fail2ban: enable network bans (#2818)

CHANGELOG.md

@@ -6,6 +6,10 @@ All notable changes to this project will be documented in this file. The format
 
 > **Note**: Changes and additions listed here are contained in the `:edge` image tag. These changes may not be as stable as released changes.
 
+### Added
+
+- **scripts**: fail2ban - enable network bans ([#2818](https://github.com/docker-mailserver/docker-mailserver/pull/2818))
+
 ### Fixed
 
 - **scripts**: Run `user-patches.sh` right before starting daemons ([#2817](https://github.com/docker-mailserver/docker-mailserver/pull/2817))

Dockerfile

@@ -19,13 +19,14 @@ SHELL ["/bin/bash", "-e", "-o", "pipefail", "-c"]
 # --- Install Basic Software --------------------
 # -----------------------------------------------
 
-COPY target/scripts/build/* /build/
-COPY target/scripts/helpers/log.sh /usr/local/bin/helpers/log.sh
-RUN /bin/bash /build/packages.sh
-
 COPY target/bin/sedfile /usr/local/bin/sedfile
 RUN chmod +x /usr/local/bin/sedfile
 
+COPY target/scripts/build/* /build/
+COPY target/scripts/helpers/log.sh /usr/local/bin/helpers/log.sh
+
+RUN /bin/bash /build/packages.sh
+
 # -----------------------------------------------
 # --- ClamAV & FeshClam -------------------------
 # -----------------------------------------------

target/scripts/build/packages.sh

@@ -146,6 +146,11 @@ function _install_fail2ban
 
   dpkg -i fail2ban.deb 2>&1
   rm fail2ban.deb fail2ban.deb.asc
+
+  _log 'debug' 'Patching Fail2ban to enable network bans'
+  # Enable network bans
+  # https://github.com/docker-mailserver/docker-mailserver/issues/2669
+  sedfile -i -r 's/^_nft_add_set = .+/_nft_add_set = <nftables> add set <table_family> <table> <addr_set> \\{ type <addr_type>\\; flags interval\\; \\}/' /etc/fail2ban/action.d/nftables.conf
 }
 
 function _post_installation_steps

test/mail_fail2ban.bats

@@ -118,6 +118,7 @@ function teardown_file() {
 }
 
 @test "checking fail2ban ban" {
+  # Ban single IP address
   run docker exec mail_fail2ban fail2ban ban 192.0.66.7
   assert_success
   assert_output "Banned custom IP: 1"
@@ -136,6 +137,26 @@ function teardown_file() {
 
   run docker exec mail_fail2ban nft list set inet f2b-table addr-set-custom
   refute_output --partial "192.0.66.7"
+
+  # Ban IP network
+  run docker exec mail_fail2ban fail2ban ban 192.0.66.0/24
+  assert_success
+  assert_output "Banned custom IP: 1"
+
+  run docker exec mail_fail2ban fail2ban
+  assert_success
+  assert_output --regexp "Banned in custom:.*192\.0\.66\.0/24"
+
+  run docker exec mail_fail2ban nft list set inet f2b-table addr-set-custom
+  assert_success
+  assert_output --partial "elements = { 192.0.66.0/24 }"
+
+  run docker exec mail_fail2ban fail2ban unban 192.0.66.0/24
+  assert_success
+  assert_output --partial "Unbanned IP from custom: 1"
+
+  run docker exec mail_fail2ban nft list set inet f2b-table addr-set-custom
+  refute_output --partial "192.0.66.0/24"
 }
 
 @test "checking FAIL2BAN_BLOCKTYPE is really set to drop" {