This commit implements fixes for three independent bugs in the fail2ban configuration and integration layer: 1. Task 1: Detect UnknownJailException and prevent silent failures - Added JailNotFoundError detection in jail_service.reload_all() - Enhanced error handling in config_file_service to catch JailNotFoundError - Added a specific error message with logpath validation hints - Added a rollback test for this scenario 2. Task 2: Fix iptables-allports exit code 4 (xtables lock contention) - Added a global banaction setting in jail.conf with the -w 5 locking option - Removed redundant per-jail banaction overrides from bangui-sim and blocklist-import - Added a production compose documentation note 3. Task 3: Suppress log noise from unsupported backend/idle commands - Implemented capability detection to cache command support status - Double-checked locking to minimize lock contention - Avoids sending unsupported get <jail> backend/idle commands - Returns default values without socket calls when unsupported All changes include comprehensive tests and maintain backward compatibility.
# ──────────────────────────────────────────────────────────────
|
|
# BanGUI — Blocklist-import jail
|
|
#
|
|
# Dedicated jail for IPs banned via the BanGUI blocklist import
|
|
# feature. This is a manual-ban jail: it does not watch any log
|
|
# file. All bans are injected programmatically via
|
|
# fail2ban-client set blocklist-import banip <ip>
|
|
# which the BanGUI backend uses through its fail2ban socket
|
|
# client.
|
|
# ──────────────────────────────────────────────────────────────
|
|
|
|
[blocklist-import]
|
|
|
|
enabled = true
|
|
# No log-based detection — only manual banip commands are used.
|
|
filter =
|
|
logpath = /dev/null
|
|
backend = auto
|
|
maxretry = 1
|
|
findtime = 1d
|
|
# Block imported IPs for one week.
|
|
bantime = 1w
|
|
|
|
# Never ban the Docker bridge network or localhost.
|
|
ignoreip = 127.0.0.0/8 ::1 172.16.0.0/12
|