Hello community,

here is the log from the commit of package tallow for openSUSE:Leap:15.2 
checked in at 2020-02-19 18:47:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/tallow (Old)
 and      /work/SRC/openSUSE:Leap:15.2/.tallow.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "tallow"

Wed Feb 19 18:47:37 2020 rev:1 rq:775976 version:19+git20191106.4b071b0

Changes:
--------
New Changes file:

--- /dev/null   2019-12-19 10:12:34.003146842 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.tallow.new.26092/tallow.changes       
2020-02-19 18:47:38.986953651 +0100
@@ -0,0 +1,82 @@
+-------------------------------------------------------------------
+Thu Dec 19 14:50:26 UTC 2019 - Dominique Leuenberger <[email protected]>
+
+- BuildRequire pkgconfig(libsystemd) instead of systemd-devel:
+  Allow OBS to shortcut through the -mini flavors.
+
+-------------------------------------------------------------------
+Thu Nov 28 12:58:54 UTC 2019 - Thorsten Kukuk <[email protected]>
+
+- 0001-Add-extra-path-for-firewall-cmd.patch: firewall-cmd can be
+  in a different path than ipset/iptables
+
+-------------------------------------------------------------------
+Wed Nov 27 12:00:41 UTC 2019 - [email protected]
+
+- Update to version 19+git20191106.4b071b0:
+  * Need configure in this workflow.
+  * Fix dependency.
+  * Add github workflow integration.
+
+-------------------------------------------------------------------
+Tue Nov 05 14:41:02 UTC 2019 - [email protected]
+
+- Update to version 19+git20191104.5dfb982:
+  * v19
+  * Fixed signedness.
+
+-------------------------------------------------------------------
+Tue Oct 29 10:41:22 UTC 2019 - [email protected]
+
+- Update to version 18+git20191028.83201e8:
+  * v18
+  * Hide unwanted firewalld-cmd error messages.
+  * v17
+  * Add firewalld support
+  * Fix command order in tallow.conf man page
+  * Add json-c to travis.
+  * make older compilers a bit happier
+  * add dovecot as postfix auth backend parsing
+
+-------------------------------------------------------------------
+Sat Aug 17 12:47:00 UTC 2019 - [email protected]
+
+- Update to version 16+git20190425.e4b3977:
+  * Ensure we don't replay old events.
+  * Add example whitelist defaults.
+
+-------------------------------------------------------------------
+Tue Jun  4 16:33:32 CEST 2019 - [email protected]
+
+- Add PreRequires for systemd macros
+
+-------------------------------------------------------------------
+Sun Feb 24 11:07:41 UTC 2019 - [email protected]
+
+- Update to version 16+git20190219.35182b8:
+  * Force insert iptables rules as rule #1.
+  * Debug: print path to skipped file, not the other one.
+
+-------------------------------------------------------------------
+Thu Feb  7 15:33:25 UTC 2019 - Jan Engelhardt <[email protected]>
+
+- Use noun phrase in summary.
+- Wrap description.
+
+-------------------------------------------------------------------
+Wed Feb  6 13:54:54 CET 2019 - [email protected]
+
+- Add requires for iptables and ipset
+
+-------------------------------------------------------------------
+Wed Feb 06 12:17:06 UTC 2019 - [email protected]
+
+- Update to version 16+git20190123.0a0a912:
+  * Move src files to /src/.
+  * Move man pages to /man/ folder.
+
+-------------------------------------------------------------------
+Wed Feb  6 13:15:52 CET 2019 - [email protected]
+
+- Initial version (v16)
+

New:
----
  0001-Add-extra-path-for-firewall-cmd.patch
  _service
  _servicedata
  tallow-19+git20191106.4b071b0.tar.xz
  tallow.changes
  tallow.spec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ tallow.spec ++++++
#
# spec file for package tallow
#
# Copyright (c) 2019 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#


# Package header for tallow, a daemon that issues temporary IP address bans.
Name:           tallow
Version:        19+git20191106.4b071b0
Release:        0
Summary:        Temporary IP address ban issuance daemon
License:        GPL-3.0-or-later
Group:          Productivity/Security
URL:            https://github.com/clearlinux/tallow
# The tarball is a local file; this spec lists no signature or checksum for it.
# NOTE(review): its provenance rests on whatever produced the tarball - confirm
# the packed commit against the revision recorded by the source service.
Source:         tallow-%{version}.tar.xz
# Downstream patch that adds a separate fwcmd_path setting for firewall-cmd.
Patch:          0001-Add-extra-path-for-firewall-cmd.patch
# Runtime tools the daemon calls by path. firewalld is not listed here.
# NOTE(review): the patched source appears to probe for firewall-cmd at run
# time and fall back otherwise - confirm that it is meant to stay optional.
Requires:       ipset
Requires:       iptables
#For systemd macros:
PreReq:         coreutils
# Build-time only: autotools, json-c and pcre headers, libsystemd via pkgconfig.
# NOTE(review): ronn presumably renders the markdown man page sources - confirm.
BuildRequires:  autoconf
BuildRequires:  automake
BuildRequires:  libjson-c-devel
BuildRequires:  pcre-devel
BuildRequires:  pkgconfig
BuildRequires:  pkgconfig(libsystemd)
BuildRequires:  rubygem(ronn)

%description
Tallow is a fail2ban/lard replacement that uses systemd's native
journal API to scan for attempted SSH logins, and issues temporary IP
address bans for clients that violate certain login patterns.

This is not a security application! Tallow is meant to reduce log
clutter and system resource usage at the cost of denying access to
potentially valid users.

%prep
# Unpack the source tarball quietly, then apply the single downstream patch
# with one leading path component stripped.
%setup -q
%patch -p1

%build
# The tarball comes from a git checkout, so the configure script is generated
# here before the standard configure step runs.
./autogen.sh
%configure
# NOTE(review): the reason for forcing a UTF-8 locale before make is not stated
# in this spec - confirm which build step needs it.
export LANG=en_US.UTF-8
make %{?_smp_mflags}

%install
%make_install
# Create an empty tallow.conf in the buildroot so the files list can claim it
# as a ghost entry; no configuration content is shipped at that path.
mkdir -p %{buildroot}%{_sysconfdir}
touch %{buildroot}%{_sysconfdir}/tallow.conf
# Drop the doc directory installed by upstream; the files list picks the
# documentation from the source tree instead.
rm -rf %{buildroot}%{_datadir}/doc/tallow
# Install the systemd unit as a world-readable, non-executable file.
mkdir -p %{buildroot}%{_prefix}/lib/systemd/system
install -m 644 data/tallow.service %{buildroot}%{_prefix}/lib/systemd/system/
# rctallow is a symlink to the generic service wrapper in sbindir.
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rctallow
# For customer provided *.json files:
mkdir -p %{buildroot}%{_sysconfdir}/tallow

%pre
# The four scriptlets below hand tallow.service to the distribution's systemd
# packaging macros. NOTE(review): what each macro does on install, update and
# removal is defined outside this spec - confirm the unit is not enabled by default.
%service_add_pre tallow.service

%post
%service_add_post tallow.service

%preun
%service_del_preun tallow.service

%postun
%service_del_postun tallow.service

%files
%license COPYING
# tallow.conf is shipped only as a documentation example.
%doc README.md tallow.conf
# Directory for locally provided *.json pattern files.
# NOTE(review): these files decide which addresses get banned, so the directory
# should stay writable by root only - confirm the default mode applied here.
%dir %{_sysconfdir}/tallow
%{_sbindir}/tallow
%{_sbindir}/rctallow
%{_prefix}/lib/systemd/system/tallow.service
%{_mandir}/man1/tallow.1%{?ext_man}
%{_mandir}/man5/tallow.conf.5%{?ext_man}
%dir %{_datadir}/tallow
%{_datadir}/tallow/sshd.json
# Ghost entry: the package owns this path but installs no file there, so the
# daemon starts without a configuration file until an administrator adds one.
%ghost %{_sysconfdir}/tallow.conf

%changelog
++++++ 0001-Add-extra-path-for-firewall-cmd.patch ++++++
From 05fcf5541fdd7f89c23cbcf85be78e0327519b74 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <[email protected]>
Date: Thu, 28 Nov 2019 13:24:14 +0100
Subject: [PATCH] Add extra path for firewall-cmd

---
 man/tallow.conf.5.md | 12 ++++++++----
 src/tallow.c         | 28 ++++++++++++++++------------
 tallow.conf          |  1 +
 3 files changed, 25 insertions(+), 16 deletions(-)

diff --git a/man/tallow.conf.5.md b/man/tallow.conf.5.md
index 549e284..79edacd 100644
--- a/man/tallow.conf.5.md
+++ b/man/tallow.conf.5.md
@@ -19,10 +19,14 @@ tallow will operate with built-in defaults.
 
 ## OPTIONS
 
+`fwcmd_path`=`<string>`
+Specifies the location of the ipset(1) firewall-cmd(1) programs. By
+default, tallow will look in "/usr/bin" for them.
+
 `ipt_path`=`<string>`
-Specifies the location of the ipset(1) program and iptables(1), 
-ip6tables(1), or firewall-cmd(1) programs. By default, tallow will 
-look in "/usr/sbin" for them.
+Specifies the location of the ipset(1) program and iptables(1) or
+ip6tables(1) programs. By default, tallow will look in "/usr/sbin"
+for them.
 
 `expires`=`<int>`
 The number of seconds that IP addresses are blocked for. Note that
@@ -58,7 +62,7 @@ default, tallow will create new firewall-cmd(1) or 
iptables(1) and ip6tables(1)
 rules when needed automatically. If set to `1`, `tallow(1)` will not create any
 new firewall DROP rules or ipset sets that are needed work. You should create
 them manually before tallow starts up and remove them afterwards using the sets
-of commands below. 
+of commands below.
 
 Use the following commands if you're using iptables(1):
 
diff --git a/src/tallow.c b/src/tallow.c
index 3ba4158..58e0fb4 100644
--- a/src/tallow.c
+++ b/src/tallow.c
@@ -35,6 +35,7 @@
 #define MAX_OFFSETS 30
 
 static char ipt_path[PATH_MAX];
+static char fwcmd_path[PATH_MAX];
 static int expires = 3600;
 static int has_ipv6 = 0;
 static bool nocreate = false;
@@ -71,17 +72,17 @@ static void ext_ignore(char *fmt, ...)
 static void reset_rules(void)
 {
        /* reset all rules in case the running fw changes */
-       ext_ignore("%s/firewall-cmd --permanent --direct --remove-rule ipv4 
filter INPUT 1 -m set --match-set tallow src -j DROP 2> /dev/null", ipt_path);
-       ext_ignore("%s/firewall-cmd --permanent --delete-ipset=tallow 2> 
/dev/null", ipt_path);
+       ext_ignore("%s/firewall-cmd --permanent --direct --remove-rule ipv4 
filter INPUT 1 -m set --match-set tallow src -j DROP 2> /dev/null", fwcmd_path);
+       ext_ignore("%s/firewall-cmd --permanent --delete-ipset=tallow 2> 
/dev/null", fwcmd_path);
 
        /* delete iptables ref to set before the ipset! */
        ext_ignore("%s/iptables -t filter -D INPUT -m set --match-set tallow 
src -j DROP 2> /dev/null", ipt_path);
        ext_ignore("%s/ipset destroy tallow 2> /dev/null", ipt_path);
 
        if (has_ipv6) {
-               ext_ignore("%s/firewall-cmd --permanent --direct --remove-rule 
ipv6 filter INPUT 1 -m set --match-set tallow6 src -j DROP 2> /dev/null", 
ipt_path);
-               ext_ignore("%s/firewall-cmd --permanent --delete-ipset=tallow6 
2> /dev/null", ipt_path);
-               
+               ext_ignore("%s/firewall-cmd --permanent --direct --remove-rule 
ipv6 filter INPUT 1 -m set --match-set tallow6 src -j DROP 2> /dev/null", 
fwcmd_path);
+               ext_ignore("%s/firewall-cmd --permanent --delete-ipset=tallow6 
2> /dev/null", fwcmd_path);
+
                /* delete iptables ref to set before the ipset! */
                ext_ignore("%s/ip6tables -t filter -D INPUT -m set --match-set 
tallow6 src -j DROP 2> /dev/null", ipt_path);
                ext_ignore("%s/ipset destroy tallow6 2> /dev/null", ipt_path);
@@ -100,39 +101,39 @@ static void setup(void)
 
        /* firewalld */
        char *fwd_path;
-       if (asprintf(&fwd_path, "%s/firewall-cmd", ipt_path) < 0) {
+       if (asprintf(&fwd_path, "%s/firewall-cmd", fwcmd_path) < 0) {
                exit(EXIT_FAILURE);
        }
 
-       if ((access(fwd_path, X_OK) == 0) && ext("%s/firewall-cmd --state 
--quiet", ipt_path) == 0) {
+       if ((access(fwd_path, X_OK) == 0) && ext("%s/firewall-cmd --state 
--quiet", fwcmd_path) == 0) {
                fprintf(stdout, "firewalld is running and will be used by 
tallow.\n");
 
                reset_rules();
 
                /* create ipv4 rule and ipset */
-               if (ext("%s/firewall-cmd --permanent --quiet --new-ipset=tallow 
--type=hash:ip --family=inet --option=timeout=%d", ipt_path, expires)) {
+               if (ext("%s/firewall-cmd --permanent --quiet --new-ipset=tallow 
--type=hash:ip --family=inet --option=timeout=%d", fwcmd_path, expires)) {
                        fprintf(stderr, "Unable to create ipv4 ipset with 
firewall-cmd.\n");
                        exit(EXIT_FAILURE);
                }
-               if (ext("%s/firewall-cmd --permanent --direct --quiet 
--add-rule ipv4 filter INPUT 1 -m set --match-set tallow src -j DROP", 
ipt_path)) {
+               if (ext("%s/firewall-cmd --permanent --direct --quiet 
--add-rule ipv4 filter INPUT 1 -m set --match-set tallow src -j DROP", 
fwcmd_path)) {
                        fprintf(stderr, "Unable to create ipv4 firewalld 
rule.\n");
                        exit(EXIT_FAILURE);
                }
 
                /* create ipv6 rule and ipset */
                if (has_ipv6) {
-                       if (ext("%s/firewall-cmd --permanent --quiet 
--new-ipset=tallow6 --type=hash:ip --family=inet6 --option=timeout=%d", 
ipt_path, expires)) {
+                       if (ext("%s/firewall-cmd --permanent --quiet 
--new-ipset=tallow6 --type=hash:ip --family=inet6 --option=timeout=%d", 
fwcmd_path, expires)) {
                                fprintf(stderr, "Unable to create ipv6 ipset 
with firewall-cmd.\n");
                                exit(EXIT_FAILURE);
                        }
-                       if (ext("%s/firewall-cmd --permanent --direct --quiet 
--add-rule ipv6 filter INPUT 1 -m set --match-set tallow6 src -j DROP ", 
ipt_path)) {
+                       if (ext("%s/firewall-cmd --permanent --direct --quiet 
--add-rule ipv6 filter INPUT 1 -m set --match-set tallow6 src -j DROP ", 
fwcmd_path)) {
                                fprintf(stderr, "Unable to create ipv6 
firewalld rule.\n");
                                exit(EXIT_FAILURE);
                        }
                }
 
                /* reload firewalld for ipsets to load */
-               if (ext("%s/firewall-cmd --reload --quiet", ipt_path, expires)) 
{
+               if (ext("%s/firewall-cmd --reload --quiet", fwcmd_path, 
expires)) {
                        fprintf(stderr, "Unable to reload firewalld rules.\n");
                        exit(EXIT_FAILURE);
                }
@@ -292,6 +293,7 @@ int main(void)
        json_load_patterns();
 
        strcpy(ipt_path, "/usr/sbin");
+       strcpy(fwcmd_path, "/usr/bin");
 
 #ifdef DEBUG
        fprintf(stderr, "Debug output enabled. Send SIGUSR1 to dump internal 
state table\n");
@@ -331,6 +333,8 @@ int main(void)
                        // todo: filter leading/trailing whitespace
                        if (!strcmp(key, "ipt_path"))
                                strncpy(ipt_path, val, PATH_MAX - 1);
+                       if (!strcmp(key, "fwcmd_path"))
+                               strncpy(fwcmd_path, val, PATH_MAX - 1);
                        if (!strcmp(key, "expires"))
                                expires = atoi(val);
                        if (!strcmp(key, "whitelist"))
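Review bot: The new `fwcmd_path` value is copied from the config file without any validation, and the `// todo` line above it shows that not even surrounding whitespace is stripped. reset_rules() and setup() paste this value into command strings that carry `2> /dev/null` redirections, so they presumably run through a shell; a stray space or shell metacharacter in the value would then change which command the daemon runs while it manages firewall rules. I would reject any value that is not an absolute path made of plain path characters before copying it. I would also copy with `snprintf(fwcmd_path, sizeof fwcmd_path, "%s", val);` so that termination does not rely on the static buffer's zero fill and truncation can be detected from the return value. The same applies to the existing `ipt_path` line; main() starts and ends outside this hunk.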
diff --git a/tallow.conf b/tallow.conf
index bf61c0a..df0ffb4 100644
--- a/tallow.conf
+++ b/tallow.conf
@@ -1,6 +1,7 @@
 
 # tallow.conf - see `man tallow.conf` for more information
 
+#fwcmd_path=/usr/bin
 #ipt_path=/usr/sbin
 #expires=3600
 #whitelist=127.0.0.1
-- 
2.16.4

++++++ _service ++++++
<services>
  <!-- Source service definition: tar_scm packs a git checkout into a tarball,
       recompress turns it into .tar.xz and set_version writes the version
       into the spec. All three are mode="disabled", so they run only when a
       packager invokes them, not on every server-side build.
       NOTE(review): the git:// transport gives no authentication or
       encryption of the fetched source; the https:// form of the same
       repository URL is the safer choice, and the fetched commit should be
       compared with the changesrevision recorded in _servicedata. -->
  <service name="tar_scm" mode="disabled">
    <param name="version">18</param>
    <param name="versionformat">19+git%cd.%h</param>
    <param name="url">git://github.com/clearlinux/tallow.git</param>
    <param name="scm">git</param>
    <param name="changesgenerate">enable</param>
    <param name="changesauthor">[email protected]</param>
  </service>
  <service name="recompress" mode="disabled">
    <param name="compression">xz</param>
    <param name="file">*.tar</param>
  </service>
  <service name="set_version" mode="disabled"/>
</services>
++++++ _servicedata ++++++
<servicedata>
  <service name="tar_scm">
    <param name="url">git://github.com/clearlinux/tallow.git</param>
    <param 
name="changesrevision">4b071b01f65317f99077277efe6a31e52d942e29</param>
 </service>
</servicedata>
