Hello community,
here is the log from the commit of package tallow for openSUSE:Factory checked in at 2019-11-07 23:15:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tallow (Old)
and /work/SRC/openSUSE:Factory/.tallow.new.2990 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tallow"
Thu Nov 7 23:15:15 2019 rev:5 rq:745515 version:19+git20191104.5dfb982
Changes:
--------
--- /work/SRC/openSUSE:Factory/tallow/tallow.changes 2019-08-19 20:58:43.096956631 +0200
+++ /work/SRC/openSUSE:Factory/.tallow.new.2990/tallow.changes 2019-11-07 23:15:18.492454712 +0100
@@ -1,0 +2,20 @@
+Tue Nov 05 14:41:02 UTC 2019 - kukuk@suse.de
+
+- Update to version 19+git20191104.5dfb982:
+ * v19
+ * Fixed signedness.
+
+-------------------------------------------------------------------
+Tue Oct 29 10:41:22 UTC 2019 - kukuk@suse.de
+
+- Update to version 18+git20191028.83201e8:
+ * v18
+ * Hide unwanted firewalld-cmd error messages.
+ * v17
+ * Add firewalld support
+ * Fix command order in tallow.conf man page
+ * Add json-c to travis.
+ * make older compilers a bit happier
+ * add dovecot as postfix auth backend parsing
+
+-------------------------------------------------------------------
Old:
----
tallow-16+git20190425.e4b3977.tar.xz
New:
----
tallow-19+git20191104.5dfb982.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ tallow.spec ++++++
--- /var/tmp/diff_new_pack.3mT2jf/_old 2019-11-07 23:15:19.172455457 +0100
+++ /var/tmp/diff_new_pack.3mT2jf/_new 2019-11-07 23:15:19.180455465 +0100
@@ -17,7 +17,7 @@
Name: tallow
-Version: 16+git20190425.e4b3977
+Version: 19+git20191104.5dfb982
Release: 0
Summary: Temporary IP address ban issuance daemon
License: GPL-3.0-or-later
++++++ _service ++++++
--- /var/tmp/diff_new_pack.3mT2jf/_old 2019-11-07 23:15:19.228455518 +0100
+++ /var/tmp/diff_new_pack.3mT2jf/_new 2019-11-07 23:15:19.232455523 +0100
@@ -1,7 +1,7 @@
<services>
<service name="tar_scm" mode="disabled">
- <param name="version">4</param>
- <param name="versionformat">16+git%cd.%h</param>
+ <param name="version">18</param>
+ <param name="versionformat">19+git%cd.%h</param>
<param name="url">git://github.com/clearlinux/tallow.git</param>
<param name="scm">git</param>
<param name="changesgenerate">enable</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.3mT2jf/_old 2019-11-07 23:15:19.252455545 +0100
+++ /var/tmp/diff_new_pack.3mT2jf/_new 2019-11-07 23:15:19.256455549 +0100
@@ -1,6 +1,6 @@
<servicedata>
<service name="tar_scm">
<param name="url">git://github.com/clearlinux/tallow.git</param>
- <param name="changesrevision">e4b39777048b1ccfc815189fdb51019c5e8de903</param>
+ <param name="changesrevision">5dfb9821e328920b871f205285e9040ea20ad63d</param>
</service>
</servicedata>
\ No newline at end of file
++++++ tallow-16+git20190425.e4b3977.tar.xz -> tallow-19+git20191104.5dfb982.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tallow-16+git20190425.e4b3977/.travis.yml new/tallow-19+git20191104.5dfb982/.travis.yml
--- old/tallow-16+git20190425.e4b3977/.travis.yml 2019-04-25 22:23:03.000000000 +0200
+++ new/tallow-19+git20191104.5dfb982/.travis.yml 2019-11-04 23:18:38.000000000 +0100
@@ -16,6 +16,7 @@
- valgrind
- autoconf
- automake
+ - libjson-c-dev
script:
- ./configure && make && make distcheck
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tallow-16+git20190425.e4b3977/README.md new/tallow-19+git20191104.5dfb982/README.md
--- old/tallow-16+git20190425.e4b3977/README.md 2019-04-25 22:23:03.000000000 +0200
+++ new/tallow-19+git20191104.5dfb982/README.md 2019-11-04 23:18:38.000000000 +0100
@@ -16,7 +16,9 @@
/usr/sbin/sshd. The messages are matched against rules and the IP
address is extracted from the message. For each IP address that is
extracted, the last timestamp and count is kept. Once the count exceeds
-a threshold, iptables is executed to set a IP-based blocking rule.
+a threshold, the offending IP address is added to an ipset and blocked
+with a corresponding firewall rule. It will use firewalld or
+iptables / ip6tables.
The timestamp is kept for pruning. Records are pruned from the list
if the IP address hasn't been seen by tallow for longer than the
@@ -66,4 +68,4 @@
Be very careful if you deploy tallow on systems that expect valid
users to log on from many random source addresses. If your user
-mistypes their username, they could find themselves denied access.
+mistypes their username, they could find themselves denied access.
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tallow-16+git20190425.e4b3977/configure.ac new/tallow-19+git20191104.5dfb982/configure.ac
--- old/tallow-16+git20190425.e4b3977/configure.ac 2019-04-25 22:23:03.000000000 +0200
+++ new/tallow-19+git20191104.5dfb982/configure.ac 2019-11-04 23:18:38.000000000 +0100
@@ -2,7 +2,7 @@
# Process this file with autoconf to produce a configure script.
AC_PREREQ([2.64])
-AC_INIT([tallow], [16], [auke-jan.h.kok@intel.com])
+AC_INIT([tallow], [19], [auke-jan.h.kok@intel.com])
AM_INIT_AUTOMAKE([foreign -Wall -Werror -Wno-portability silent-rules subdir-objects color-tests
no-dist-gzip dist-xz])
AC_CONFIG_FILES([Makefile])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tallow-16+git20190425.e4b3977/data/dovecot.json new/tallow-19+git20191104.5dfb982/data/dovecot.json
--- old/tallow-16+git20190425.e4b3977/data/dovecot.json 1970-01-01 01:00:00.000000000 +0100
+++ new/tallow-19+git20191104.5dfb982/data/dovecot.json 2019-11-04 23:18:38.000000000 +0100
@@ -0,0 +1,12 @@
+[
+ {
+ "filter": "SYSLOG_IDENTIFIER=auth",
+ "items": [
+ {
+ "ban": 50,
+ "score": 0.6,
+ "pattern": "MESSAGE=pam_unix[(]dovecot:auth[)]: authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=.*@.* rhost=([0-9a-z:.]+)"
+ }
+ ]
+ }
+]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tallow-16+git20190425.e4b3977/man/tallow.conf.5 new/tallow-19+git20191104.5dfb982/man/tallow.conf.5
--- old/tallow-16+git20190425.e4b3977/man/tallow.conf.5 2019-04-25 22:23:03.000000000 +0200
+++ new/tallow-19+git20191104.5dfb982/man/tallow.conf.5 2019-11-04 23:18:38.000000000 +0100
@@ -1,7 +1,7 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
-.TH "TALLOW" "5" "February 2019" "" ""
+.TH "TALLOW" "5" "October 2019" "" ""
.
.SH "NAME"
\fBtallow\fR
@@ -19,7 +19,7 @@
This file is read on startup by the tallow(1) daemon, and can be used to provide options to the tallow daemon\. If not present, tallow will operate with built\-in defaults\.
.
.SH "OPTIONS"
-\fBipt_path\fR=\fB<string>\fR Specifies the location of the ipset(1), iptables(1) or ip6tables(1) program\. By default, tallow will look in "/usr/sbin" for them\.
+\fBipt_path\fR=\fB<string>\fR Specifies the location of the ipset(1) program and iptables(1), ip6tables(1), or firewall\-cmd(1) programs\. By default, tallow will look in "/usr/sbin" for them\.
.
.P
\fBexpires\fR=\fB<int>\fR The number of seconds that IP addresses are blocked for\. Note that due to the implementation, IP addresses may be blocked for much longer than this period\. If IP addresses are seen, but not blocked within this period, they are also removed from the watch list\. Defaults to 3600s\.
@@ -34,17 +34,37 @@
\fBipv6\fR=\fB<0|1>\fR Enable or disable ipv6 (ip6tables) support\. Ipv6 is disabled automatically on systems that do not appear to have ipv6 support and enabled when ipv6 is present\. Use this option to explicitly disable ipv6 support if your system does not have ipv6 or is missing ip6tables\. Even with ipv6 disabled, tallow will track and log ipv6 addresses\.
.
.P
-\fBnocreate\fR=\fB<0|1>\fR Disable the creation of iptables rules and ipset sets\. By default, tallow will create new iptables(1) and ip6tables(1) rules when needed automatically\. If set to \fB1\fR, \fBtallow(1)\fR will not create any new iptables rules or ipset sets to work\. You should create them manually before tallow starts up and remove them afterwards\. To create them manually, you can use the following commands:
+\fBnocreate\fR=\fB<0|1>\fR Disable the creation of firewall rules and ipset sets\. By default, tallow will create new firewall\-cmd(1) or iptables(1) and ip6tables(1) rules when needed automatically\. If set to \fB1\fR, \fBtallow(1)\fR will not create any new firewall DROP rules or ipset sets that are needed work\. You should create them manually before tallow starts up and remove them afterwards using the sets of commands below\.
+.
+.P
+Use the following commands if you\'re using iptables(1):
.
.IP "" 4
.
.nf
- iptables \-t filter \-I INPUT 1 \-m set \-\-match\-set tallow src \-j DROP
ipset create tallow hash:ip family inet timeout 3600
+ iptables \-t filter \-I INPUT 1 \-m set \-\-match\-set tallow src \-j DROP
- ip6tables \-t filter \-I INPUT 1 \-m set \-\-match\-set tallow6 src \-j DROP
ipset create tallow6 hash:ip family inet6 timeout 3600
+ ip6tables \-t filter \-I INPUT 1 \-m set \-\-match\-set tallow6 src \-j DROP
+.
+.fi
+.
+.IP "" 0
+.
+.P
+Use the following commands if you\'re using firewalld(1):
+.
+.IP "" 4
+.
+.nf
+
+ firewall\-cmd \-\-permanent \-\-new\-ipset=tallow \-\-type=hash:ip \-\-family=inet \-\-option=timeout=3600
+ firewall\-cmd \-\-permanent \-\-direct \-\-add\-rule ipv4 filter INPUT 1 \-m set \-\-match\-set tallow src \-j DROP
+
+ firewall\-cmd \-\-permanent \-\-new\-ipset=tallow6 \-\-type=hash:ip \-\-family=inet6 \-\-option=timeout=3600
+ firewall\-cmd \-\-permanent \-\-direct \-\-add\-rule ipv6 filter INPUT 1 \-m set \-\-match\-set tallow6 src \-j DROP
.
.fi
.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tallow-16+git20190425.e4b3977/man/tallow.conf.5.md new/tallow-19+git20191104.5dfb982/man/tallow.conf.5.md
--- old/tallow-16+git20190425.e4b3977/man/tallow.conf.5.md 2019-04-25 22:23:03.000000000 +0200
+++ new/tallow-19+git20191104.5dfb982/man/tallow.conf.5.md 2019-11-04 23:18:38.000000000 +0100
@@ -20,8 +20,9 @@
## OPTIONS
`ipt_path`=`<string>`
-Specifies the location of the ipset(1), iptables(1) or ip6tables(1)
-program. By default, tallow will look in "/usr/sbin" for them.
+Specifies the location of the ipset(1) program and iptables(1),
+ip6tables(1), or firewall-cmd(1) programs. By default, tallow will
+look in "/usr/sbin" for them.
`expires`=`<int>`
The number of seconds that IP addresses are blocked for. Note that
@@ -52,20 +53,32 @@
missing ip6tables. Even with ipv6 disabled, tallow will track
and log ipv6 addresses.
-`nocreate`=`<0|1>`
-Disable the creation of iptables rules and ipset sets. By default,
-tallow will create new iptables(1) and ip6tables(1) rules when needed
-automatically. If set to `1`, `tallow(1)` will not create any new
-iptables rules or ipset sets to work. You should create them manually
-before tallow starts up and remove them afterwards. To create them
-manually, you can use the following commands:
+`nocreate`=`<0|1>` Disable the creation of firewall rules and ipset sets. By
+default, tallow will create new firewall-cmd(1) or iptables(1) and ip6tables(1)
+rules when needed automatically. If set to `1`, `tallow(1)` will not create any
+new firewall DROP rules or ipset sets that are needed work. You should create
+them manually before tallow starts up and remove them afterwards using the sets
+of commands below.
+
+Use the following commands if you're using iptables(1):
```
- iptables -t filter -I INPUT 1 -m set --match-set tallow src -j DROP
ipset create tallow hash:ip family inet timeout 3600
+ iptables -t filter -I INPUT 1 -m set --match-set tallow src -j DROP
- ip6tables -t filter -I INPUT 1 -m set --match-set tallow6 src -j DROP
ipset create tallow6 hash:ip family inet6 timeout 3600
+ ip6tables -t filter -I INPUT 1 -m set --match-set tallow6 src -j DROP
+ ```
+
+Use the following commands if you're using firewalld(1):
+
+```
+ firewall-cmd --permanent --new-ipset=tallow --type=hash:ip --family=inet --option=timeout=3600
+ firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m set --match-set tallow src -j DROP
+
+ firewall-cmd --permanent --new-ipset=tallow6 --type=hash:ip --family=inet6 --option=timeout=3600
+ firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 1 -m set --match-set tallow6 src -j DROP
+
```
## SEE ALSO
@@ -75,4 +88,3 @@
## AUTHOR
Auke Kok