diff --git a/manifests/jail.pp b/manifests/jail.pp
index 68512b9..9837817 100644
--- a/manifests/jail.pp
+++ b/manifests/jail.pp
@@ -15,6 +15,7 @@
 # Defaults to true
 # $filter - The filter rule to use.
 # If empty, defaults to == $jailname.
+# $ignoreip - Don't ban a host which matches an address in this list.
 # $port - The port to filter. It can be an array of ports.
 # $logpath - The log file to monitor
 # $maxretry - How many fails are acceptable
@@ -29,6 +30,7 @@ define fail2ban::jail (
   $order = '',
   $status = '',
   $filter = '',
+  $ignoreip = '',
   $port = '',
   $action = '',
   $logpath = '',
@@ -62,6 +64,14 @@ define fail2ban::jail (
     default => $filter,
   }
 
+  $array_ignoreip = is_array($ignoreip) ? {
+    false => $ignoreip ? {
+      '' => [],
+      default => [$ignoreip],
+    },
+    default => $ignoreip,
+  }
+
   $array_port = is_array($port) ? {
     false => $port ? {
       '' => [],
diff --git a/spec/defines/fail2ban_jail_spec.rb b/spec/defines/fail2ban_jail_spec.rb
index cfb1884..4824155 100644
--- a/spec/defines/fail2ban_jail_spec.rb
+++ b/spec/defines/fail2ban_jail_spec.rb
@@ -39,6 +39,7 @@ filter = fail2ban::jail
       :port => ['42', '43'],
       :logpath => '/path/to/somelog',
       :enable => true,
+      :ignoreip => [ '10.3.2.0/24', '192.168.56.0/24' ],
       :findtime => '9000',
       :maxretry => '5',
       :bantime => '3600',
@@ -53,6 +54,7 @@ filter = fail2ban::jail
 [fail2ban::jail]
 enabled = true
 filter = fail2ban::jail
+ignoreip = 10.3.2.0/24 192.168.56.0/24
 port = 42,43
 action = iptables[name=SSH, port=ssh, protocol=tcp]
          mail-whois[name=SSH, dest=yourmail@mail.com]
diff --git a/templates/concat/jail.local-stanza.erb b/templates/concat/jail.local-stanza.erb
index 381b808..2849cc5 100644
--- a/templates/concat/jail.local-stanza.erb
+++ b/templates/concat/jail.local-stanza.erb
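Review bot: The new `$ignoreip` comment leaves out the two things a caller needs: the accepted shape (a single string or an array of strings, which is what the selector added further down in this file normalises) and the entry format, which fail2ban reads as an IP, a CIDR range or a host name. Suggested wording: `# $ignoreip - Addresses fail2ban must never ban for this jail, as IPs, CIDR ranges or host names (fail2ban ignoreip syntax). A string or an array of strings; the default '' emits no ignoreip line.` Because every host matching an entry is exempt from banning for this jail, the comment could also advise keeping the list to the hosts that genuinely need it.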
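Review bot: `$array_ignoreip` is normalised but never validated, and each element later reaches jail.local verbatim (the template hunk joins the array with spaces), so an element carrying a space or a newline would add extra tokens, or a further directive, to the stanza instead of failing in Puppet. With stdlib already in use here (`is_array`), one check after the selector keeps such values out of the generated file: `validate_re(join($array_ignoreip, ','), '\A([A-Za-z0-9.:/_-]+(,[A-Za-z0-9.:/_-]+)*)?\z', "fail2ban::jail ${name}: ignoreip entries must be IPs, CIDR ranges or host names")`. `\A`/`\z` rather than `^`/`$` matter here because Ruby's `^`/`$` are per-line anchors and a newline inside an entry would otherwise still pass. The same concern applies to the `ignoreip` line added in the template hunk; the body of `fail2ban::jail` continues outside this hunk.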
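Review bot: The spec exercises only the array form of `:ignoreip`; the scalar branch of the new selector (`'' => []` and `default => [$ignoreip]`) and the default case with no `ignoreip` line when the parameter is omitted are untested, so a regression in that normalisation would go unnoticed. A second example passing `:ignoreip => '10.3.2.0/24'` and expecting `ignoreip = 10.3.2.0/24`, plus one asserting the stanza contains no `ignoreip` line when the parameter is left out, would cover it. The heredoc holding the expected stanza starts outside this hunk.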
@@ -4,6 +4,9 @@ enabled = <%= @real_status %>
 <% if @real_filter != '' -%>
 filter = <%= @real_filter %>
 <% end -%>
+<% if @array_ignoreip != [] -%>
+ignoreip = <%= @array_ignoreip * ' ' %>
+<% end -%>
 <% if @array_port != [] -%>
 port = <%= @array_port * ',' %>
 <% end -%>
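Review bot: `<%= @array_ignoreip * ' ' %>` relies on Ruby's `Array#*` with a String argument, an alias for `join` that reads as multiplication to anyone not already familiar with it; `<%= @array_ignoreip.join(' ') %>` says the same thing plainly. It does match the existing `@array_port * ','` two lines below, so if the file's convention is kept, a one-line comment such as `<%# Array * String joins the entries with that separator %>` above the first use would spare the next reader the lookup. Note that whatever the elements contain is written to the stanza as-is; any restriction on their content has to happen in the manifest that builds `@array_ignoreip`.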