��y�y���3�t�3�3�U�;�5G�R�T�R��D���u�Y�'�2�T�2��D���%��,�1�D�1��M�M�(�)�
�L�L���� ��D���u�[�)�4�t�4��D���%��,�1�D�1��M�M�&�'�
�J�J�v�f�~���y�y���0�t�0�0�%�)�)�I�u�y�y�Qe�gi�Gj�2k�lq�r}�l~�2~� J�EI� J��y�y���3�t�3�3�U�;�5G�R�T�R��D���u�Y�'�2�T�2��D���%��,�1�D�1��M�M�(�)�
�L�L���� ��D���u�[�)�4�t�4��D���%��,�1�D�1��y�y���	�]�]�)�*����F�6�N�8�4�5��T����	�	�)�U�Y�Y�7K�R�-P�Q�RW�Xc�Rd�d�o�jn�o�
�	�	�+��5��#5��{�9K�#K��d���E�+�.�9�D�9��y�y���	�]�]�)�*����F�6�N�8�4�5��T����	�	�)�U�Y�Y�7K�R�-P�Q�RW�Xc�Rd�d�o�jn�o�
�	�	�+��5��#5��{�9K�#K��d���E�+�.�9�D�9��y�y���	�]�]�$�%��\�\�^��T����g��1�D�1��M�M�"�#�
�K�K�M��y�y���+�$�+�+�U�Y�Y�7K�R�-P�QV�W]�Q^�-^�i�dh�i�y
<j
�>j
r)c�
�|
}t
|
t�r|
d
}tjdd|�}tjdd�|d�}t
|
t�r||
d
<n|}
tj
j
|
|��S)Nrz\)\s*\|\s*(\S*mail\b[^\n]*)z$) | cat; printf "\\n... | "; echo \1z\bADDRESSES=\$\(dig\s[^\n]+c
��y
)Nz@ADDRESSES="abuse-1@abuse-test-server, abuse-2@abuse-test-server"r!)
�
ms
 r&r�z9ServerConfigReaderTests._executeMailCmd.<locals>.<lambda>s�r)r)
r�
)r�r_�re�subr\rmrn)r#rSr�
rNs    r&�_executeMailCmdz'ServerConfigReaderTests._executeMailCmdvs����#�����	���3�
���-�*�C�
	1�#�	���-�O���	�#������7�1�:�
�7�	�	�	�	*�	*�7�G�	*�	D�Dr)c
� �tjjd
��

ddtjjtd�zdzdztjjtd�zd	zd
di
fdd
tjjtd�zdzdztjjtd�zd	zd
di
fddtjjtd�zdzdztjjtd�zdzddd�fddddd�ff}
t�}|j}|j}|
D]E\}}}|j||�}|D](}	|j|	�
\}
}|j|
d�
�*�G|j}td�
}
td�
}t�}|
D�
];\}}}||j D�
]!}||j |}t"j%d�

t"j%d|dz|j&z�
t"j%d�

|j(|_d
|
fd|ffD]�\}}|j-|�
s
�|j/d |z�

t1|�
}|j3d!�

|j5d"d#g�

t6j8j;||�}|j=|�

|j>||d$d
i
�

���
�$�
�>y)%NTrrzj-mail-whois-linesz\mail-whois-lines[name=%(__name__)s, grepopts="-m 1", grepmax=2, mailcmd="mail -s", logpath="r.
rNz	         ztestcase01a.logz8", _whois_command="echo '-- information about <ip> --'"]r�)�;The IP 87.142.124.10 has just been banned by Fail2Ban afterz(100 attempts against j-mail-whois-lines.�.Here is more information about 87.142.124.10 :�%-- information about 87.142.124.10 --�2Lines containing failures of 87.142.124.10 (max 2)�etestcase01.log:Dec 31 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 87.142.124.10�etestcase01a.log:Dec 31 11:55:01 [sshd] error: PAM: Authentication failure for test from 87.142.124.10zj-sendmail-whois-lineszxsendmail-whois-lines[name=%(__name__)s, grepopts="-m 1", grepmax=2, mailcmd='testmail -f "<sender>" "<dest>"', logpath=")r�z,100 attempts against j-sendmail-whois-lines.r�r�r�r�r�zj-complain-abusez�complain[name=%(__name__)s, grepopts="-m 1", grepmax=2, mailcmd="mail -s 'Hostname: <ip-host>, family: <family>' - ",debug=1,logpath="z", ])�6try to resolve 10.124.142.87.abuse-contacts.abusix.orgr�r�r�zymail -s Hostname: test-host, family: inet4 - Abuse from 87.142.124.10 abuse-1@abuse-test-server abuse-2@abuse-test-server)�htry to resolve 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.abuse-contacts.abusix.orgz0Lines containing failures of 2001:db8::1 (max 2)zwmail -s Hostname: test-host, family: inet6 - Abuse from 2001:db8::1 abuse-1@abuse-test-server abuse-2@abuse-test-server)r�r�zj-xarf-abusezIxarf-login-attack[name=%(__name__)s, mailcmd="mail", mailargs="",debug=1])r�z8We have detected abuse from the IP address 87.142.124.10�VDec 31 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 87.142.124.10�UDec 31 11:55:01 [sshd] error: PAM: Authentication failure for test from 87.142.124.10�8mail abuse-1@abuse-test-server abuse-2@abuse-test-server)r�z6We have detected abuse from the IP address 2001:db8::1r�rz
87.142.124.10z2001:db8::1rcrdrer�z# === %s ===r�r�r�r�) r�r�ryr�r4
r5
r6
rr8r}r�rMrLr�rrrrQrRrlr�rnrEr�r�
setAttempt�
setMatchesr\rm
r]r�
r�)r#r�r7r9rrRr�r�r~rNrgr�rf
rWrXr^rr�
�testr
r`s                     r&�testComplexMailActionMultiLogz5ServerConfigReaderTests.testComplexMailActionMultiLog�sy��
�,�,���d��+����G�G�L�L��1A�B�C
�F
J
�J
��	��W�W�\�\�.�2C�D�	E
�H

�	
���
��(���G�G�L�L��1A�B�C
�F
J
�J
��	��W�W�\�\�.�2C�D�	E
�H

�	
���
��(��
�G�G�L�L��1A�B�C
�
F
J
�J
��
��W�W�\�\�.�2C�D�
E
�
H

�

�����8�
����
�M^
��~�<�&��!�!�&��2�2�*�*�
��d�C���%�%�d�C�0�6���s��~�~�c�"�H�C�����S�!���
��
�
�%�	��	 �$�	�
�	�$��K�'�*�/��d�C���$�K���/�q�
�4�[�
 �
 ��
#�F�
�L�L�"�#�
�L�L��$��,����"=�>�
�L�L�"�#��,�,�F��!�4�(�9�d�*;�<�/�
��r��I�I�d�O�X�	�]�]�>�D�(�)���m�V����s�����^�]������)�)�&�'�:�V��Z�Z����T����d��.��.�/�/�/r))
r�)r,r-r.rHr5rBrTrarpr�r�r�r�r�r�rmrns
@r&rFrF�sF�����
2��� �D
1!�f

�!�(uj
�nE
�$K/r)rF)A�
__author__�
__copyright__�__license__r�r�r�r�r�r5r�
�server.failregexrrrr7rr\�
server.serverr	�server.ipdnsr
r�server.jailr�server.jailthreadr
�
server.ticketr�server.utilsr�	dummyjailr�utilsrrr�helpersrrrrP
rrr~
r4
r5
�dirname�__file__r6
r<rQrr0rpr�
�TestCaserrr'r+�clientreadertestcaserBrCrDrFr!r)r&�<module>r�
s@
�


�.�
�2�
������	�	�
��?�?�(�"�+��*�%� � �<�<�;�;��
�
#������b�g�g�o�o�h�7��A����	�:�	��
��
�[

�(�[

�|u
*�/�u
*�p{

N
��{

N
�|
(��!�!�
(�R

J
��"�"�R

J
�j
1��
1�
'
�%�'
�T

H
�G�m
/�0�m
/��i#�

���

�s�:E
�
E�

E