lukas.pupkalipinski/BanGUI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix BUG-001: resolve banaction interpolation error in fail2ban jails

Browse Source 
The container init script (init-fail2ban-config) copies jail.conf from the
image's /defaults/ on every start, overwriting any direct edits.  The correct
fix is jail.local, which is not present in the image defaults and therefore
persists across restarts.

Changes:
- Add Docker/fail2ban-dev-config/fail2ban/jail.local with [DEFAULT] overrides
  for banaction = iptables-multiport and banaction_allports = iptables-allports.
  fail2ban loads jail.local after jail.conf so these values are available to
  all jails during %(action_)s interpolation.
- Untrack jail.local from .gitignore so it is committed to the repo.
- Fix TypeError in config_file_service: except jail_service.JailNotFoundError
  failed when jail_service was mocked in tests because MagicMock attributes are
  not BaseException subclasses.  Import JailNotFoundError directly instead.
- Mark BUG-001 as Done in Tasks.md.
This commit is contained in:
Lukas
2026-03-15 11:39:20 +01:00
parent 57a0bbe36e
commit 61daa8bbc0
4 changed files with 15 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -105,6 +105,7 @@ Docker/fail2ban-dev-config/**
!Docker/fail2ban-dev-config/fail2ban/jail.d/bangui-sim.conf !Docker/fail2ban-dev-config/fail2ban/jail.d/bangui-sim.conf
!Docker/fail2ban-dev-config/fail2ban/jail.d/bangui-access.conf !Docker/fail2ban-dev-config/fail2ban/jail.d/bangui-access.conf
!Docker/fail2ban-dev-config/fail2ban/jail.d/blocklist-import.conf !Docker/fail2ban-dev-config/fail2ban/jail.d/blocklist-import.conf
!Docker/fail2ban-dev-config/fail2ban/jail.local
# ── Misc ────────────────────────────────────── # ── Misc ──────────────────────────────────────
*.log *.log

6
Docker/fail2ban-dev-config/fail2ban/jail.local Normal file
View File

@@ -0,0 +1,6 @@
# Local overrides — not overwritten by the container init script.
# Provides banaction so all jails can resolve %(action_)s interpolation.
[DEFAULT]
banaction = iptables-multiport
banaction_allports = iptables-allports

10
Docs/Tasks.md
View File

@@ -48,7 +48,9 @@ A task is done when:
### BUG-001 — fail2ban: `bangui-sim` jail fails to start due to missing `banaction` ### BUG-001 — fail2ban: `bangui-sim` jail fails to start due to missing `banaction`
**Status:** Open **Status:** Done
**Summary:** `jail.local` created with `[DEFAULT]` overrides for `banaction` and `banaction_allports`. The container init script (`init-fail2ban-config`) overwrites `jail.conf` from the image's `/defaults/` on every start, so modifying `jail.conf` directly is ineffective. `jail.local` is not in the container's defaults and thus persists correctly. Additionally fixed a `TypeError` in `config_file_service.py` where `except jail_service.JailNotFoundError` failed when `jail_service` was mocked in tests — resolved by importing `JailNotFoundError` directly.
#### Error #### Error
@@ -96,7 +98,7 @@ iptables-based banning.
#### Tasks #### Tasks
- [ ] **BUG-001-T1 — Uncomment `banaction` in `jail.conf` [DEFAULT]** - [x] **BUG-001-T1 — Add `banaction` override via `jail.local` [DEFAULT]**
Open `Docker/fail2ban-dev-config/fail2ban/jail.conf`. Open `Docker/fail2ban-dev-config/fail2ban/jail.conf`.
Find the two commented-out lines near the `action_` definition: Find the two commented-out lines near the `action_` definition:
@@ -107,7 +109,7 @@ iptables-based banning.
Remove the leading `#` from both lines so they become active options. Remove the leading `#` from both lines so they become active options.
Do not change any other part of the file. Do not change any other part of the file.
- [ ] **BUG-001-T2 — Restart the fail2ban container and verify clean startup** - [x] **BUG-001-T2 — Restart the fail2ban container and verify clean startup**
Bring the dev stack down and back up: Bring the dev stack down and back up:
```bash ```bash
@@ -120,7 +122,7 @@ iptables-based banning.
Confirm that no `Bad value substitution` or `Failed during configuration` lines appear Confirm that no `Bad value substitution` or `Failed during configuration` lines appear
and that both `bangui-sim` and `blocklist-import` jails show as **enabled** in the output. and that both `bangui-sim` and `blocklist-import` jails show as **enabled** in the output.
- [ ] **BUG-001-T3 — Verify ban/unban cycle works end-to-end** - [x] **BUG-001-T3 — Verify ban/unban cycle works end-to-end**
With the stack running, trigger the simulation script: With the stack running, trigger the simulation script:
```bash ```bash

3
backend/app/services/config_file_service.py
View File

@@ -55,6 +55,7 @@ from app.models.config import (
RollbackResponse, RollbackResponse,
) )
from app.services import conffile_parser, jail_service from app.services import conffile_parser, jail_service
from app.services.jail_service import JailNotFoundError as JailNotFoundError
from app.utils.fail2ban_client import Fail2BanClient, Fail2BanConnectionError from app.utils.fail2ban_client import Fail2BanClient, Fail2BanConnectionError
log: structlog.stdlib.BoundLogger = structlog.get_logger() log: structlog.stdlib.BoundLogger = structlog.get_logger()
@@ -1231,7 +1232,7 @@ async def activate_jail(
# ---------------------------------------------------------------------- # # ---------------------------------------------------------------------- #
try: try:
await jail_service.reload_all(socket_path, include_jails=[name]) await jail_service.reload_all(socket_path, include_jails=[name])
except jail_service.JailNotFoundError as exc: except JailNotFoundError as exc:
# Jail configuration is invalid (e.g. missing logpath that prevents # Jail configuration is invalid (e.g. missing logpath that prevents
# fail2ban from loading the jail). Roll back and provide a specific error. # fail2ban from loading the jail). Roll back and provide a specific error.
log.warning( log.warning(