From: "Ulrich Müller" <ulm@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: net-analyzer/fail2ban/files/, net-analyzer/fail2ban/
Date: Thu, 18 Sep 2025 17:31:34 +0000 (UTC) [thread overview]
Message-ID: <1758216137.9887cc1da7851677abcb7e5cc6a8bbd60f87859f.ulm@gentoo> (raw)
commit: 9887cc1da7851677abcb7e5cc6a8bbd60f87859f
Author: Ulrich Müller <ulm <AT> gentoo <DOT> org>
AuthorDate: Thu Sep 18 16:54:45 2025 +0000
Commit: Ulrich Müller <ulm <AT> gentoo <DOT> org>
CommitDate: Thu Sep 18 17:22:17 2025 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9887cc1d
net-analyzer/fail2ban: Fix mdpr-ddos regex in filter.d/postfix.conf
The current regex doesn't match the following log entry:
Sep 17 18:19:20 mxhost postfix/smtpd[12345]: NOQUEUE: lost connection after CONNECT from unknown[192.0.2.25]
Closes: https://bugs.gentoo.org/963047
Acked-by: Sam James <sam <AT> gentoo.org>
Signed-off-by: Ulrich Müller <ulm <AT> gentoo.org>
net-analyzer/fail2ban/fail2ban-1.1.0-r5.ebuild | 151 +++++++++++++++++++++
.../files/fail2ban-1.1.0-postfix-ddos.patch | 38 ++++++
2 files changed, 189 insertions(+)
diff --git a/net-analyzer/fail2ban/fail2ban-1.1.0-r5.ebuild b/net-analyzer/fail2ban/fail2ban-1.1.0-r5.ebuild
new file mode 100644
index 000000000000..05a953241bd5
--- /dev/null
+++ b/net-analyzer/fail2ban/fail2ban-1.1.0-r5.ebuild
@@ -0,0 +1,151 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{11..13} )
+
+inherit bash-completion-r1 edo python-single-r1 systemd tmpfiles
+
+DESCRIPTION="Scans log files and bans IPs that show malicious signs"
+HOMEPAGE="https://www.fail2ban.org/"
+
+if [[ ${PV} == *9999 ]] ; then
+ EGIT_REPO_URI="https://github.com/fail2ban/fail2ban"
+ inherit git-r3
+else
+ SRC_URI="https://github.com/fail2ban/fail2ban/archive/${PV}.tar.gz -> ${P}.tar.gz"
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="selinux systemd test"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+
+RDEPEND="
+ ${PYTHON_DEPS}
+ $(python_gen_cond_dep '
+ dev-python/pyasyncore[${PYTHON_USEDEP}]
+ dev-python/pyasynchat[${PYTHON_USEDEP}]
+ ' 3.12)
+ virtual/logger
+ virtual/mta
+ selinux? ( sec-policy/selinux-fail2ban )
+ systemd? (
+ $(python_gen_cond_dep '
+ dev-python/python-systemd[${PYTHON_USEDEP}]
+ ')
+ )
+"
+BDEPEND="
+ $(python_gen_cond_dep '
+ dev-python/setuptools[${PYTHON_USEDEP}]
+ ')
+ test? (
+ $(python_gen_cond_dep '
+ dev-python/aiosmtpd[${PYTHON_USEDEP}]
+ ')
+ )
+"
+
+DOCS=( ChangeLog DEVELOP README.md THANKS TODO doc/run-rootless.txt )
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-0.11.2-adjust-apache-logs-paths.patch
+ "${FILESDIR}"/${PN}-1.0.2-umask-tests.patch
+ "${FILESDIR}"/${PN}-1.1.0-openssh-9.8.patch
+ "${FILESDIR}"/${PN}-1.1.0-openssh-9.8-fixups.patch
+ "${FILESDIR}"/${PN}-1.1.0-openrc-nftables.patch
+ "${FILESDIR}"/${PN}-1.1.0-systemd-order.patch
+ "${FILESDIR}"/${PN}-1.1.0-postfix-ddos.patch
+)
+
+src_prepare() {
+ default
+
+ # Replace /var/run with /run, but not in the top source directory
+ find . -mindepth 2 -type f -exec \
+ sed -i -e 's|/var\(/run/fail2ban\)|\1|g' {} + || die
+}
+
+src_compile() {
+ edo ${EPYTHON} setup.py build
+}
+
+src_test() {
+ # Skip testRepairDb for bug #907348 (didn't always fail..)
+ # https://github.com/fail2ban/fail2ban/issues/3586
+ bin/fail2ban-testcases \
+ --no-network \
+ --ignore databasetestcase.DatabaseTest.testRepairDb \
+ --verbosity=4 || die "Tests failed with ${EPYTHON}"
+
+ # Workaround for bug #790251
+ rm -rf fail2ban.egg-info || die
+}
+
+src_install() {
+ edo ${EPYTHON} setup.py install --prefix="${EPREFIX}/usr" --root="${D}"
+ python_fix_shebang "${ED}"/usr/bin
+ python_optimize
+
+ einstalldocs
+
+ rm -rf "${ED}"/usr/share/doc/${PN} "${ED}"/run || die
+
+ newconfd files/fail2ban-openrc.conf ${PN}
+ # These two are placed in the ${BUILD_DIR} after being "built"
+ # in install_scripts().
+ newinitd "${S}"/build/fail2ban-openrc.init ${PN}
+ systemd_dounit "${S}"/build/${PN}.service
+
+ dotmpfiles files/${PN}-tmpfiles.conf
+
+ doman man/*.{1,5}
+
+ # Use INSTALL_MASK if you do not want to touch /etc/logrotate.d.
+ # See http://thread.gmane.org/gmane.linux.gentoo.devel/35675
+ insinto /etc/logrotate.d
+ newins files/${PN}-logrotate ${PN}
+
+ keepdir /var/lib/${PN}
+
+ newbashcomp files/bash-completion ${PN}-client
+ bashcomp_alias ${PN}-client ${PN}-server ${PN}-regex
+}
+
+pkg_preinst() {
+ has_version "<${CATEGORY}/${PN}-0.7"
+ previous_less_than_0_7=$?
+}
+
+pkg_postinst() {
+ tmpfiles_process ${PN}-tmpfiles.conf
+
+ if [[ ${previous_less_than_0_7} == 0 ]] ; then
+ elog
+ elog "Configuration files are now in /etc/fail2ban/"
+ elog "You probably have to manually update your configuration"
+ elog "files before restarting Fail2Ban!"
+ elog
+ elog "Fail2Ban is not installed under /usr/lib anymore. The"
+ elog "new location is under /usr/share."
+ elog
+ elog "You are upgrading from version 0.6.x, please see:"
+ elog "http://www.fail2ban.org/wiki/index.php/HOWTO_Upgrade_from_0.6_to_0.8"
+ fi
+
+ if ! has_version dev-python/pyinotify ; then
+ elog "For most jail.conf configurations, it is recommended you install"
+ elog "dev-python/pyinotify to control how log file modifications are detected"
+ fi
+
+ if ! has_version dev-lang/python[sqlite] ; then
+ elog "If you want to use ${PN}'s persistent database, then reinstall"
+ elog "dev-lang/python with USE=sqlite. If you do not use the"
+ elog "persistent database feature, then you should set"
+ elog "dbfile = :memory: in fail2ban.conf accordingly."
+ fi
+}
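Review bot: In `pkg_postinst`, `has_version dev-lang/python[sqlite]` passes an unquoted word containing `[...]`, which the shell treats as a glob pattern, so it stays literal only while nothing in the working directory happens to match it. Quoting the atom removes that dependency: `if ! has_version "dev-lang/python[sqlite]" ; then`. Separately, the `${PN}-1.1.0-postfix-ddos.patch` entry added to `PATCHES` widens what the postfix filter matches, so on newer Postfix, hosts that were previously missed will presumably start being banned after this revision. A short `elog` in `pkg_postinst` mentioning this, and `ignoreip` for monitoring hosts that connect to the SMTP port and close, would spare operators a surprise.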
diff --git a/net-analyzer/fail2ban/files/fail2ban-1.1.0-postfix-ddos.patch b/net-analyzer/fail2ban/files/fail2ban-1.1.0-postfix-ddos.patch
new file mode 100644
index 000000000000..efdc463e1fea
--- /dev/null
+++ b/net-analyzer/fail2ban/files/fail2ban-1.1.0-postfix-ddos.patch
@@ -0,0 +1,38 @@
+https://github.com/fail2ban/fail2ban/pull/4072
+https://bugs.gentoo.org/963047
+
+commit 0fee8dbe9241f8d387f064a079668457a0efd33d
+Author: Ulrich Müller <ulm@gentoo.org>
+Date: Thu Sep 18 07:20:38 2025 +0200
+
+ filter.d/postfix.conf: Add optional "NOQUEUE:" to mdpr-ddos
+
+ The current regex doesn't match the following log entry, seen with
+ Postfix 3.10.2:
+
+ Sep 17 18:19:20 mxhost postfix/smtpd[12345]: NOQUEUE: lost connection after CONNECT from unknown[192.0.2.25]
+ Sep 17 18:19:20 mxhost postfix/smtpd[12345]: disconnect from unknown[192.0.2.25] commands=0/0
+
+--- a/config/filter.d/postfix.conf
++++ b/config/filter.d/postfix.conf
+@@ -38,7 +38,7 @@
+
+ # Includes some of the log messages described in
+ # <http://www.postfix.org/POSTSCREEN_README.html>.
+-mdpr-ddos = (?:lost connection after (?!(?:DATA|AUTH)\b)[A-Z]+|disconnect(?= from \S+(?: \S+=\d+)* auth=0/(?:[1-9]|\d\d+))|(?:PREGREET \d+|HANGUP) after \S+|COMMAND (?:TIME|COUNT|LENGTH) LIMIT)
++mdpr-ddos = (?:NOQUEUE: )?(?:lost connection after (?!(?:DATA|AUTH)\b)[A-Z]+|disconnect(?= from \S+(?: \S+=\d+)* auth=0/(?:[1-9]|\d\d+))|(?:PREGREET \d+|HANGUP) after \S+|COMMAND (?:TIME|COUNT|LENGTH) LIMIT)
+ mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?
+
+ mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
+--- a/fail2ban/tests/files/logs/postfix
++++ b/fail2ban/tests/files/logs/postfix
+@@ -187,6 +187,9 @@
+ # failJSON: { "time": "2005-06-08T23:14:54", "match": true , "host": "192.0.2.26", "desc": "abusive clients hitting command limit (gh-3040)" }
+ Jun 8 23:14:54 proxy2 postfix/postscreen[473]: COMMAND COUNT LIMIT from [192.0.2.26]:15592 after RCPT
+
++# failJSON: { "time": "2004-09-17T18:19:20", "match": true , "host": "192.0.2.25" }
++Sep 17 18:19:20 mxhost postfix/smtpd[12345]: NOQUEUE: lost connection after CONNECT from unknown[192.0.2.25]
++
+
+ # filterOptions: [{}, {"mode": "ddos"}, {"mode": "aggressive"}]
+ # failJSON: { "match": false, "desc": "don't affect lawful data (sporadical connection aborts within DATA-phase, see gh-1813 for discussion)" }
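Review bot: The new entry in `fail2ban/tests/files/logs/postfix` pins only the positive case, so nothing checks that the `(?!(?:DATA|AUTH)\b)` exclusion still holds once the `NOQUEUE: ` prefix is present. If Postfix can emit the prefix in that phase, a companion `"match": false` entry for a `NOQUEUE: lost connection after DATA from unknown[192.0.2.25]` line (constructed sample, modelled on the added one) would guard against banning clients that merely abort mid-message. The optional group also sits in front of the whole alternation, so it applies to the `disconnect`, `PREGREET`/`HANGUP` and `COMMAND ... LIMIT` branches too; if only the `lost connection` form carries the prefix, scoping it as `(?:NOQUEUE: )?lost connection after ...` keeps the other branches as tight as before. The added `failJSON` line has no `"desc"`, unlike its neighbours; something like `"desc": "NOQUEUE: prefix before lost connection (gh-4072)"` would record why it exists. How `mdpr-ddos` is anchored within the full filter line is outside this hunk, so the above assumes the prefix is matched at the start of the message.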