diff -Naur a/config/action.d/iptables.conf b/config/action.d/iptables.conf --- a/config/action.d/iptables.conf 2022-11-09 21:46:15.000000000 +0600 +++ b/config/action.d/iptables.conf 2023-10-19 18:28:48.120087718 +0600 @@ -139,12 +139,13 @@ # in iptables 1.4.20, so might be absent on older systems # See https://github.com/fail2ban/fail2ban/issues/1122 # Values: STRING -lockingopt = -w +# lockingopt = -w # Option: iptables # Notes.: Actual command to be executed, including common to all calls options # Values: STRING -iptables = iptables +# iptables = iptables +iptables = iptables [Init?family=inet6] @@ -159,4 +160,5 @@ # Option: iptables (ipv6) # Notes.: Actual command to be executed, including common to all calls options # Values: STRING -iptables = ip6tables +#iptables = ip6tables +iptables = ip6tables diff -Naur a/fail2ban/tests/actiontestcase.py b/fail2ban/tests/actiontestcase.py --- a/fail2ban/tests/actiontestcase.py 2022-11-09 21:46:15.000000000 +0600 +++ b/fail2ban/tests/actiontestcase.py 2023-10-19 18:46:47.308950813 +0600 @@ -92,8 +92,7 @@ ('name', 'any'), ('bantime', '600'), ('ipsetfamily', 'inet'), - ('iptables', 'iptables '), - ('lockingopt', '-w'), + ('iptables', 'iptables'), ('chain', 'INPUT'), ('actiontype', ''), ('multiport', '-p -m multiport --dports -m set --match-set src -j '), 
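Review bot: Commenting out `lockingopt = -w` in the first hunk of config/action.d/iptables.conf takes the xtables lock wait away from the commands built from this file's `iptables` value. When another process holds the lock, an iptables call can then fail at once instead of waiting, and a ban or chain setup may not be applied. The comment kept above the option says the flag arrived in iptables 1.4.20, so if the target is an older iptables, leave the option defined but empty, `lockingopt =`, preferably in a local override rather than the shipped file. A line such as `# -w requires iptables >= 1.4.20; left empty for older systems` would record the reason. As shown here, the `# iptables = iptables` and `#iptables = ip6tables` lines (the latter in the `[Init?family=inet6]` hunk at -159) only duplicate the active line beneath them and could be dropped.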
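Review bot: In fail2ban/tests/actiontestcase.py the hunk at -92, and its counterpart at -102, deletes the `('lockingopt', '-w')` entry and the `-w` in the expected `'iptables'` and `'actionstart'` values. That removes a nested-option case from what looks like an inline substitution fixture. As far as the hunks show, these tuples are literals in the test rather than values read from iptables.conf, so the config change should not require touching them, and keeping the original pairs would preserve that coverage. If they do have to change, a comment such as `# lockingopt dropped to match the patched iptables.conf` above `('iptables', 'iptables'),` would explain why the fixture differs from upstream. Both OrderedDict literals start and end outside the hunks.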
@@ -102,13 +101,12 @@ ('blocktype', 'REJECT',), )) ), OrderedDict(( - ('actionstart', 'ipset create f2b-any hash:ip timeout 600 family inet\niptables -w -I INPUT -p tcp -m multiport --dports ssh -m set --match-set f2b-any src -j REJECT'), + ('actionstart', 'ipset create f2b-any hash:ip timeout 600 family inet\niptables -I INPUT -p tcp -m multiport --dports ssh -m set --match-set f2b-any src -j REJECT'), ('ipmset', 'f2b-any'), ('name', 'any'), ('bantime', '600'), ('ipsetfamily', 'inet'), - ('iptables', 'iptables -w'), - ('lockingopt', '-w'), + ('iptables', 'iptables'), ('chain', 'INPUT'), ('actiontype', '-p tcp -m multiport --dports ssh -m set --match-set f2b-any src -j REJECT'), ('multiport', '-p tcp -m multiport --dports ssh -m set --match-set f2b-any src -j REJECT'), diff -Naur a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py --- a/fail2ban/tests/servertestcase.py 2022-11-09 21:46:15.000000000 +0600 +++ b/fail2ban/tests/servertestcase.py 2023-10-19 18:29:23.349860177 +0600 
@@ -1495,46 +1495,46 @@ r"`done`", ), 'ip4-start': ( - "`{ iptables -w -C f2b-j-w-iptables-mp -j RETURN >/dev/null 2>&1; } || " - "{ iptables -w -N f2b-j-w-iptables-mp || true; iptables -w -A f2b-j-w-iptables-mp -j RETURN; }`", - "`{ iptables -w -C INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp >/dev/null 2>&1; } || " - "{ iptables -w -I INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp; }`", + "`{ iptables -C f2b-j-w-iptables-mp -j RETURN >/dev/null 2>&1; } || " + "{ iptables -N f2b-j-w-iptables-mp || true; iptables -A f2b-j-w-iptables-mp -j RETURN; }`", + "`{ iptables -C INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp >/dev/null 2>&1; } || " + "{ iptables -I INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp; }`", ), 'ip6-start': ( - "`{ ip6tables -w -C f2b-j-w-iptables-mp -j RETURN >/dev/null 2>&1; } || " - "{ ip6tables -w -N f2b-j-w-iptables-mp || true; ip6tables -w -A f2b-j-w-iptables-mp -j RETURN; }`", - "`{ ip6tables -w -C INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp >/dev/null 2>&1; } || ", - "{ ip6tables -w -I INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp; }`", + "`{ ip6tables -C f2b-j-w-iptables-mp -j RETURN >/dev/null 2>&1; } || " + "{ ip6tables -N f2b-j-w-iptables-mp || true; ip6tables -A f2b-j-w-iptables-mp -j RETURN; }`", + "`{ ip6tables -C INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp >/dev/null 2>&1; } || ", + "{ ip6tables -I INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp; }`", ), 'flush': ( - "`iptables -w -F f2b-j-w-iptables-mp`", - "`ip6tables -w -F f2b-j-w-iptables-mp`", + "`iptables -F f2b-j-w-iptables-mp`", + "`ip6tables -F f2b-j-w-iptables-mp`", ), 'stop': ( - "`iptables -w -D INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp`", - "`iptables -w -F f2b-j-w-iptables-mp`", - "`iptables -w -X f2b-j-w-iptables-mp`", - "`ip6tables -w 
-D INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp`", - "`ip6tables -w -F f2b-j-w-iptables-mp`", - "`ip6tables -w -X f2b-j-w-iptables-mp`", + "`iptables -D INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp`", + "`iptables -F f2b-j-w-iptables-mp`", + "`iptables -X f2b-j-w-iptables-mp`", + "`ip6tables -D INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp`", + "`ip6tables -F f2b-j-w-iptables-mp`", + "`ip6tables -X f2b-j-w-iptables-mp`", ), 'ip4-check': ( - r"""`iptables -w -C INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp`""", + r"""`iptables -C INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp`""", ), 'ip6-check': ( - r"""`ip6tables -w -C INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp`""", + r"""`ip6tables -C INPUT -p $proto -m multiport --dports http,https -j f2b-j-w-iptables-mp`""", ), 'ip4-ban': ( - r"`iptables -w -I f2b-j-w-iptables-mp 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`", + r"`iptables -I f2b-j-w-iptables-mp 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`", ), 'ip4-unban': ( - r"`iptables -w -D f2b-j-w-iptables-mp -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`", + r"`iptables -D f2b-j-w-iptables-mp -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`", ), 'ip6-ban': ( - r"`ip6tables -w -I f2b-j-w-iptables-mp 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`", + r"`ip6tables -I f2b-j-w-iptables-mp 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`", ), 'ip6-unban': ( - r"`ip6tables -w -D f2b-j-w-iptables-mp -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`", + r"`ip6tables -D f2b-j-w-iptables-mp -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`", ), }), # iptables-allports -- 
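Review bot: Every expected command string from `'ip4-start'` through `'ip6-unban'` in this hunk is rewritten by hand to drop `-w`, and the hunks at -1546, -1598, -1647, -1695 and -1746 do the same. The suite therefore passes only against the patched default, and none of the expectations visible here still shows a locking option reaching the generated commands. A deployment that restores the option through an override would run without test coverage for it. At minimum add a comment above `'ip4-start': (` such as `# expectations assume no lockingopt (-w) in iptables.conf`, so the divergence is visible to whoever rebases this patch. The enclosing test table begins and ends outside the hunk.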
@@ -1546,46 +1546,46 @@ r"`done`", ), 'ip4-start': ( - "`{ iptables -w -C f2b-j-w-iptables-ap -j RETURN >/dev/null 2>&1; } || " - "{ iptables -w -N f2b-j-w-iptables-ap || true; iptables -w -A f2b-j-w-iptables-ap -j RETURN; }`", - "`{ iptables -w -C INPUT -p $proto -j f2b-j-w-iptables-ap >/dev/null 2>&1; } || ", - "{ iptables -w -I INPUT -p $proto -j f2b-j-w-iptables-ap; }`", + "`{ iptables -C f2b-j-w-iptables-ap -j RETURN >/dev/null 2>&1; } || " + "{ iptables -N f2b-j-w-iptables-ap || true; iptables -A f2b-j-w-iptables-ap -j RETURN; }`", + "`{ iptables -C INPUT -p $proto -j f2b-j-w-iptables-ap >/dev/null 2>&1; } || ", + "{ iptables -I INPUT -p $proto -j f2b-j-w-iptables-ap; }`", ), 'ip6-start': ( - "`{ ip6tables -w -C f2b-j-w-iptables-ap -j RETURN >/dev/null 2>&1; } || " - "{ ip6tables -w -N f2b-j-w-iptables-ap || true; ip6tables -w -A f2b-j-w-iptables-ap -j RETURN; }`", - "`{ ip6tables -w -C INPUT -p $proto -j f2b-j-w-iptables-ap >/dev/null 2>&1; } || ", - "{ ip6tables -w -I INPUT -p $proto -j f2b-j-w-iptables-ap; }`", + "`{ ip6tables -C f2b-j-w-iptables-ap -j RETURN >/dev/null 2>&1; } || " + "{ ip6tables -N f2b-j-w-iptables-ap || true; ip6tables -A f2b-j-w-iptables-ap -j RETURN; }`", + "`{ ip6tables -C INPUT -p $proto -j f2b-j-w-iptables-ap >/dev/null 2>&1; } || ", + "{ ip6tables -I INPUT -p $proto -j f2b-j-w-iptables-ap; }`", ), 'flush': ( - "`iptables -w -F f2b-j-w-iptables-ap`", - "`ip6tables -w -F f2b-j-w-iptables-ap`", + "`iptables -F f2b-j-w-iptables-ap`", + "`ip6tables -F f2b-j-w-iptables-ap`", ), 'stop': ( - "`iptables -w -D INPUT -p $proto -j f2b-j-w-iptables-ap`", - "`iptables -w -F f2b-j-w-iptables-ap`", - "`iptables -w -X f2b-j-w-iptables-ap`", - "`ip6tables -w -D INPUT -p $proto -j f2b-j-w-iptables-ap`", - "`ip6tables -w -F f2b-j-w-iptables-ap`", - "`ip6tables -w -X f2b-j-w-iptables-ap`", + "`iptables -D INPUT -p $proto -j f2b-j-w-iptables-ap`", + "`iptables -F f2b-j-w-iptables-ap`", + "`iptables -X f2b-j-w-iptables-ap`", + "`ip6tables -D INPUT -p 
$proto -j f2b-j-w-iptables-ap`", + "`ip6tables -F f2b-j-w-iptables-ap`", + "`ip6tables -X f2b-j-w-iptables-ap`", ), 'ip4-check': ( - r"""`iptables -w -C INPUT -p $proto -j f2b-j-w-iptables-ap`""", + r"""`iptables -C INPUT -p $proto -j f2b-j-w-iptables-ap`""", ), 'ip6-check': ( - r"""`ip6tables -w -C INPUT -p $proto -j f2b-j-w-iptables-ap`""", + r"""`ip6tables -C INPUT -p $proto -j f2b-j-w-iptables-ap`""", ), 'ip4-ban': ( - r"`iptables -w -I f2b-j-w-iptables-ap 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`", + r"`iptables -I f2b-j-w-iptables-ap 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`", ), 'ip4-unban': ( - r"`iptables -w -D f2b-j-w-iptables-ap -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`", + r"`iptables -D f2b-j-w-iptables-ap -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`", ), 'ip6-ban': ( - r"`ip6tables -w -I f2b-j-w-iptables-ap 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`", + r"`ip6tables -I f2b-j-w-iptables-ap 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`", ), 'ip6-unban': ( - r"`ip6tables -w -D f2b-j-w-iptables-ap -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`", + r"`ip6tables -D f2b-j-w-iptables-ap -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`", ), }), # iptables-ipset-proto6 -- 
@@ -1598,31 +1598,31 @@ ), 'ip4-start': ( "`ipset -exist create f2b-j-w-iptables-ipset hash:ip timeout 0 `", - "`{ iptables -w -C INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable >/dev/null 2>&1; } || " - "{ iptables -w -I INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable; }`", + "`{ iptables -C INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable >/dev/null 2>&1; } || " + "{ iptables -I INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable; }`", ), 'ip6-start': ( "`ipset -exist create f2b-j-w-iptables-ipset6 hash:ip timeout 0 family inet6`", - "`{ ip6tables -w -C INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable >/dev/null 2>&1; } || " - "{ ip6tables -w -I INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable; }`", + "`{ ip6tables -C INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable >/dev/null 2>&1; } || " + "{ ip6tables -I INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable; }`", ), 'flush': ( "`ipset flush f2b-j-w-iptables-ipset`", "`ipset flush f2b-j-w-iptables-ipset6`", ), 'stop': ( - "`iptables -w -D INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable`", + "`iptables -D INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable`", "`ipset 
flush f2b-j-w-iptables-ipset`", "`ipset destroy f2b-j-w-iptables-ipset`", - "`ip6tables -w -D INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`", + "`ip6tables -D INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`", "`ipset flush f2b-j-w-iptables-ipset6`", "`ipset destroy f2b-j-w-iptables-ipset6`", ), 'ip4-check': ( - r"""`iptables -w -C INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable`""", + r"""`iptables -C INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable`""", ), 'ip6-check': ( - r"""`ip6tables -w -C INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`""", + r"""`ip6tables -C INPUT -p $proto -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`""", ), 'ip4-ban': ( r"`ipset -exist add f2b-j-w-iptables-ipset 192.0.2.1 timeout 0`", 
@@ -1647,31 +1647,31 @@ ), 'ip4-start': ( "`ipset -exist create f2b-j-w-iptables-ipset-ap hash:ip timeout 0 `", - "`{ iptables -w -C INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable >/dev/null 2>&1; } || " - "{ iptables -w -I INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable; }", + "`{ iptables -C INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable >/dev/null 2>&1; } || " + "{ iptables -I INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable; }", ), 'ip6-start': ( "`ipset -exist create f2b-j-w-iptables-ipset-ap6 hash:ip timeout 0 family inet6`", - "`{ ip6tables -w -C INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable >/dev/null 2>&1; } || " - "{ ip6tables -w -I INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable; }", + "`{ ip6tables -C INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable >/dev/null 2>&1; } || " + "{ ip6tables -I INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable; }", ), 'flush': ( "`ipset flush f2b-j-w-iptables-ipset-ap`", "`ipset flush f2b-j-w-iptables-ipset-ap6`", ), 'stop': ( - "`iptables -w -D INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`", + "`iptables -D INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`", "`ipset flush f2b-j-w-iptables-ipset-ap`", "`ipset destroy f2b-j-w-iptables-ipset-ap`", - "`ip6tables -w -D INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`", + "`ip6tables -D 
INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`", "`ipset flush f2b-j-w-iptables-ipset-ap6`", "`ipset destroy f2b-j-w-iptables-ipset-ap6`", ), 'ip4-check': ( - r"""`iptables -w -C INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`""", + r"""`iptables -C INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`""", ), 'ip6-check': ( - r"""`ip6tables -w -C INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`""", + r"""`ip6tables -C INPUT -p $proto -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`""", ), 'ip4-ban': ( r"`ipset -exist add f2b-j-w-iptables-ipset-ap 192.0.2.1 timeout 0`", 
@@ -1695,46 +1695,46 @@ "`done`", ), 'ip4-start': ( - "`{ iptables -w -C f2b-j-w-iptables -j RETURN >/dev/null 2>&1; } || " - "{ iptables -w -N f2b-j-w-iptables || true; iptables -w -A f2b-j-w-iptables -j RETURN; }", - "`{ iptables -w -C INPUT -p $proto --dport http -j f2b-j-w-iptables >/dev/null 2>&1; } || " - "{ iptables -w -I INPUT -p $proto --dport http -j f2b-j-w-iptables; }`", + "`{ iptables -C f2b-j-w-iptables -j RETURN >/dev/null 2>&1; } || " + "{ iptables -N f2b-j-w-iptables || true; iptables -A f2b-j-w-iptables -j RETURN; }", + "`{ iptables -C INPUT -p $proto --dport http -j f2b-j-w-iptables >/dev/null 2>&1; } || " + "{ iptables -I INPUT -p $proto --dport http -j f2b-j-w-iptables; }`", ), 'ip6-start': ( - "`{ ip6tables -w -C f2b-j-w-iptables -j RETURN >/dev/null 2>&1; } || " - "{ ip6tables -w -N f2b-j-w-iptables || true; ip6tables -w -A f2b-j-w-iptables -j RETURN; }", - "`{ ip6tables -w -C INPUT -p $proto --dport http -j f2b-j-w-iptables >/dev/null 2>&1; } || " - "{ ip6tables -w -I INPUT -p $proto --dport http -j f2b-j-w-iptables; }`", + "`{ ip6tables -C f2b-j-w-iptables -j RETURN >/dev/null 2>&1; } || " + "{ ip6tables -N f2b-j-w-iptables || true; ip6tables -A f2b-j-w-iptables -j RETURN; }", + "`{ ip6tables -C INPUT -p $proto --dport http -j f2b-j-w-iptables >/dev/null 2>&1; } || " + "{ ip6tables -I INPUT -p $proto --dport http -j f2b-j-w-iptables; }`", ), 'flush': ( - "`iptables -w -F f2b-j-w-iptables`", - "`ip6tables -w -F f2b-j-w-iptables`", + "`iptables -F f2b-j-w-iptables`", + "`ip6tables -F f2b-j-w-iptables`", ), 'stop': ( - "`iptables -w -D INPUT -p $proto --dport http -j f2b-j-w-iptables`", - "`iptables -w -F f2b-j-w-iptables`", - "`iptables -w -X f2b-j-w-iptables`", - "`ip6tables -w -D INPUT -p $proto --dport http -j f2b-j-w-iptables`", - "`ip6tables -w -F f2b-j-w-iptables`", - "`ip6tables -w -X f2b-j-w-iptables`", + "`iptables -D INPUT -p $proto --dport http -j f2b-j-w-iptables`", + "`iptables -F f2b-j-w-iptables`", + "`iptables -X 
f2b-j-w-iptables`", + "`ip6tables -D INPUT -p $proto --dport http -j f2b-j-w-iptables`", + "`ip6tables -F f2b-j-w-iptables`", + "`ip6tables -X f2b-j-w-iptables`", ), 'ip4-check': ( - r"""`iptables -w -C INPUT -p $proto --dport http -j f2b-j-w-iptables`""", + r"""`iptables -C INPUT -p $proto --dport http -j f2b-j-w-iptables`""", ), 'ip6-check': ( - r"""`ip6tables -w -C INPUT -p $proto --dport http -j f2b-j-w-iptables`""", + r"""`ip6tables -C INPUT -p $proto --dport http -j f2b-j-w-iptables`""", ), 'ip4-ban': ( - r"`iptables -w -I f2b-j-w-iptables 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`", + r"`iptables -I f2b-j-w-iptables 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`", ), 'ip4-unban': ( - r"`iptables -w -D f2b-j-w-iptables -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`", + r"`iptables -D f2b-j-w-iptables -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`", ), 'ip6-ban': ( - r"`ip6tables -w -I f2b-j-w-iptables 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`", + r"`ip6tables -I f2b-j-w-iptables 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`", ), 'ip6-unban': ( - r"`ip6tables -w -D f2b-j-w-iptables -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`", + r"`ip6tables -D f2b-j-w-iptables -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`", ), }), # iptables-new -- 
@@ -1746,72 +1746,72 @@ "`done`", ), 'ip4-start': ( - "`{ iptables -w -C f2b-j-w-iptables-new -j RETURN >/dev/null 2>&1; } || " - "{ iptables -w -N f2b-j-w-iptables-new || true; iptables -w -A f2b-j-w-iptables-new -j RETURN; }`", - "`{ iptables -w -C INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new >/dev/null 2>&1; } || " - "{ iptables -w -I INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new; }`", + "`{ iptables -C f2b-j-w-iptables-new -j RETURN >/dev/null 2>&1; } || " + "{ iptables -N f2b-j-w-iptables-new || true; iptables -A f2b-j-w-iptables-new -j RETURN; }`", + "`{ iptables -C INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new >/dev/null 2>&1; } || " + "{ iptables -I INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new; }`", ), 'ip6-start': ( - "`{ ip6tables -w -C f2b-j-w-iptables-new -j RETURN >/dev/null 2>&1; } || " - "{ ip6tables -w -N f2b-j-w-iptables-new || true; ip6tables -w -A f2b-j-w-iptables-new -j RETURN; }`", - "`{ ip6tables -w -C INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new >/dev/null 2>&1; } || " - "{ ip6tables -w -I INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new; }`", + "`{ ip6tables -C f2b-j-w-iptables-new -j RETURN >/dev/null 2>&1; } || " + "{ ip6tables -N f2b-j-w-iptables-new || true; ip6tables -A f2b-j-w-iptables-new -j RETURN; }`", + "`{ ip6tables -C INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new >/dev/null 2>&1; } || " + "{ ip6tables -I INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new; }`", ), 'flush': ( - "`iptables -w -F f2b-j-w-iptables-new`", - "`ip6tables -w -F f2b-j-w-iptables-new`", + "`iptables -F f2b-j-w-iptables-new`", + "`ip6tables -F f2b-j-w-iptables-new`", ), 'stop': ( - "`iptables -w -D INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new`", - "`iptables -w -F f2b-j-w-iptables-new`", - "`iptables -w -X 
f2b-j-w-iptables-new`", - "`ip6tables -w -D INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new`", - "`ip6tables -w -F f2b-j-w-iptables-new`", - "`ip6tables -w -X f2b-j-w-iptables-new`", + "`iptables -D INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new`", + "`iptables -F f2b-j-w-iptables-new`", + "`iptables -X f2b-j-w-iptables-new`", + "`ip6tables -D INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new`", + "`ip6tables -F f2b-j-w-iptables-new`", + "`ip6tables -X f2b-j-w-iptables-new`", ), 'ip4-check': ( - r"""`iptables -w -C INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new`""", + r"""`iptables -C INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new`""", ), 'ip6-check': ( - r"""`ip6tables -w -C INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new`""", + r"""`ip6tables -C INPUT -m state --state NEW -p $proto --dport http -j f2b-j-w-iptables-new`""", ), 'ip4-ban': ( - r"`iptables -w -I f2b-j-w-iptables-new 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`", + r"`iptables -I f2b-j-w-iptables-new 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`", ), 'ip4-unban': ( - r"`iptables -w -D f2b-j-w-iptables-new -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`", + r"`iptables -D f2b-j-w-iptables-new -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`", ), 'ip6-ban': ( - r"`ip6tables -w -I f2b-j-w-iptables-new 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`", + r"`ip6tables -I f2b-j-w-iptables-new 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`", ), 'ip6-unban': ( - r"`ip6tables -w -D f2b-j-w-iptables-new -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`", + r"`ip6tables -D f2b-j-w-iptables-new -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`", ), }), # iptables-xt_recent-echo -- ('j-w-iptables-xtre', 'iptables-xt_recent-echo[name=%(__name__)s, 
bantime="10m", chain=""]', { 'ip4': ('`iptables ', '/f2b-j-w-iptables-xtre`'), 'ip6': ('`ip6tables ', '/f2b-j-w-iptables-xtre6`'), 'ip4-start': ( - "`{ iptables -w -C INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre -j REJECT --reject-with icmp-port-unreachable >/dev/null 2>&1; } || { iptables -w -I INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre -j REJECT --reject-with icmp-port-unreachable; }`", + "`{ iptables -C INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre -j REJECT --reject-with icmp-port-unreachable >/dev/null 2>&1; } || { iptables -I INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre -j REJECT --reject-with icmp-port-unreachable; }`", ), 'ip6-start': ( - "`{ ip6tables -w -C INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT --reject-with icmp6-port-unreachable >/dev/null 2>&1; } || { ip6tables -w -I INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT --reject-with icmp6-port-unreachable; }`", + "`{ ip6tables -C INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT --reject-with icmp6-port-unreachable >/dev/null 2>&1; } || { ip6tables -I INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT --reject-with icmp6-port-unreachable; }`", ), 'stop': ( "`echo / > /proc/net/xt_recent/f2b-j-w-iptables-xtre`", "`if [ `id -u` -eq 0 ];then`", - "`iptables -w -D INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre -j REJECT --reject-with icmp-port-unreachable;`", + "`iptables -D INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre -j REJECT --reject-with icmp-port-unreachable;`", "`fi`", "`echo / > /proc/net/xt_recent/f2b-j-w-iptables-xtre6`", "`if [ `id -u` -eq 0 ];then`", - "`ip6tables -w -D INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT --reject-with icmp6-port-unreachable;`", + "`ip6tables -D INPUT -m recent --update 
--seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT --reject-with icmp6-port-unreachable;`", "`fi`", ), 'ip4-check': ( - r"`{ iptables -w -C INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre -j REJECT --reject-with icmp-port-unreachable; } && test -e /proc/net/xt_recent/f2b-j-w-iptables-xtre`", + r"`{ iptables -C INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre -j REJECT --reject-with icmp-port-unreachable; } && test -e /proc/net/xt_recent/f2b-j-w-iptables-xtre`", ), 'ip6-check': ( - r"`{ ip6tables -w -C INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT --reject-with icmp6-port-unreachable; } && test -e /proc/net/xt_recent/f2b-j-w-iptables-xtre6`", + r"`{ ip6tables -C INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT --reject-with icmp6-port-unreachable; } && test -e /proc/net/xt_recent/f2b-j-w-iptables-xtre6`", ), 'ip4-ban': ( r"`echo +192.0.2.1 > /proc/net/xt_recent/f2b-j-w-iptables-xtre`",