28 changed files with 311 additions and 1982 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -0,0 +1,2 @@
 fail2ban-FAIL2BAN-0_8.tar.bz2
 fail2ban-0.8.4.tar.bz2
--- a/.gitignore
+++ b/.gitignore
@ -1 +0,0 @@
 /fail2ban-*/
--- a/0001-BF-anchoring-regex-for-IP-with-at-the-end.patch
+++ b/0001-BF-anchoring-regex-for-IP-with-at-the-end.patch
@ -0,0 +1,30 @@
 From a8f963a2803acef984c66cd1910631eb06363ac1 Mon Sep 17 00:00:00 2001
 From: Yaroslav Halchenko <debian@onerussian.com>
 Date: Wed, 4 Feb 2009 15:38:11 -0500
 Subject: [PATCH] BF: anchoring regex for IP with " *$" at the end
 to forbid matching IP encoded in the hostname prior doing actual DNS
 lookup.
 It is quite important and actually security hazard: DoS is easy to
 perform...
 ---
 server/filter.py |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
 diff --git a/server/filter.py b/server/filter.py
 index 457bb03..77042ad 100644
 --- a/server/filter.py
 +++ b/server/filter.py
@@ -492,7 +492,7 @@ import socket, struct
 class DNSUtils:
 -	IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3}")
 +	IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3} *$")
 	#@staticmethod
 	def dnsToIp(dns):
 -- 
 1.5.6.5
--- a/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch
+++ b/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch
@ -1,60 +0,0 @@
 From 04ff4c060cdc233af9a6deeb85a6523da0416f31 Mon Sep 17 00:00:00 2001
 From: Nic Boet <nic@boet.cc>
 Date: Fri, 13 Jun 2025 16:44:57 -0500
 Subject: [PATCH] Dovecot 2.4 filter support
 Dovecot 2.4 release is a major upgrade
 Logger event structure has changed, all messages are now
 prefixed with:
        "Login aborted: " <reason> "auth failed"
 Maintain 2.3 support as many folks have yet to migrate,
 community edition is still receiving cretial security patches
 Dovecot 2.4.1
 Python 3.12.10
 Signed-off-by: Nic Boet <nic@boet.cc>
 ---
 config/filter.d/dovecot.conf      | 2 ++
 fail2ban/tests/files/logs/dovecot | 6 ++++++
 2 files changed, 8 insertions(+)
 diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf
 index dc3ebbcd42..f49eebe726 100644
 --- a/config/filter.d/dovecot.conf
 +++ b/config/filter.d/dovecot.conf
@@ -17,6 +17,7 @@ prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_a
 failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
             ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
 +            ^(?:Login aborted):\s*%(_bypass_reject_reason)s.*?\((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\)(?:\s*\([^)]+\))?:\s*(?:user=<<F-USER>[^>]*</F-USER>>,?\s*)?(?:,?\s*method=\S+,\s*)?rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
             ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \([Pp]assword mismatch\?\)|Permission denied)\s*$
             ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch)
             <mdre-<mode>>
@@ -43,6 +44,7 @@ datepattern = {^LN-BEG}TAI64N
 # DEV Notes:
 # * the first regex is essentially a copy of pam-generic.conf
 # * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
 +# * Dovecot version 2.4 changed event log structure, line prior needed to maintain 2.3 support
 #
 # Author: Martin Waschbuesch
 #         Daniel Black (rewrote with begin and end anchors)
 diff --git a/fail2ban/tests/files/logs/dovecot b/fail2ban/tests/files/logs/dovecot
 index 0e33296129..4f5a0b7867 100644
 --- a/fail2ban/tests/files/logs/dovecot
 +++ b/fail2ban/tests/files/logs/dovecot
@@ -22,6 +22,12 @@ Jun 14 00:48:21 platypus dovecot: imap-login: Disconnected (auth failed, 1 attem
 # failJSON: { "time": "2005-06-23T00:52:43", "match": true , "host": "193.95.245.163" }
 Jun 23 00:52:43 vhost1-ua dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=193.95.245.163, lip=176.214.13.210
 +# Dovecot version 2.4
 +# failJSON: { "time": "2005-06-12T19:07:29", "match": true , "host": "192.0.2.241" }
 +Jun 12 19:07:29 hostname dovecot[241]: imap-login: Login aborted: Connection closed (auth failed, 3 attempts in 16 secs) (auth_failed): user=<test>, method=PLAIN, rip=192.0.2.241, lip=203.0.113.104, TLS, session=<9ZHq02g3J8S60fan>
 +# failJSON: { "time": "2005-06-13T16:35:56", "match": true , "host": "192.0.2.241" }
 +Jun 13 16:35:56 mx dovecot[241]: managesieve-login: Login aborted: Logged out (auth failed, 1 attempts in 10 secs) (auth_failed): user=<user@domain>, method=PLAIN, rip=192.0.2.241, lip=203.0.113.104, TLS, session=<Dp8j1Ho3suQYdo+k>
 +
 # failJSON: { "time": "2005-07-02T13:49:31", "match": true , "host": "192.51.100.13" }
 Jul 02 13:49:31 hostname dovecot[442]: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<test>, method=PLAIN, rip=192.51.100.13, lip=203.0.113.17, session=<YADINsQCDs5BH8Pg>
--- a/3728.patch
+++ b/3728.patch
@ -1,160 +0,0 @@
 From a763fbbdfd6486e372965b4009eb3fe5db346718 Mon Sep 17 00:00:00 2001
 From: Branch Vincent <branchevincent@gmail.com>
 Date: Sat, 27 Apr 2024 10:24:01 -0700
 Subject: [PATCH 1/3] replace distutils for python 3.12
 ---
 doc/conf.py                        | 5 +----
 fail2ban/server/filterpyinotify.py | 3 +--
 fail2ban/server/filtersystemd.py   | 3 +--
 3 files changed, 3 insertions(+), 8 deletions(-)
 diff --git a/doc/conf.py b/doc/conf.py
 index 20845a5a0e..48d27f7062 100644
 --- a/doc/conf.py
 +++ b/doc/conf.py
@@ -47,12 +47,9 @@
 #
 from fail2ban.version import version as fail2ban_version
 -from distutils.version import LooseVersion
 -
 -fail2ban_loose_version = LooseVersion(fail2ban_version)
 # The short X.Y version.
 -version = ".".join(str(_) for _ in fail2ban_loose_version.version[:2])
 +version = ".".join(str(_) for _ in fail2ban_version.split(".")[:2])
 # The full version, including alpha/beta/rc tags.
 release = fail2ban_version
 diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py
 index 81bc7de393..c6972ced3f 100644
 --- a/fail2ban/server/filterpyinotify.py
 +++ b/fail2ban/server/filterpyinotify.py
@@ -24,7 +24,6 @@
 __license__ = "GPL"
 import logging
 -from distutils.version import LooseVersion
 import os
 from os.path import dirname, sep as pathsep
@@ -38,7 +37,7 @@
 if not hasattr(pyinotify, '__version__') \
 -  or LooseVersion(pyinotify.__version__) < '0.8.3': # pragma: no cover
 +  or pyinotify.__version__.split(".") < '0.8.3'.split("."): # pragma: no cover
   raise ImportError("Fail2Ban requires pyinotify >= 0.8.3")
 # Verify that pyinotify is functional on this system
 diff --git a/fail2ban/server/filtersystemd.py b/fail2ban/server/filtersystemd.py
 index 5aea9fdadc..2d4f862b97 100644
 --- a/fail2ban/server/filtersystemd.py
 +++ b/fail2ban/server/filtersystemd.py
@@ -24,10 +24,9 @@
 import os
 import time
 -from distutils.version import LooseVersion
 from systemd import journal
 -if LooseVersion(getattr(journal, '__version__', "0")) < '204':
 +if getattr(journal, "__version__", "0").split(".") < "204".split("."):
 	raise ImportError("Fail2Ban requires systemd >= 204")
 from .failmanager import FailManagerEmpty
 From ed20a9a5b9039319dd8913dfecf640e6eafee28b Mon Sep 17 00:00:00 2001
 From: sebres <info@sebres.de>
 Date: Tue, 7 May 2024 12:51:14 +0200
 Subject: [PATCH 2/3] there is no systemd < 204 and pyinotify < 0.8.3 for
 supported python3 versions anymore
 ---
 fail2ban/server/filterpyinotify.py | 4 ----
 fail2ban/server/filtersystemd.py   | 2 --
 2 files changed, 6 deletions(-)
 diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py
 index c6972ced3f..f2f31e6fb5 100644
 --- a/fail2ban/server/filterpyinotify.py
 +++ b/fail2ban/server/filterpyinotify.py
@@ -36,10 +36,6 @@
 from ..helpers import getLogger
 -if not hasattr(pyinotify, '__version__') \
 -  or pyinotify.__version__.split(".") < '0.8.3'.split("."): # pragma: no cover
 -  raise ImportError("Fail2Ban requires pyinotify >= 0.8.3")
 -
 # Verify that pyinotify is functional on this system
 # Even though imports -- might be dysfunctional, e.g. as on kfreebsd
 try:
 diff --git a/fail2ban/server/filtersystemd.py b/fail2ban/server/filtersystemd.py
 index 2d4f862b97..abd66e1f76 100644
 --- a/fail2ban/server/filtersystemd.py
 +++ b/fail2ban/server/filtersystemd.py
@@ -26,8 +26,6 @@
 import time
 from systemd import journal
 -if getattr(journal, "__version__", "0").split(".") < "204".split("."):
 -	raise ImportError("Fail2Ban requires systemd >= 204")
 from .failmanager import FailManagerEmpty
 from .filter import JournalFilter, Filter
 From 0185e1c7d5e6534ab212462dd2aeab6f89e2fb50 Mon Sep 17 00:00:00 2001
 From: sebres <info@sebres.de>
 Date: Tue, 7 May 2024 13:06:50 +0200
 Subject: [PATCH 3/3] setup.py: no distutils anymore
 ---
 setup.py | 25 ++++++-------------------
 1 file changed, 6 insertions(+), 19 deletions(-)
 diff --git a/setup.py b/setup.py
 index 9f7bd8fb59..ee9ea4df82 100755
 --- a/setup.py
 +++ b/setup.py
@@ -24,23 +24,10 @@
 import platform
 -try:
 -	import setuptools
 -	from setuptools import setup
 -	from setuptools.command.install import install
 -	from setuptools.command.install_scripts import install_scripts
 -	from setuptools.command.build_py import build_py
 -	build_scripts = None
 -except ImportError:
 -	setuptools = None
 -	from distutils.core import setup
 -
 -# older versions
 -if setuptools is None:
 -	from distutils.command.build_py import build_py
 -	from distutils.command.build_scripts import build_scripts
 -	from distutils.command.install import install
 -	from distutils.command.install_scripts import install_scripts
 +import setuptools
 +from setuptools import setup
 +from setuptools.command.install import install
 +from setuptools.command.install_scripts import install_scripts
 import os
 from os.path import isfile, join, isdir, realpath
@@ -207,9 +194,9 @@ def run(self):
 	url = "http://www.fail2ban.org",
 	license = "GPL",
 	platforms = "Posix",
 -	cmdclass = dict({'build_py': build_py, 'build_scripts': build_scripts} if build_scripts else {}, **{
 +	cmdclass = {
 		'install_scripts': install_scripts_f2b, 'install': install_command_f2b
 -	}),
 +	},
 	scripts = [
 		'bin/fail2ban-client',
 		'bin/fail2ban-server',
--- a/3782.patch
+++ b/3782.patch
@ -1,94 +0,0 @@
 From 2fed408c05ac5206b490368d94599869bd6a056d Mon Sep 17 00:00:00 2001
 From: Fabian Dellwing <fabian.dellwing@mbconnectline.de>
 Date: Tue, 2 Jul 2024 07:54:15 +0200
 Subject: [PATCH 1/5] Adjust sshd filter for OpenSSH 9.8 new daemon name
 ---
 config/filter.d/sshd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
 index 1c8a02deb5..a1fd749aed 100644
 --- a/config/filter.d/sshd.conf
 +++ b/config/filter.d/sshd.conf
@@ -16,7 +16,7 @@ before = common.conf
 [DEFAULT]
 -_daemon = sshd
 +_daemon = (?:sshd(?:-session)?)
 # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
 __pref = (?:(?:error|fatal): (?:PAM: )?)?
 From 7b335f47ea112e2a36e59287582e613aef2fa0a3 Mon Sep 17 00:00:00 2001
 From: "Sergey G. Brester" <serg.brester@sebres.de>
 Date: Wed, 3 Jul 2024 19:09:28 +0200
 Subject: [PATCH 2/5] sshd: add test coverage for new format, gh-3782
 ---
 fail2ban/tests/files/logs/sshd | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
 index ed54ded4d4..7d3948ed80 100644
 --- a/fail2ban/tests/files/logs/sshd
 +++ b/fail2ban/tests/files/logs/sshd
@@ -20,6 +20,9 @@ Feb 25 14:34:10 belka sshd[31603]: Failed password for invalid user ROOT from aa
 # failJSON: { "time": "2005-02-25T14:34:11", "match": true , "host": "aaaa:bbbb:cccc:1234::1:1" }
 Feb 25 14:34:11 belka sshd[31603]: Failed password for invalid user ROOT from aaaa:bbbb:cccc:1234::1:1
 +# failJSON: { "time": "2005-07-03T14:59:17", "match": true , "host": "192.0.2.1", "desc": "new log with session in daemon prefix, gh-3782" }
 +Jul  3 14:59:17 host sshd-session[1571]: Failed password for root from 192.0.2.1 port 56502 ssh2
 +
 #3
 # failJSON: { "time": "2005-01-05T01:31:41", "match": true , "host": "1.2.3.4" }
 Jan  5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
 From 8360776ce1b119d519a842069c73bec7f5e24fad Mon Sep 17 00:00:00 2001
 From: "Sergey G. Brester" <serg.brester@sebres.de>
 Date: Wed, 3 Jul 2024 19:33:39 +0200
 Subject: [PATCH 3/5] zzz-sshd-obsolete-multiline.conf: adjusted to new
 sshd-session log format
 ---
 fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
 index ad8adeb69f..14256ba68c 100644
 --- a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
 +++ b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
@@ -9,7 +9,7 @@ before = ../../../../config/filter.d/common.conf
 [DEFAULT]
 -_daemon = sshd
 +_daemon = sshd(?:-session)?
 # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
 __pref = (?:(?:error|fatal): (?:PAM: )?)?
 From 50ff131a0fd8f54fdeb14b48353f842ee8ae8c1a Mon Sep 17 00:00:00 2001
 From: "Sergey G. Brester" <serg.brester@sebres.de>
 Date: Wed, 3 Jul 2024 19:35:28 +0200
 Subject: [PATCH 4/5] filter.d/sshd.conf: ungroup (unneeded for _daemon)
 ---
 config/filter.d/sshd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
 index a1fd749aed..3a84b1ba52 100644
 --- a/config/filter.d/sshd.conf
 +++ b/config/filter.d/sshd.conf
@@ -16,7 +16,7 @@ before = common.conf
 [DEFAULT]
 -_daemon = (?:sshd(?:-session)?)
 +_daemon = sshd(?:-session)?
 # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
 __pref = (?:(?:error|fatal): (?:PAM: )?)?
--- a/54c0effceb998b73545073ac59c479d9d9bf19a4.patch
+++ b/54c0effceb998b73545073ac59c479d9d9bf19a4.patch
@ -1,23 +0,0 @@
 From 54c0effceb998b73545073ac59c479d9d9bf19a4 Mon Sep 17 00:00:00 2001
 From: sebres <info@sebres.de>
 Date: Sun, 11 Aug 2024 12:10:12 +0200
 Subject: [PATCH] filter.d/sshd.conf: amend to #3747/#3812 (new ssh version
 would log with `_COMM=sshd-session`)
 ---
 config/filter.d/sshd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
 index 206b913a78..595e957f0b 100644
 --- a/config/filter.d/sshd.conf
 +++ b/config/filter.d/sshd.conf
@@ -126,7 +126,7 @@ ignoreregex =
 maxlines = 1
 -journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
 +journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd + _COMM=sshd-session
 # DEV Notes:
 #
--- a/37
+++ b/37
@ -1,26 +1,21 @@
-TARGET?=fail2ban
+# Makefile for source rpm: fail2ban
-MODULES?=${TARGET:=.pp.bz2}
+# $Id$
-SHAREDIR?=/usr/share
+NAME := fail2ban
 SPECFILE = $(firstword $(wildcard *.spec))
-all: ${TARGET:=.pp.bz2}
+define find-makefile-common
 for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
 endef
-%.pp.bz2: %.pp
+MAKEFILE_COMMON := $(shell $(find-makefile-common))
 	@echo Compressing $^ -\> $@
 	bzip2 -9 $^
-%.pp: %.te
+ifeq ($(MAKEFILE_COMMON),)
-	make -f ${SHAREDIR}/selinux/devel/Makefile $@
+# attept a checkout
 define checkout-makefile-common
 test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
 endef
-clean:
+MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-	rm -f *~  *.tc *.pp *.pp.bz2
+endif
 	rm -rf tmp *.tar.gz
-man: install-policy
+include $(MAKEFILE_COMMON)
 	sepolicy manpage --path . --domain ${TARGET}_t
 install-policy: all
 	semodule -i ${TARGET}.pp.bz2
 install: man
 	install -D -m 644 ${TARGET}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/${TARGET}.pp.bz2
 	install -D -m 644 ${TARGET}_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/
--- a/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch
+++ b/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch
@ -1,148 +0,0 @@
 From ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b Mon Sep 17 00:00:00 2001
 From: sebres <info@sebres.de>
 Date: Fri, 14 Jun 2024 14:31:21 +0200
 Subject: [PATCH] beautifier detect whether it can use unicode chars in stats
 table; asciified output of beautifier in test suite; closes gh-3750
 ---
 fail2ban/client/beautifier.py              | 51 ++++++++++++++--------
 fail2ban/tests/clientbeautifiertestcase.py | 22 ++++++----
 2 files changed, 45 insertions(+), 28 deletions(-)
 diff --git a/fail2ban/client/beautifier.py b/fail2ban/client/beautifier.py
 index 7ef173a655..21c49b9483 100644
 --- a/fail2ban/client/beautifier.py
 +++ b/fail2ban/client/beautifier.py
@@ -21,8 +21,10 @@
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2013- Yaroslav Halchenko"
 __license__ = "GPL"
 +import sys
 +
 from ..exceptions import UnknownJailException, DuplicateJailException
 -from ..helpers import getLogger, logging
 +from ..helpers import getLogger, logging, PREFER_ENC
 # Gets the instance of the logger.
 logSys = getLogger(__name__)
@@ -36,6 +38,11 @@
 class Beautifier:
 +	stdoutEnc = PREFER_ENC
 +	if sys.stdout and sys.stdout.encoding is not None:
 +		stdoutEnc = sys.stdout.encoding
 +	encUtf = 1 if stdoutEnc.lower() == 'utf-8' else 0
 +
 	def __init__(self, cmd = None):
 		self.__inputCmd = cmd
@@ -104,7 +111,11 @@ def jail_stat(response, pref=""):
 							jail_stat(j, "      " if i == len(jstat) else "   |  ")
 				msg = "\n".join(msg)
 			elif inC[0:1] == ['stats'] or inC[0:1] == ['statistics']:
 -				def _statstable(response):
 +				chrTable = [
 +					['|', '-', '|', 'x', 'x', '-', '|', '-'], ## ascii
 +					["\u2551", "\u2550", "\u255F", "\u256B", "\u256C", "\u2569", "\u2502", "\u2500"] ## utf-8
 +				];
 +				def _statstable(response, ct):
 					tophead = ["Jail", "Backend", "Filter", "Actions"]
 					headers = ["", "", "cur", "tot", "cur", "tot"]
 					minlens = [8, 8, 3, 3, 3, 3]
@@ -120,29 +131,31 @@ def _statstable(response):
 						f = "%%%ds" if ralign[i] else "%%-%ds"
 						rfmt.append(f % lens[i])
 						hfmt.append(f % lens[i])
 -					rfmt = [rfmt[0], rfmt[1], "%s \u2502 %s" % (rfmt[2], rfmt[3]), "%s \u2502 %s" % (rfmt[4], rfmt[5])]
 -					hfmt = [hfmt[0], hfmt[1], "%s \u2502 %s" % (hfmt[2], hfmt[3]), "%s \u2502 %s" % (hfmt[4], hfmt[5])]
 +					rfmt = [rfmt[0], rfmt[1], "%s %s %s" % (rfmt[2], ct[6], rfmt[3]), "%s %s %s" % (rfmt[4], ct[6], rfmt[5])]
 +					hfmt = [hfmt[0], hfmt[1], "%s %s %s" % (hfmt[2], ct[6], hfmt[3]), "%s %s %s" % (hfmt[4], ct[6], hfmt[5])]
 					tlens = [lens[0], lens[1], 3 + lens[2] + lens[3], 3 + lens[4] + lens[5]]
 					tfmt = [hfmt[0], hfmt[1], "%%-%ds" % (tlens[2],), "%%-%ds" % (tlens[3],)]
 					tsep = tfmt[0:2]
 -					rfmt = " \u2551 ".join(rfmt)
 -					hfmt = " \u2551 ".join(hfmt)
 -					tfmt = " \u2551 ".join(tfmt)
 -					tsep = " \u2551 ".join(tsep)
 -					separator = ((tsep % tuple(tophead[0:2])) + " \u255F\u2500" + 
 -						("\u2500\u256B\u2500".join(['\u2500' * n for n in tlens[2:]])) + '\u2500')
 +					rfmt = (" "+ct[0]+" ").join(rfmt)
 +					hfmt = (" "+ct[0]+" ").join(hfmt)
 +					tfmt = (" "+ct[0]+" ").join(tfmt)
 +					tsep = (" "+ct[0]+" ").join(tsep)
 +					separator = ((tsep % tuple(tophead[0:2])) + " "+ct[2]+ct[7] + 
 +						((ct[7]+ct[3]+ct[7]).join([ct[7] * n for n in tlens[2:]])) + ct[7])
 					ret = []
 -					ret.append(tfmt % tuple(["", ""]+tophead[2:]))
 -					ret.append(separator)
 -					ret.append(hfmt % tuple(headers))
 -					separator = "\u2550\u256C\u2550".join(['\u2550' * n for n in tlens]) + '\u2550'
 -					ret.append(separator)
 +					ret.append(" "+tfmt % tuple(["", ""]+tophead[2:]))
 +					ret.append(" "+separator)
 +					ret.append(" "+hfmt % tuple(headers))
 +					separator = (ct[1]+ct[4]+ct[1]).join([ct[1] * n for n in tlens]) + ct[1]
 +					ret.append(ct[1]+separator)
 					for row in rows:
 -						ret.append(rfmt % tuple(row))
 -					separator = "\u2550\u2569\u2550".join(['\u2550' * n for n in tlens]) + '\u2550'
 -					ret.append(separator)
 +						ret.append(" "+rfmt % tuple(row))
 +					separator = (ct[1]+ct[5]+ct[1]).join([ct[1] * n for n in tlens]) + ct[1]
 +					ret.append(ct[1]+separator)
 					return ret
 -				msg = "\n".join(_statstable(response))
 +				if not response:
 +					return "No jails found."
 +				msg = "\n".join(_statstable(response, chrTable[self.encUtf]))
 			elif len(inC) < 2:
 				pass # to few cmd args for below
 			elif inC[1] == "syslogsocket":
 diff --git a/fail2ban/tests/clientbeautifiertestcase.py b/fail2ban/tests/clientbeautifiertestcase.py
 index defedbe1bf..5fcb240479 100644
 --- a/fail2ban/tests/clientbeautifiertestcase.py
 +++ b/fail2ban/tests/clientbeautifiertestcase.py
@@ -34,6 +34,7 @@ def setUp(self):
 		""" Call before every test case """
 		super(BeautifierTest, self).setUp()
 		self.b = Beautifier()
 +		self.b.encUtf = 0; ## we prefer ascii in test suite (see #3750)
 	def tearDown(self):
 		""" Call after every test case """
@@ -170,22 +171,25 @@ def testStatus(self):
 	def testStatusStats(self):
 		self.b.setInputCmd(["stats"])
 +		## no jails:
 +		self.assertEqual(self.b.beautify({}), "No jails found.")
 +		## 3 jails:
 		response = {
 			"ssh": ["systemd", (3, 6), (12, 24)],
 			"exim4": ["pyinotify", (6, 12), (20, 20)],
 			"jail-with-long-name": ["polling", (0, 0), (0, 0)]
 		}
 		output = (""
 -			+ "                    ?           ? Filter    ? Actions  \n"
 -			+ "Jail                ? Backend   ????????????????????????\n"
 -			+ "                    ?           ? cur ? tot ? cur ? tot\n"
 -			+ "????????????????????????????????????????????????????????\n"
 -			+ "ssh                 ? systemd   ?   3 ?   6 ?  12 ?  24\n"
 -			+ "exim4               ? pyinotify ?   6 ?  12 ?  20 ?  20\n"
 -			+ "jail-with-long-name ? polling   ?   0 ?   0 ?   0 ?   0\n"
 -			+ "????????????????????????????????????????????????????????"
 +			+ "                     |           | Filter    | Actions  \n"
 +			+ " Jail                | Backend   |-----------x-----------\n"
 +			+ "                     |           | cur | tot | cur | tot\n"
 +			+ "---------------------x-----------x-----------x-----------\n"
 +			+ " ssh                 | systemd   |   3 |   6 |  12 |  24\n"
 +			+ " exim4               | pyinotify |   6 |  12 |  20 |  20\n"
 +			+ " jail-with-long-name | polling   |   0 |   0 |   0 |   0\n"
 +			+ "---------------------------------------------------------"
 		)
 -		response = self.b.beautify(response).encode('ascii', 'replace').decode('ascii')
 +		response = self.b.beautify(response)
 		self.assertEqual(response, output)
--- a/asyncserver.start_selinux.patch
+++ b/asyncserver.start_selinux.patch
@ -0,0 +1,35 @@
 From 20c717c25c5d180b720bec6902475f07b02f8b87 Mon Sep 17 00:00:00 2001
 From: Jonathan G. Underwood <jonathan.underwood@gmail.com>
 Date: Sun, 3 Jan 2010 02:16:09 +0000
 Subject: [PATCH] Set socket file descriptor in AsyncServer.start to be CLOEXEC
 https://bugzilla.redhat.com/show_bug.cgi?id=522767
 ---
 server/asyncserver.py |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)
 diff --git a/server/asyncserver.py b/server/asyncserver.py
 index 35cebf1..96b62d0 100644
 --- a/server/asyncserver.py
 +++ b/server/asyncserver.py
@@ -26,7 +26,7 @@ __license__ = "GPL"
 from pickle import dumps, loads, HIGHEST_PROTOCOL
 from common import helpers
 -import asyncore, asynchat, socket, os, logging, sys, traceback
 +import asyncore, asynchat, socket, os, logging, sys, traceback, fcntl
 # Gets the instance of the logger.
 logSys = logging.getLogger("fail2ban.server")
@@ -126,6 +126,8 @@ class AsyncServer(asyncore.dispatcher):
 				raise AsyncServerException("Server already running")
 		# Creates the socket.
 		self.create_socket(socket.AF_UNIX, socket.SOCK_STREAM)
 +		fd = self.fileno()
 +		fcntl.fcntl(fd, fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC)
 		self.set_reuse_addr()
 		try:
 			self.bind(sock)
 -- 
 1.6.5.2
--- a/fail2ban-0.8-sshd-filter.diff
+++ b/fail2ban-0.8-sshd-filter.diff
@ -0,0 +1,18 @@
 --- fail2ban-0.8.0/config/filter.d/sshd.conf.upstream	2007-06-20 11:56:18.000000000 +0100
 +++ fail2ban-0.8.0/config/filter.d/sshd.conf	2007-06-20 11:53:36.000000000 +0100
@@ -14,10 +14,11 @@
 #          (?:::f{4,6}:)?(?P<host>\S+)
 # Values:  TEXT
 #
 -failregex = Authentication failure for .* from <HOST>
 -            Failed [-/\w]+ for .* from <HOST>
 -            ROOT LOGIN REFUSED .* FROM <HOST>
 -            [iI](?:llegal|nvalid) user .* from <HOST>
 +failregex = Authentication failure for .* from <HOST>$
 +            Failed [-/\w]+ for .* from <HOST>$
 +            ROOT LOGIN REFUSED .* FROM <HOST>$
 +            [iI](?:llegal|nvalid) user .* from <HOST>$
 +            User .* from <HOST> not allowed because not listed in AllowUsers$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/fail2ban-0.8.1-sock.patch
+++ b/fail2ban-0.8.1-sock.patch
@ -0,0 +1,30 @@
 diff -up fail2ban-0.8.1/server/ssocket.py.sock fail2ban-0.8.1/server/ssocket.py
 --- fail2ban-0.8.1/server/ssocket.py.sock	2008-01-31 22:44:43.000000000 +0000
 +++ fail2ban-0.8.1/server/ssocket.py	2008-01-31 22:45:31.000000000 +0000
@@ -41,11 +41,11 @@ class SSocket(Thread):
 		Thread.__init__(self)
 		self.__transmit = transmitter
 		self.__isRunning = False
 -		self.__socket = "/tmp/fail2ban.sock"
 +		self.__socket = "/var/run/fail2ban.sock"
 		self.__ssock = None
 		logSys.debug("Created SSocket")
 -	def initialize(self, sock = "/tmp/fail2ban.sock", force = False):
 +	def initialize(self, sock = "/var/run/fail2ban.sock", force = False):
 		self.__socket = sock
 		# Remove socket
 		if os.path.exists(sock):
 diff -up fail2ban-0.8.1/config/fail2ban.conf.sock fail2ban-0.8.1/config/fail2ban.conf
 --- fail2ban-0.8.1/config/fail2ban.conf.sock	2008-01-31 22:46:01.000000000 +0000
 +++ fail2ban-0.8.1/config/fail2ban.conf	2008-01-31 22:46:23.000000000 +0000
@@ -28,7 +28,7 @@ logtarget = /var/log/fail2ban.log
 # Notes.: Set the socket file. This is used to communicate with the daemon. Do
 #         not remove this file when Fail2ban runs. It will not be possible to
 #         communicate with the server afterwards.
 -# Values: FILE  Default:  /tmp/fail2ban.sock
 +# Values: FILE  Default:  /var/run/fail2ban.sock
 #
 -socket = /tmp/fail2ban.sock
 +socket = /var/run/fail2ban.sock
--- a/fail2ban-0.8.1-sshd.patch
+++ b/fail2ban-0.8.1-sshd.patch
@ -0,0 +1,17 @@
 --- fail2ban-0.8.1/config/jail.conf.sshd	2007-08-09 00:49:59.000000000 +0200
 +++ fail2ban-0.8.1/config/jail.conf	2007-08-15 21:41:33.000000000 +0200
@@ -42,11 +42,11 @@
 [ssh-iptables]
 -enabled  = false
 +enabled  = true
 filter   = sshd
 action   = iptables[name=SSH, port=ssh, protocol=tcp]
 -           sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
 -logpath  = /var/log/sshd.log
 +           sendmail-whois[name=SSH, dest=root, sender=fail2ban@mail.com]
 +logpath  = /var/log/secure
 maxretry = 5
 [proftpd-iptables]
--- a/fail2ban-0.8.2-fd_cloexec.patch
+++ b/fail2ban-0.8.2-fd_cloexec.patch
@ -0,0 +1,22 @@
 --- fail2ban-0.8.2/server/filter.py.orig	2008-03-27 16:26:59.000000000 +0000
 +++ fail2ban-0.8.2/server/filter.py	2008-03-27 15:29:48.000000000 +0000
@@ -428,6 +428,7 @@
 # is computed and compared to the previous hash of this line.
 import md5
 +import fcntl
 class FileContainer:
@@ -455,6 +456,11 @@
 	def open(self):
 		self.__handler = open(self.__filename)
 +
 +		# Set the file descriptor to be FD_CLOEXEC
 +		fd = self.__handler.fileno()
 +		fcntl.fcntl (self.__handler.fileno(), fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC)
 +
 		firstLine = self.__handler.readline()
 		# Computes the MD5 of the first line.
 		myHash = md5.new(firstLine).digest()
--- a/fail2ban-0.8.3-init.patch
+++ b/fail2ban-0.8.3-init.patch
@ -0,0 +1,20 @@
 --- fail2ban-0.8.3/files/redhat-initd.init	2008-03-10 23:36:22.000000000 +0100
 +++ fail2ban-0.8.3/files/redhat-initd	2008-08-24 20:46:01.000000000 +0200
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
 -# chkconfig: 345 92 08
 +# chkconfig: - 92 08
 # description: Fail2ban daemon
 #              http://fail2ban.sourceforge.net/wiki/index.php/Main_Page
 # process name: fail2ban-server
@@ -27,8 +27,7 @@
     echo -n $"Starting fail2ban: "
     getpid
     if [ -z "$pid" ]; then
 -	rm -rf /var/run/fail2ban/fail2ban.sock # in case of unclean shutdown
 -        $FAIL2BAN start > /dev/null
 +        $FAIL2BAN -x start > /dev/null
         RETVAL=$?
     fi
     if [ $RETVAL -eq 0 ]; then
--- a/fail2ban-0.8.3-inodecheck.patch
+++ b/fail2ban-0.8.3-inodecheck.patch
@ -0,0 +1,35 @@
 --- fail2ban-0.8.3/server/filter.py.inodecheck	2009-08-27 20:50:22.000000000 +0200
 +++ fail2ban-0.8.3/server/filter.py	2009-08-27 20:50:22.000000000 +0200
@@ -31,7 +31,7 @@
 from mytime import MyTime
 from failregex import FailRegex, Regex, RegexException
 -import logging, re
 +import logging, re, os
 # Gets the instance of the logger.
 logSys = logging.getLogger("fail2ban.filter")
@@ -438,6 +438,8 @@
 		self.__handler = None
 		# Try to open the file. Raises an exception if an error occured.
 		handler = open(filename)
 +		stats = os.fstat(handler.fileno())
 +		self.__ino = stats.st_ino
 		try:
 			firstLine = handler.readline()
 			# Computes the MD5 of the first line.
@@ -464,10 +466,12 @@
 		firstLine = self.__handler.readline()
 		# Computes the MD5 of the first line.
 		myHash = md5.new(firstLine).digest()
 -		# Compare hash.
 -		if not self.__hash == myHash:
 +		stats = os.fstat(self.__handler.fileno())
 +		# Compare hash and inode
 +		if self.__hash != myHash or self.__ino != stats.st_ino:
 			logSys.info("Log rotation detected for %s" % self.__filename)
 			self.__hash = myHash
 +			self.__ino = stats.st_ino
 			self.__pos = 0
 		# Sets the file pointer to the last position.
 		self.__handler.seek(self.__pos)
--- a/fail2ban-0.8.3-log2syslog.patch
+++ b/fail2ban-0.8.3-log2syslog.patch
@ -0,0 +1,11 @@
 --- fail2ban-0.8.3/config/fail2ban.conf~	2008-02-27 22:44:55.000000000 +0100
 +++ fail2ban-0.8.3/config/fail2ban.conf	2009-08-27 20:48:25.000000000 +0200
@@ -22,7 +22,7 @@
 #          Only one log target can be specified.
 # Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
 #
 -logtarget = /var/log/fail2ban.log
 +logtarget = SYSLOG
 # Option: socket
 # Notes.: Set the socket file. This is used to communicate with the daemon. Do
--- a/fail2ban-1.1.0.tar.gz.asc
+++ b/fail2ban-1.1.0.tar.gz.asc
@ -1,11 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQEzBAABCgAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAmYqzEoACgkQaDvxvr0K
 iCwMfQf9GcxsuVs/LiHeDYmmvFOxCmS2zO4K5pzDuX1JmtSzKCj9HbPSxUWbIZIc
 yJv+x8t6QNBPBMnxI70TP+RcxKpCO4Fc2WRcrYS5B6gDTKy9Ty0fHorHlA4QQthu
 ywoqxf1eddQKcwlk+lw/wI1QPwZ1xA93BkasJht/bTnhAvXJBeN1Tgf+jZ23bHHf
 9FIGV8zt8fvaAIG8lB22AD/+PhSYEkp1TRuRx9VEuBbkH00u1i054I0cHTrsu3Fr
 jTIljf5TgpmFyXHBCA6JT6nnGn0jsaNDT/lBNxUmw5BmMxGWUTv4SlKbcjKjgXRH
 MTZipOHHYPx/7IyKJJvB1p1gvmOxyg==
 =qvry
 -----END PGP SIGNATURE-----
--- a/9
+++ b/9
@ -0,0 +1,9 @@
 /var/log/fail2ban.log {
    missingok
    notifempty
    size 30k
    create 0600 root root
    postrotate
        /usr/bin/fail2ban-client set logtarget SYSLOG 2> /dev/null || true
    endscript
 }
--- a/fail2ban-nftables.patch
+++ b/fail2ban-nftables.patch
@ -1,62 +0,0 @@
 Index: fail2ban-1.0.2/config/action.d/firewallcmd-rich-rules.conf
 ===================================================================
 --- fail2ban-1.0.2.orig/config/action.d/firewallcmd-rich-rules.conf
 +++ fail2ban-1.0.2/config/action.d/firewallcmd-rich-rules.conf
@@ -37,8 +37,8 @@ actioncheck =
 fwcmd_rich_rule = rule family='<family>' source address='<ip>' port port='$p' protocol='<protocol>' %(rich-suffix)s
 -actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done
 +actionban = ports="<port>"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done
 -actionunban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done
 +actionunban = ports="<port>"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done
 -rich-suffix = <rich-blocktype>
 \ No newline at end of file
 +rich-suffix = <rich-blocktype>
 Index: fail2ban-1.0.2/fail2ban/tests/servertestcase.py
 ===================================================================
 --- fail2ban-1.0.2.orig/fail2ban/tests/servertestcase.py
 +++ fail2ban-1.0.2/fail2ban/tests/servertestcase.py
@@ -2051,32 +2051,32 @@ class ServerConfigReaderTests(LogCapture
 			('j-fwcmd-rr', 'firewallcmd-rich-rules[port="22:24", protocol="tcp"]', {
 				'ip4': ("family='ipv4'", "icmp-port-unreachable",), 'ip6': ("family='ipv6'", 'icmp6-port-unreachable',),
 				'ip4-ban': (
 -					"""`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`""",
 +					"""`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`""",
 				),
 				'ip4-unban': (
 -					"""`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`""",
 +					"""`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`""",
 				),
 				'ip6-ban': (
 -					""" `ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`""",
 +					""" `ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`""",
 				),
 				'ip6-unban': (
 -					"""`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`""",
 +					"""`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`""",
 				),					
 			}),
 			# firewallcmd-rich-logging --
 			('j-fwcmd-rl', 'firewallcmd-rich-logging[port="22:24", protocol="tcp"]', {
 				'ip4': ("family='ipv4'", "icmp-port-unreachable",), 'ip6': ("family='ipv6'", 'icmp6-port-unreachable',),
 				'ip4-ban': (
 -					"""`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`""",
 +					"""`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`""",
 				),
 				'ip4-unban': (
 -					"""`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`""",
 +					"""`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`""",
 				),
 				'ip6-ban': (
 -					""" `ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`""",
 +					""" `ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`""",
 				),
 				'ip6-unban': (
 -					"""`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`""",
 +					"""`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`""",
 				),					
 			}),
 		)
--- a/fail2ban-partof.patch
+++ b/fail2ban-partof.patch
@ -1,12 +0,0 @@
 diff -up fail2ban-0.10.5/files/fail2ban.service.in.partof fail2ban-0.10.5/files/fail2ban.service.in
 --- fail2ban-0.10.5/files/fail2ban.service.in.partof	2020-01-10 05:34:46.000000000 -0700
 +++ fail2ban-0.10.5/files/fail2ban.service.in	2020-01-11 16:13:53.372316861 -0700
@@ -2,7 +2,7 @@
 Description=Fail2Ban Service
 Documentation=man:fail2ban(1)
 After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
 -PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service
 +PartOf=firewalld.service
 [Service]
 Type=simple
--- a/fail2ban.fc
+++ b/fail2ban.fc
@ -1,10 +0,0 @@
 #/etc/rc\.d/init\.d/fail2ban	--	gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0)
 /usr/bin/fail2ban	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
 /usr/bin/fail2ban-client	--	gen_context(system_u:object_r:fail2ban_client_exec_t,s0)
 /usr/bin/fail2ban-server	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
 /var/lib/fail2ban(/.*)?	gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
 /var/log/fail2ban\.log.*	--	gen_context(system_u:object_r:fail2ban_log_t,s0)
 /run/fail2ban(/.*)?				gen_context(system_u:object_r:fail2ban_var_run_t,s0)
--- a/fail2ban.if
+++ b/fail2ban.if
@ -1,313 +0,0 @@
 ## <summary>Update firewall filtering to ban IP addresses with too many password failures.</summary>
 ########################################
 ## <summary>
 ##	Execute a domain transition to run fail2ban.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ##	Domain allowed to transition.
 ## </summary>
 ## </param>
 #
 interface(`fail2ban_domtrans',`
 	gen_require(`
 		type fail2ban_t, fail2ban_exec_t;
 	')
 	corecmd_search_bin($1)
 	domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
 ')
 #######################################
 ## <summary>
 ##  Execute the fail2ban client in
 ##  the fail2ban client domain.
 ## </summary>
 ## <param name="domain">
 ##  <summary>
 ##  Domain allowed to transition.
 ##  </summary>
 ## </param>
 #
 interface(`fail2ban_domtrans_client',`
    gen_require(`
        type fail2ban_client_t, fail2ban_client_exec_t;
    ')
    corecmd_search_bin($1)
    domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
 ')
 #######################################
 ## <summary>
 ##  Execute fail2ban client in the
 ##  fail2ban client domain, and allow
 ##  the specified role the fail2ban
 ##  client domain.
 ## </summary>
 ## <param name="domain">
 ##  <summary>
 ##  Domain allowed to transition.
 ##  </summary>
 ## </param>
 ## <param name="role">
 ##  <summary>
 ##  Role allowed access.
 ##  </summary>
 ## </param>
 #
 interface(`fail2ban_run_client',`
    gen_require(`
        attribute_role fail2ban_client_roles;
    ')
    fail2ban_domtrans_client($1)
    roleattribute $2 fail2ban_client_roles;
 ')
 #####################################
 ## <summary>
 ##	Connect to fail2ban over a unix domain
 ##	stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fail2ban_stream_connect',`
 	gen_require(`
 		type fail2ban_t, fail2ban_var_run_t;
 	')
 	files_search_pids($1)
 	stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
 ')
 ########################################
 ## <summary>
 ##	Read and write inherited temporary files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fail2ban_rw_inherited_tmp_files',`
 	gen_require(`
 		type fail2ban_tmp_t;
 	')
 	files_search_tmp($1)
 	allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
 ')
 ########################################
 ## <summary>
 ##	Read and write to an fail2ba unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fail2ban_rw_stream_sockets',`
 	gen_require(`
 		type fail2ban_t;
 	')
 	allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
 ')
 #######################################
 ## <summary>
 ##  Do not audit attempts to use
 ##  fail2ban file descriptors.
 ## </summary>
 ## <param name="domain">
 ##  <summary>
 ##  Domain to not audit.
 ##  </summary>
 ## </param>
 #
 interface(`fail2ban_dontaudit_use_fds',`
    gen_require(`
        type fail2ban_t;
    ')
    dontaudit $1 fail2ban_t:fd use;
 ')
 #######################################
 ## <summary>
 ##  Do not audit attempts to read and
 ##  write fail2ban unix stream sockets
 ## </summary>
 ## <param name="domain">
 ##  <summary>
 ##  Domain to not audit.
 ##  </summary>
 ## </param>
 #
 interface(`fail2ban_dontaudit_rw_stream_sockets',`
    gen_require(`
        type fail2ban_t;
    ')
    dontaudit $1 fail2ban_t:unix_stream_socket { read write };
 ')
 ########################################
 ## <summary>
 ##	Read fail2ban lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fail2ban_read_lib_files',`
 	gen_require(`
 		type fail2ban_var_lib_t;
 	')
 	files_search_var_lib($1)
 	read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
 ')
 ########################################
 ## <summary>
 ##	Allow the specified domain to read fail2ban's log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`fail2ban_read_log',`
 	gen_require(`
 		type fail2ban_log_t;
 	')
 	logging_search_logs($1)
 	allow $1 fail2ban_log_t:dir list_dir_perms;
 	allow $1 fail2ban_log_t:file read_file_perms;
 ')
 ########################################
 ## <summary>
 ##	Allow the specified domain to append
 ##	fail2ban log files.
 ## </summary>
 ## <param name="domain">
 ## 	<summary>
 ##	Domain allowed access.
 ## 	</summary>
 ## </param>
 #
 interface(`fail2ban_append_log',`
 	gen_require(`
 		type fail2ban_log_t;
 	')
 	logging_search_logs($1)
 	allow $1 fail2ban_log_t:dir list_dir_perms;
 	allow $1 fail2ban_log_t:file append_file_perms;
 ')
 ########################################
 ## <summary>
 ##	Read fail2ban PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fail2ban_read_pid_files',`
 	gen_require(`
 		type fail2ban_var_run_t;
 	')
 	files_search_pids($1)
 	allow $1 fail2ban_var_run_t:file read_file_perms;
 ')
 ########################################
 ## <summary>
 ##	dontaudit read and write leaked file descriptors
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
 interface(`fail2ban_dontaudit_leaks',`
 	gen_require(`
 		type fail2ban_t;
 	')
 	dontaudit $1 fail2ban_t:tcp_socket { read write };
 	dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
 	dontaudit $1 fail2ban_t:unix_stream_socket { read write };
 ')
 ########################################
 ## <summary>
 ##	All of the rules required to administrate 
 ##	a fail2ban environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
 ##	<summary>
 ##	The role to be allowed to manage the fail2ban domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`fail2ban_admin',`
 	gen_require(`
 		type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
 		type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
 		type fail2ban_client_t;
 	')
 	allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
 	ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
 	tunable_policy(`deny_ptrace',`',`
 		allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
 	')
 	init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 fail2ban_initrc_exec_t system_r;
 	allow $2 system_r;
 	logging_list_logs($1)
 	admin_pattern($1, fail2ban_log_t)
 	files_list_pids($1)
 	admin_pattern($1, fail2ban_var_run_t)
 	files_list_var_lib($1)
 	admin_pattern($1, fail2ban_var_lib_t)
 	files_list_tmp($1)
 	admin_pattern($1, fail2ban_tmp_t)
 	fail2ban_run_client($1, $2)
 ')
--- a/fail2ban.rpmlintrc
+++ b/fail2ban.rpmlintrc
@ -1,8 +0,0 @@
 from Config import *
 addFilter("incoherent-logrotate-file /etc/logrotate.d/fail2ban");
 addFilter("macro-in-comment %{(name|version|release)}");
 addFilter("spelling-error .* (tcp|sendmail|shorewall|sshd)");
 # Tests
 addFilter("hidden-file-or-dir .*fail2ban/tests/files/config/apache.*/\.htpasswd");
 addFilter("htaccess-file-error .*fail2ban/tests/files/config/apache.*/\.htaccess");
 addFilter("zero-length .*fail2ban/tests/files/files/");
--- a/fail2ban.spec
+++ b/fail2ban.spec
@ -1,857 +1,89 @@
-%if 0%{?rhel} >= 9
+# Not defined in Fedora's buildsystem
-%bcond_with     shorewall
+%global _initdir %{_sysconfdir}/rc.d/init.d
 %else
 %bcond_without  shorewall
 %endif
 # RHEL < 10 and Fedora < 40 use file context entries in /var/run
 %if %{defined rhel} && 0%{?rhel} < 10
 %define legacy_var_run 1
 %endif
 Summary: Ban IPs that make too many password failures
 Name: fail2ban
-Version: 1.1.0
+Version: 0.8.4
-Release: 15%{?dist}
+Release: 24%{?dist}
-Summary: Daemon to ban hosts that cause multiple authentication errors
+License: GPLv2+
-
+Group: System Environment/Daemons
-License: GPL-2.0-or-later
+URL: http://fail2ban.sourceforge.net/
-URL: https://www.fail2ban.org
+Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2
-Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source1: fail2ban-logrotate
-Source1: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
+Patch0: fail2ban-0.8.3-init.patch
-# Releases are signed by Serg G. Brester (sebres) <info AT sebres.de>.  The
+Patch1: fail2ban-0.8.1-sshd.patch
-# fingerprint can be found in a signature file:
+Patch3: fail2ban-0.8.2-fd_cloexec.patch
-#   gpg --list-packets fail2ban-1.0.2.tar.gz.asc | grep 'issuer fpr'
+Patch6: fail2ban-0.8.3-log2syslog.patch
-#
+Patch7: asyncserver.start_selinux.patch
-# The following commands can be used to fetch the signing key via fingerprint
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
-# and extract it:
+BuildRequires: python-devel >= 2.3
 #   fpr=8738559E26F671DF9E2C6D9E683BF1BEBD0A882C
 #   gpg --receive-keys $fpr
 #   gpg -a --export-options export-minimal --export $fpr >gpgkey-$fpr.asc
 Source2: gpgkey-8738559E26F671DF9E2C6D9E683BF1BEBD0A882C.asc
 # SELinux policy
 Source3: fail2ban.fc
 Source4: fail2ban.if
 Source5: fail2ban.te
 Source6: Makefile
 # Give up being PartOf iptables and ipset for now
 # https://bugzilla.redhat.com/show_bug.cgi?id=1379141
 # https://bugzilla.redhat.com/show_bug.cgi?id=1573185
 Patch0: fail2ban-partof.patch
 # default port in jail.conf is not compatible with firewalld-cmd syntax
 # https://bugzilla.redhat.com/show_bug.cgi?id=1850164
 Patch1: fail2ban-nftables.patch
 # Work around encoding issues during tests
 Patch2: https://github.com/fail2ban/fail2ban/commit/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2315252
 Patch3: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3782.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2295265
 Patch4: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3728.patch
 # Upstream fix to also catch sshd-session logs
 # https://bugzilla.redhat.com/show_bug.cgi?id=2332945
 Patch5: https://github.com/fail2ban/fail2ban/commit/54c0effceb998b73545073ac59c479d9d9bf19a4.patch
 # Needed for Dovecot change to loging format in 2.4, fixed in f2b version 1.1.1.
 # https://bugzilla.redhat.com/show_bug.cgi?id=2426440
 Patch6: https://github.com/fail2ban/fail2ban/commit/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch
 BuildArch: noarch
-
+Requires: iptables, tcp_wrappers, shorewall, gamin-python
-BuildRequires: python3-devel
+Requires(post): /sbin/chkconfig
-BuildRequires: python3-setuptools
+Requires(preun): /sbin/chkconfig
-# For testcases
+Requires(preun): /sbin/service
 BuildRequires: python3-inotify
 # using a python3_version-based conditional does not work here, so
 # this is a proxy for "Python version greater than 3.12". asyncore
 # and asynchat were dropped from cpython core in 3.12, these modules
 # make them available again. See:
 # https://github.com/fail2ban/fail2ban/issues/3487
 # https://bugzilla.redhat.com/show_bug.cgi?id=2219991
 %if 0%{?fedora} || 0%{?rhel} >= 10
 BuildRequires: python3-pyasyncore
 BuildRequires: python3-pyasynchat
 %endif
 BuildRequires: sqlite
 BuildRequires: systemd
 BuildRequires: selinux-policy-devel
 BuildRequires: make
 %if 0%{?fedora} || 0%{?rhel} >= 11
 BuildRequires: bash-completion-devel
 %else
 BuildRequires: bash-completion
 %endif
 BuildRequires: gnupg2
 # Default components
 Requires: %{name}-firewalld = %{version}-%{release}
 Requires: %{name}-sendmail = %{version}-%{release}
 Requires: %{name}-server = %{version}-%{release}
 %description
-Fail2Ban scans log files and bans IP addresses that makes too many password
+Fail2ban scans log files like /var/log/pwdfail or
-failures. It updates firewall rules to reject the IP address. These rules can
+/var/log/apache/error_log and bans IP that makes too many password
-be defined by the user. Fail2Ban can read multiple log files such as sshd or
+failures. It updates firewall rules to reject the IP address.
 Apache web server ones.
 Fail2Ban is able to reduce the rate of incorrect authentications attempts
 however it cannot eliminate the risk that weak authentication presents.
 Configure services to use only two factor or public/private authentication
 mechanisms if you really want to protect services.
 This is a meta-package that will install the default configuration.  Other
 sub-packages are available to install support for other actions and
 configurations.
 %package selinux
 Summary: SELinux policies for Fail2Ban
 %{?selinux_requires}
 %global modulename fail2ban
 %global selinuxtype targeted
 %description selinux
 SELinux policies for Fail2Ban.
 %package server
 Summary: Core server component for Fail2Ban
 Requires: python3-systemd
 Requires: nftables
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
 Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
 # see note above in BuildRequires section
 %if 0%{?fedora} || 0%{?rhel} >= 10
 Requires: python3-pyasyncore
 Requires: python3-pyasynchat
 %endif
 %description server
 This package contains the core server components for Fail2Ban with minimal
 dependencies.  You can install this directly if you want to have a small
 installation and know what you are doing.
 %package all
 Summary: Install all Fail2Ban packages and dependencies
 Requires: %{name}-firewalld = %{version}-%{release}
 Requires: %{name}-hostsdeny = %{version}-%{release}
 Requires: %{name}-mail = %{version}-%{release}
 Requires: %{name}-sendmail = %{version}-%{release}
 Requires: %{name}-server = %{version}-%{release}
 %if %{with shorewall}
 Requires: %{name}-shorewall = %{version}-%{release}
 %endif
 Requires: perl-interpreter
 Requires: python3-inotify
 Requires: /usr/bin/whois
 %description all
 This package installs all of the Fail2Ban packages and dependencies.
 %package firewalld
 Summary: Firewalld support for Fail2Ban
 Requires: %{name}-server = %{version}-%{release}
 Requires: firewalld
 %description firewalld
 This package enables support for manipulating firewalld rules.  This is the
 default firewall service in Fedora.
 %package hostsdeny
 Summary: Hostsdeny (tcp_wrappers) support for Fail2Ban
 Requires: %{name}-server = %{version}-%{release}
 Requires: ed
 Requires: tcp_wrappers
 %description hostsdeny
 This package enables support for manipulating tcp_wrapper's /etc/hosts.deny
 files.
 %package tests
 Summary: Fail2Ban testcases
 Requires: %{name}-server = %{version}-%{release}
 %description tests
 This package contains Fail2Ban's testscases and scripts.
 %package mail
 Summary: Mail actions for Fail2Ban
 Requires: %{name}-server = %{version}-%{release}
 Requires: /usr/bin/mail
 %description mail
 This package installs Fail2Ban's mail actions.  These are an alternative
 to the default sendmail actions.
 %package sendmail
 Summary: Sendmail actions for Fail2Ban
 Requires: %{name}-server = %{version}-%{release}
 Requires: /usr/sbin/sendmail
 %description sendmail
 This package installs Fail2Ban's sendmail actions.  This is the default
 mail actions for Fail2Ban.
 %if %{with shorewall}
 %package shorewall
 Summary: Shorewall support for Fail2Ban
 Requires: %{name}-server = %{version}-%{release}
 Requires: shorewall
 Conflicts: %{name}-shorewall-lite
 %description shorewall
 This package enables support for manipulating shorewall rules.
 %package shorewall-lite
 Summary: Shorewall lite support for Fail2Ban
 Requires: %{name}-server = %{version}-%{release}
 Requires: shorewall-lite
 Conflicts: %{name}-shorewall
 %description shorewall-lite
 This package enables support for manipulating shorewall rules.
 %endif
 %package systemd
 Summary: Systemd journal configuration for Fail2Ban
 Requires: %{name}-server = %{version}-%{release}
 %description systemd
 This package configures Fail2Ban to use the systemd journal for its log input
 by default.
 %prep
-%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+%setup -q
-%autosetup -p1
+%patch0 -p1 -b .init
-
+%patch1 -p1 -b .sshd
-# Use Fedora paths
+%patch3 -p1 -b .fd_cloexec
-sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf
+%patch6 -p1 -b .log2syslog
-
+%patch7 -p1 -b .fd_cloexec2
 # SELinux sources
 cp -p %SOURCE3 %SOURCE4 %SOURCE5 .
 %if %{defined legacy_var_run}
 sed -i 's|^/run/|/var/run/|' %{name}.fc
 %endif
 # 2to3 has been removed from setuptools and we already use the binary in
 # %%prep.
 sed -i "/use_2to3/d" setup.py
 %generate_buildrequires
 %pyproject_buildrequires
 %build
-%pyproject_wheel
+python setup.py build
 make -f %SOURCE6
 %install
-%pyproject_install
+rm -rf %{buildroot}
-ln -fs python3 %{buildroot}%{_bindir}/fail2ban-python
+python setup.py install -O1 --root %{buildroot}
-mv %{buildroot}%{python3_sitelib}/etc %{buildroot}
+mkdir -p %{buildroot}%{_initdir}
-mv %{buildroot}%{python3_sitelib}/%{_datadir} %{buildroot}%{_datadir}
+install -p -m 755 files/redhat-initd %{buildroot}%{_initdir}/fail2ban
-rmdir %{buildroot}%{python3_sitelib}%{_prefix}
+mkdir -p %{buildroot}%{_mandir}/man1
-
+install -p -m 644 man/fail2ban*.1 %{buildroot}%{_mandir}/man1
 mkdir -p %{buildroot}%{_unitdir}
 # Note that the tests rewrite build/fail2ban.service, but it uses build/ paths before the rewrite
 # so we will do our own modification
 sed -e 's,@BINDIR@,%{_bindir},' files/fail2ban.service.in > %{buildroot}%{_unitdir}/fail2ban.service
 mkdir -p %{buildroot}%{_mandir}/man{1,5}
 install -p -m 644 man/*.1 %{buildroot}%{_mandir}/man1
 install -p -m 644 man/*.5 %{buildroot}%{_mandir}/man5
 mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
-install -p -m 644 files/fail2ban-logrotate %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban
+install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban
-install -d -m 0755 %{buildroot}/run/fail2ban/
+mkdir -p %{buildroot}%{_localstatedir}/run/fail2ban
-install -m 0600 /dev/null %{buildroot}/run/fail2ban/fail2ban.pid
+chmod 0755 %{buildroot}%{_localstatedir}/run/fail2ban
 install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/
 mkdir -p %{buildroot}%{_tmpfilesdir}
 install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/fail2ban.conf
 mkdir -p %{buildroot}%{_sysconfdir}/%{name}/jail.d
-# Remove non-Linux actions
+%clean
-rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf
+rm -rf %{buildroot}
 rm %{buildroot}%{_sysconfdir}/%{name}/action.d/{ipfilter,pf,ufw}.conf
 rm %{buildroot}%{_sysconfdir}/%{name}/action.d/osx-*.conf
-# Remove config files for other distros
+%post
-rm -f %{buildroot}%{_sysconfdir}/fail2ban/paths-{arch,debian,freebsd,opensuse,osx}.conf
+/sbin/chkconfig --add %{name}
-# firewalld configuration
+%preun
-cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-firewalld.conf <<EOF
+if [ $1 = 0 ]; then
-# This file is part of the fail2ban-firewalld package to configure the use of
+  /sbin/service %{name} stop > /dev/null 2>&1
-# the firewalld actions as the default actions.  You can remove this package
+  /sbin/chkconfig --del %{name}
 # (along with the empty fail2ban meta-package) if you do not use firewalld
 [DEFAULT]
 banaction = firewallcmd-rich-rules
 banaction_allports = firewallcmd-rich-rules
 EOF
 # systemd journal configuration
 cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-systemd.conf <<EOF
 # This file is part of the fail2ban-systemd package to configure the use of
 # the systemd journal as the default backend.  You can remove this package
 # (along with the empty fail2ban meta-package) if you do not want to use the
 # journal backend
 [DEFAULT]
 backend=systemd
 EOF
 # Remove installed doc, use doc macro instead
 rm -r %{buildroot}%{_docdir}/%{name}
 # SELinux
 # install policy modules
 install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
 install -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
 #BASH completion
 COMPLETIONDIR=%{buildroot}$(pkg-config --variable=completionsdir bash-completion)
 %__mkdir_p $COMPLETIONDIR
 %__install -p -m 644 files/bash-completion $COMPLETIONDIR/fail2ban
 %check
 %python3 bin/fail2ban-testcases --verbosity=2 --no-network
 %pre selinux
 %selinux_relabel_pre -s %{selinuxtype}
 %post selinux
 %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
 %postun selinux
 if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
 fi
 %posttrans selinux
 %selinux_relabel_post -s %{selinuxtype}
 %post server
 %systemd_post fail2ban.service
 %preun server
 %systemd_preun fail2ban.service
 %postun server
 %systemd_postun_with_restart fail2ban.service
 %files
-
+%defattr(-,root,root,-)
-%files selinux
+%doc README TODO ChangeLog COPYING
-%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+#doc config/fail2ban.conf*
 %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
 %license COPYING
 %files server
 %doc README.md TODO ChangeLog COPYING doc/*.txt
 %{_bindir}/fail2ban-client
 %{_bindir}/fail2ban-python
 %{_bindir}/fail2ban-regex
 %{_bindir}/fail2ban-server
-%{python3_sitelib}/*
+%{_bindir}/fail2ban-client
-%exclude %{python3_sitelib}/fail2ban/tests
+%{_bindir}/fail2ban-regex
-%{_unitdir}/fail2ban.service
+%{_datadir}/fail2ban
-%{_datadir}/bash-completion/
+%{_initdir}/fail2ban
-%{_mandir}/man1/fail2ban.1*
+%{_mandir}/man1/fail2ban-*.1*
-%{_mandir}/man1/fail2ban-client.1*
+%dir %{_sysconfdir}/fail2ban
-%{_mandir}/man1/fail2ban-python.1*
+%dir %{_sysconfdir}/fail2ban/action.d
-%{_mandir}/man1/fail2ban-regex.1*
+%dir %{_sysconfdir}/fail2ban/filter.d
-%{_mandir}/man1/fail2ban-server.1*
+%config(noreplace) %{_sysconfdir}/fail2ban/fail2ban.conf
-%{_mandir}/man5/*.5*
+%config(noreplace) %{_sysconfdir}/fail2ban/jail.conf
-%config(noreplace) %{_sysconfdir}/fail2ban/
+%config(noreplace) %{_sysconfdir}/fail2ban/action.d/*.conf
-%exclude %{_sysconfdir}/fail2ban/action.d/complain.conf
+%config(noreplace) %{_sysconfdir}/fail2ban/filter.d/*.conf
 %exclude %{_sysconfdir}/fail2ban/action.d/hostsdeny.conf
 %exclude %{_sysconfdir}/fail2ban/action.d/mail.conf
 %exclude %{_sysconfdir}/fail2ban/action.d/mail-buffered.conf
 %exclude %{_sysconfdir}/fail2ban/action.d/mail-whois.conf
 %exclude %{_sysconfdir}/fail2ban/action.d/mail-whois-lines.conf
 %exclude %{_sysconfdir}/fail2ban/action.d/sendmail-*.conf
 %exclude %{_sysconfdir}/fail2ban/action.d/shorewall.conf
 %exclude %{_sysconfdir}/fail2ban/jail.d/*.conf
 %config(noreplace) %{_sysconfdir}/logrotate.d/fail2ban
-%{_tmpfilesdir}/fail2ban.conf
+%dir %{_localstatedir}/run/fail2ban
 %dir %{_localstatedir}/lib/fail2ban/
 %dir /run/%{name}/
 %ghost %verify(not size mtime md5) /run/%{name}/%{name}.pid
 %files all
 %files firewalld
 %config(noreplace) %{_sysconfdir}/fail2ban/jail.d/00-firewalld.conf
 %files hostsdeny
 %config(noreplace) %{_sysconfdir}/fail2ban/action.d/hostsdeny.conf
 %files tests
 %{_bindir}/fail2ban-testcases
 %{_mandir}/man1/fail2ban-testcases.1*
 %{python3_sitelib}/fail2ban/tests
 %files mail
 %config(noreplace) %{_sysconfdir}/fail2ban/action.d/complain.conf
 %config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail.conf
 %config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail-buffered.conf
 %config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail-whois.conf
 %config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail-whois-lines.conf
 %files sendmail
 %config(noreplace) %{_sysconfdir}/fail2ban/action.d/sendmail-*.conf
 %if %{with shorewall}
 %files shorewall
 %config(noreplace) %{_sysconfdir}/fail2ban/action.d/shorewall.conf
 %files shorewall-lite
 %config(noreplace) %{_sysconfdir}/fail2ban/action.d/shorewall.conf
 %endif
 %files systemd
 %config(noreplace) %{_sysconfdir}/fail2ban/jail.d/00-systemd.conf
 %changelog
 * Wed Dec 31 2025 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-15
 - Add patch for Dovecot 2.4 jail. Fixes BZ#2426440.
 * Sat Oct 11 2025 Orion Poplawski <orion@nwra.com> - 1.1.0-14
 - Cleanup old conditionals
 * Fri Oct 10 2025 Orion Poplawski <orion@nwra.com> - 1.1.0-13
 - Fix paths in fail2ban.service (rhbz#2399981)
 * Fri Sep 19 2025 Python Maint <python-maint@redhat.com> - 1.1.0-12
 - Rebuilt for Python 3.14.0rc3 bytecode
 * Thu Aug 21 2025 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-11
 - Move from setup.py to wheels per
  https://fedoraproject.org/wiki/Changes/DeprecateSetuppyMacros.
 * Fri Aug 15 2025 Python Maint <python-maint@redhat.com> - 1.1.0-10
 - Rebuilt for Python 3.14.0rc2 bytecode
 * Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-9
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
 * Tue Jun 03 2025 Python Maint <python-maint@redhat.com> - 1.1.0-8
 - Rebuilt for Python 3.14
 * Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
 * Thu Dec 19 2024 Orion Poplawski <orion@nwra.com> - 1.1.0-6
 - Add upstream fix for sshd filter (rhbz#2332945)
 * Wed Oct 16 2024 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-5
 - Add upstream patch for python distutils removal.
 * Sat Sep 28 2024 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-4
 - Add patch to deal with changes to OpenSSL log output.
 * Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
 * Fri Jul 12 2024 Nils Philippsen <nils@tiptoe.de> - 1.1.0-2
 - Use SPDX license identifier
 - Use https upstream URL
 * Wed Jun 12 2024 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-1
 - Update to 1.1.0 for Python 3.13 support.
 * Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 1.0.2-16
 - Rebuilt for Python 3.13
 * Sat May 11 2024 Todd Zullinger <tmz@pobox.com> - 1.0.2-15
 - Handle /var/run->/run transition in older Fedora and EPEL (RHBZ#2279054)
 * Sun May 05 2024 Richard Shaw <hobbes1069@gmail.com> - 1.0.2-14
 - Increment SELinux module version.
 - Tweak selinux regex for /run/fail2ban.
 * Thu Apr 25 2024 Richard Shaw <hobbes1069@gmail.com> - 1.0.2-13
 - Add nftables patch and fix selinux /var/run->/run issue, fixes RHBZ#1850164
  and RHBZ#2272476.
 * Thu Feb 22 2024 Orion Poplawski <orion@nwra.com> - 1.0.2-12
 - Allow watch on more logfiles
 * Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-11
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 * Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-10
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 * Wed Sep 27 2023 Adam Williamson <awilliam@redhat.com> - 1.0.2-9
 - Require pyasynchat and pyasyncore with Python 3.12+
 - Disable smtp tests on F39+ due to removal of smtpd from Python 3.12
 - Disable db repair test on F39+ as it's broken with sqlite 3.42.0+
 * Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
 * Mon Jun 26 2023 Todd Zullinger <tmz@pobox.com> - 1.0.2-7
 - exclude shorewall subpackage on epel9 (rhbz#2217649)
 * Wed Jun 14 2023 Python Maint <python-maint@redhat.com> - 1.0.2-6
 - Rebuilt for Python 3.12
 * Tue Apr 04 2023 Orion Poplawski <orion@nwra.com> - 1.0.2-5
 - Drop downstream python3.11 patch, upstream went with a different fix
 * Sun Apr 02 2023 Todd Zullinger <tmz@pobox.com> - 1.0.2-4
 - verify upstream source signature
 * Thu Mar 30 2023 Orion Poplawski <orion@nwra.com> - 1.0.2-3
 - Add upstream patch to remove warning about allowipv6 (bz#2160781)
 * Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
 * Sat Dec 17 2022 Richard Shaw <hobbes1069@gmail.com> - 1.0.2-1
 - Update to 1.0.2.
 * Wed Nov 02 2022 Richard Shaw <hobbes1069@gmail.com> - 1.0.1-2
 - Add patch for dovecot eating 100% CPU.
 * Sun Oct 02 2022 Richard Shaw <hobbes1069@gmail.com> - 1.0.1-1
 - Update to 1.0.1.
 * Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.2-14
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
 * Wed Jun 15 2022 Python Maint <python-maint@redhat.com> - 0.11.2-13
 - Rebuilt for Python 3.11
 * Wed May 18 2022 Orion Poplawski <orion@nwra.com> - 0.11.2-12
 - Fix SELinux policy to allow watch on var_log_t (bz#2083923)
 * Fri Jan 28 2022 Orion Poplawski <orion@nwra.com> - 0.11.2-11
 - Require /usr/bin/mail instead of mailx
 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.2-10
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 * Sun Sep 26 2021 Mikel Olasagasti Uranga <mikel@olasagasti.info> - 0.11.2-9
 - Fix CVE-2021-32749 RHBZ#1983223
 * Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.2-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
 * Mon Jun 07 2021 Python Maint <python-maint@redhat.com> - 0.11.2-7
 - Rebuilt for Python 3.10
 * Sun Jun 06 2021 Richard Shaw <hobbes1069@gmail.com> - 0.11.2-6
 - Update selinux policy for Fedora 34+
 * Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 0.11.2-5
 - Rebuilt for Python 3.10
 * Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.11.2-4
 - Rebuilt for updated systemd-rpm-macros
  See https://pagure.io/fesco/issue/2583.
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.2-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Wed Jan 06 2021 Richard Shaw <hobbes1069@gmail.com> - 0.11.2-2
 - Add patch to deal with a new century in tests (2021).
 * Tue Nov 24 2020 Richard Shaw <hobbes1069@gmail.com> - 0.11.2-1
 - Update to 0.11.2.
 * Fri Aug 28 2020 Richard Shaw <hobbes1069@gmail.com> - 0.11.1-10.2
 - Create shorewall-lite subpackage package which conflicts with shorewall
  subpackage. Fixes RHBZ#1872759.
 * Tue Jul 28 2020 Richard Shaw <hobbes1069@gmail.com> - 0.11.1-9.2
 - Fix python2 requires for EPEL 7.
 * Mon Jul 27 2020 Richard Shaw <hobbes1069@gmail.com> - 0.11.1-9
 - Add conditonals back for EL 7 as it's being brought up to date.
 - Add patch to deal with nftables not accepting ":" as a port separator.
 * Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.1-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 0.11.1-7
 - Rebuilt for Python 3.9
 * Thu Apr 16 2020 Richard Shaw <hobbes1069@gmail.com> - 0.11.1-6
 - Change default firewalld backend from ipset to rich-rules as ipset causes
  firewalld to use legacy iptables. Fixes RHBZ#1823746.
 - Remove conditionals for EL versions less than 7.
 * Thu Mar 19 2020 Richard Shaw <hobbes1069@gmail.com> - 0.11.1-5
 - Update for Python 3.9.
 * Wed Feb 26 2020 Orion Poplawski <orion@nwra.com> - 0.11.1-4
 - Add SELinux policy
 * Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Tue Jan 21 2020 Orion Poplawski <orion@nwra.com> - 0.11.1-2
 - Move action.d/mail-whois-common.conf into fail2ban-server
 * Tue Jan 14 2020 Orion Poplawski <orion@nwra.com> - 0.11.1-1
 - Update to 0.11.1
 * Tue Jan 14 2020 Orion Poplawski <orion@nwra.com> - 0.10.5-1
 - Update to 0.10.5
 * Thu Nov 21 2019 Orion Poplawski <orion@nwra.com> - 0.10.4-8
 - Define banaction_allports for firewalld, update banaction (bz#1775175)
 - Update sendmail-reject with TLSMTA & MSA port IDs (bz#1722625)
 * Thu Oct 31 2019 Orion Poplawski <orion@nwra.com> - 0.10.4-7
 - Remove config files for other distros (bz#1533113)
 * Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 0.10.4-6
 - Rebuilt for Python 3.8.0rc1 (#1748018)
 * Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.10.4-5
 - Rebuilt for Python 3.8
 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.4-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.4-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Sun Nov 18 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.10.4-2
 - Drop explicit locale setting
  See https://fedoraproject.org/wiki/Changes/Remove_glibc-langpacks-all_from_buildroot
 * Fri Oct 5 2018 Orion Poplawski <orion@nwra.com> - 0.10.4-1
 - Update to 0.10.4
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.3.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Tue Jun 19 2018 Orion Poplawski <orion@nwra.com> - 0.10.3.1-2
 - Remove PartOf ipset.service (bug #1573185)
 * Tue Jun 19 2018 Orion Poplawski <orion@nwra.com> - 0.10.3.1-1
 - Update to 0.10.3.1
 * Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 0.10.2-2
 - Rebuilt for Python 3.7
 * Wed Mar 28 2018 Orion Poplawski <orion@nwra.com> - 0.10.2-1
 - Update to 0.10.2
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.1-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
 * Sat Dec 30 2017 Orion Poplawski <orion@nwra.com> - 0.10.1-3
 - Add upstream patch to fix ipset issue (bug #1525134)
 * Sat Dec 30 2017 Orion Poplawski <orion@nwra.com> - 0.10.1-2
 - Add upstream patch to fix buildroot issue
 * Tue Nov 14 2017 Orion Poplawski <orion@cora.nwra.com> - 0.10.1-1
 - Update to 0.10.1
 * Wed Sep 20 2017 Orion Poplawski <orion@cora.nwra.com> - 0.10.0-1
 - Update to 0.10.0
 * Wed Aug 16 2017 Orion Poplawski <orion@cora.nwra.com> - 0.9.7-4
 - Use BR /usr/bin/2to3
 * Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.7-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
 * Thu Jul 13 2017 Petr Pisar <ppisar@redhat.com> - 0.9.7-2
 - perl dependency renamed to perl-interpreter
  <https://fedoraproject.org/wiki/Changes/perl_Package_to_Install_Core_Modules>
 * Wed Jul 12 2017 Orion Poplawski <orion@cora.nwra.com> - 0.9.7-1
 - Update to 0.9.7
 * Wed Feb 15 2017 Orion Poplawski <orion@cora.nwra.com> - 0.9.6-4
 - Properly handle /run/fail2ban (bug #1422500)
 * Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.6-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
 * Tue Jan 10 2017 Orion Poplawski <orion@cora.nwra.com> - 0.9.6-2
 - Add upstream patch to fix fail2ban-regex with journal
 * Fri Jan 6 2017 Orion Poplawski <orion@cora.nwra.com> - 0.9.6-1
 - Update to 0.9.6
 - Fix sendmail-auth filter (bug #1329919)
 * Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 0.9.5-5
 - Rebuild for Python 3.6
 * Fri Oct 7 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.5-4
 - %%ghost /run/fail2ban
 - Fix typo in shorewall description
 - Move tests to -tests sub-package
 * Mon Oct 3 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.5-3
 - Add journalmatch entries for sendmail (bug #1329919)
 * Mon Oct 3 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.5-2
 - Give up being PartOf iptables to allow firewalld restarts to work
  (bug #1379141)
 * Mon Oct 3 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.5-1
 - Add patch to fix failing test
 * Sun Sep 25 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.5-1
 - Update to 0.9.5
 - Drop mysql patch applied upstream
 * Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.4-6
 - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
 * Tue Apr 5 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.4-5
 - Fix python3 usage (bug #1324113)
 * Sun Mar 27 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.4-4
 - Use %%{_tmpfilesdir} for systemd tmpfile config
 * Wed Mar 9 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.4-3
 - No longer need to add After=firewalld.service (bug #1301910)
 * Wed Mar 9 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.4-2
 - Fix mariadb/mysql log handling
 * Wed Mar 9 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.4-1
 - Update to 0.9.4
 - Use mariadb log path by default
 * Tue Feb 23 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.3-3
 - Use python3 (bug #1282498)
 * Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
 * Sat Sep 12 2015 Orion Poplawski <orion@cora.nwra.com> - 0.9.3-1
 - Update to 0.9.3
 - Cleanup spec, use new python macros
 * Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.2-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
 * Thu Apr 30 2015 Orion Poplawski <orion@cora.nwra.com> - 0.9.2-1
 - Update to 0.9.2
 * Mon Mar 16 2015 Orion Poplawski <orion@cora.nwra.com> - 0.9.1-4
 - Do not load user paths for fail2ban-{client,server} (bug #1202151)
 * Sun Feb 22 2015 Orion Poplawski <orion@cora.nwra.com> - 0.9.1-3
 - Do not use systemd by default
 * Fri Nov 28 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9.1-2
 - Fix php-url-fopen logpath (bug #1169026)
 * Tue Oct 28 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9.1-1
 - Update to 0.9.1
 * Fri Aug 15 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9-8
 - Add patch to fix tests
 * Fri Aug 8 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9-8
 - Fix log paths for some jails (bug #1128152)
 * Mon Jul 21 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9-7
 - Use systemd for EL7
 * Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
 * Thu Mar 20 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9-5
 - Require mailx for /usr/bin/mail
 * Thu Mar 20 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9-4
 - Need empty %%files to produce main and -all package
 * Wed Mar 19 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9-3
 - Split into sub-packages for different components
 - Enable journal filter by default (bug #985567)
 - Enable firewalld action by default (bug #1046816)
 - Add upstream patch to fix setting loglevel in fail2ban.conf
 - Add upstream patches to fix tests in mock, run tests
 * Tue Mar 18 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9-2
 - Use Fedora paths
 - Start after firewalld (bug #1067147)
 * Mon Mar 17 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9-1
 - Update to 0.9
 * Tue Sep 24 2013 Orion Poplawski <orion@cora.nwra.com> - 0.9-0.3.git1f1a561
 - Update to current 0.9 git branch
 - Rebase init patch, drop jail.d and notmp patch applied upstream
 * Fri Aug 9 2013 Orion Poplawski <orion@cora.nwra.com> - 0.9-0.2.gitd529151
 - Ship jail.conf(5) man page
 - Ship empty /etc/fail2ban/jail.d directory
 * Thu Aug 8 2013 Orion Poplawski <orion@cora.nwra.com> - 0.9-0.1.gitd529151
 - Update to 0.9 git branch
 - Rebase patches
 - Require systemd-python for journal support
 * Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.10-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
 * Wed Jun 12 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.10-1
 - Update to 0.8.10 security release
 - Use upstream provided systemd files
 - Drop upstreamed patches, rebase log2syslog and notmp patches
 * Fri Mar 15 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.8-4
 - Use systemd init for Fedora 19+ (bug #883158)
 * Thu Feb 14 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.8-3
 - Add patch from upstream to fix module imports (Bug #892365)
 - Add patch from upstream to UTF-8 characters in syslog (Bug #905097)
 - Drop Requires: tcp_wrappers and shorewall (Bug #781341)
 * Fri Jan 18 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.8-2
 - Add patch to prevent sshd blocks of successful logins for systems that use
  sssd or ldap
 * Mon Dec 17 2012 Orion Poplawski <orion@cora.nwra.com> - 0.8.8-1
 - Update to 0.8.8 (CVE-2012-5642 Bug #887914)
 * Thu Oct 11 2012 Orion Poplawski <orion@cora.nwra.com> - 0.8.7.1-1
 - Update to 0.8.7.1
 - Drop fd_cloexec, pyinotify, and examplemail patches fixed upstream
 - Rebase sshd and notmp patches
 - Use _initddir macro
 * Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.4-29
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
 * Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.4-28
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
 * Sat Apr  9 2011 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.4-27
 - Move tmp files to /var/lib (suggested by Phil Anderson).
 - Enable inotify support (by Jonathan Underwood).
 - Fixes RH bugs #669966, #669965, #551895, #552947, #658849, #656584.
 * Sun Feb 14 2010 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.4-24
 - Patch by Jonathan G. Underwood <jonathan.underwood@gmail.com> to
  cloexec another fd leak.
--- a/fail2ban.te
+++ b/fail2ban.te
@ -1,197 +0,0 @@
 policy_module(fail2ban, 1.5.1)
 ########################################
 #
 # Declarations
 #
 attribute_role fail2ban_client_roles;
 type fail2ban_t;
 type fail2ban_exec_t;
 init_daemon_domain(fail2ban_t, fail2ban_exec_t)
 type fail2ban_initrc_exec_t;
 init_script_file(fail2ban_initrc_exec_t)
 type fail2ban_log_t;
 logging_log_file(fail2ban_log_t)
 type fail2ban_var_lib_t;
 files_type(fail2ban_var_lib_t)
 type fail2ban_var_run_t;
 files_pid_file(fail2ban_var_run_t)
 type fail2ban_tmp_t;
 files_tmp_file(fail2ban_tmp_t)
 type fail2ban_client_t;
 type fail2ban_client_exec_t;
 init_system_domain(fail2ban_client_t, fail2ban_client_exec_t)
 role fail2ban_client_roles types fail2ban_client_t;
 ########################################
 #
 # Server Local policy
 #
 allow fail2ban_t self:capability { dac_read_search sys_tty_config };
 allow fail2ban_t self:process { getpgid setsched signal };
 allow fail2ban_t self:fifo_file rw_fifo_file_perms;
 allow fail2ban_t self:unix_stream_socket { accept connectto listen };
 allow fail2ban_t self:tcp_socket { accept listen };
 allow fail2ban_t self:netlink_netfilter_socket create_socket_perms;
 read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
 append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
 manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
 manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
 exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
 files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file })
 manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
 manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
 manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
 manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
 manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
 files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file)
 kernel_read_system_state(fail2ban_t)
 kernel_read_network_state(fail2ban_t)
 kernel_read_net_sysctls(fail2ban_t)
 corecmd_exec_bin(fail2ban_t)
 corecmd_exec_shell(fail2ban_t)
 corenet_all_recvfrom_netlabel(fail2ban_t)
 corenet_tcp_sendrecv_generic_if(fail2ban_t)
 corenet_tcp_sendrecv_generic_node(fail2ban_t)
 corenet_sendrecv_whois_client_packets(fail2ban_t)
 corenet_tcp_connect_whois_port(fail2ban_t)
 corenet_tcp_sendrecv_whois_port(fail2ban_t)
 dev_read_urand(fail2ban_t)
 dev_read_sysfs(fail2ban_t)
 domain_use_interactive_fds(fail2ban_t)
 domain_dontaudit_read_all_domains_state(fail2ban_t)
 files_read_etc_runtime_files(fail2ban_t)
 files_list_var(fail2ban_t)
 files_dontaudit_list_tmp(fail2ban_t)
 fs_getattr_all_fs(fail2ban_t)
 auth_use_nsswitch(fail2ban_t)
 logging_read_all_logs(fail2ban_t)
 logging_read_audit_log(fail2ban_t)
 logging_send_syslog_msg(fail2ban_t)
 logging_read_syslog_pid(fail2ban_t)
 logging_dontaudit_search_audit_logs(fail2ban_t)
 logging_mmap_generic_logs(fail2ban_t)
 logging_mmap_journal(fail2ban_t)
 # Not in EL9 yet
 #logging_watch_audit_log_files(fail2ban_t)
 logging_watch_all_log_files(fail2ban_t)
 logging_watch_all_log_dirs(fail2ban_t)
 logging_watch_audit_log_files(fail2ban_t)
 logging_watch_audit_log_dirs(fail2ban_t)
 logging_watch_journal_dir(fail2ban_t)
 mta_send_mail(fail2ban_t)
 sysnet_manage_config(fail2ban_t)
 optional_policy(`
 	apache_read_log(fail2ban_t)
 ')
 optional_policy(`
 	dbus_system_bus_client(fail2ban_t)
 	dbus_connect_system_bus(fail2ban_t)
 	optional_policy(`
 		firewalld_dbus_chat(fail2ban_t)
 	')
 ')
 optional_policy(`
 	ftp_read_log(fail2ban_t)
 ')
 optional_policy(`
 	gnome_dontaudit_search_config(fail2ban_t)
 ')
 optional_policy(`
 	iptables_domtrans(fail2ban_t)
 ')
 optional_policy(`
 	allow fail2ban_t self:capability sys_resource;
 	allow fail2ban_t self:process setrlimit;
 	journalctl_exec(fail2ban_t)
 ')
 optional_policy(`
 	libs_exec_ldconfig(fail2ban_t)
 ')
 optional_policy(`
 	rpm_exec(fail2ban_t)
 ')
 optional_policy(`
 	shorewall_domtrans(fail2ban_t)
 ')
 ########################################
 #
 # Client Local policy
 #
 allow fail2ban_client_t self:capability { dac_read_search  };
 allow fail2ban_client_t self:unix_stream_socket { create connect write read };
 domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
 allow fail2ban_client_t fail2ban_t:process { rlimitinh };
 dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;
 allow fail2ban_client_t fail2ban_var_run_t:dir write;
 stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
 kernel_read_system_state(fail2ban_client_t)
 corecmd_exec_bin(fail2ban_client_t)
 dev_read_urand(fail2ban_client_t)
 dev_read_rand(fail2ban_client_t)
 domain_use_interactive_fds(fail2ban_client_t)
 files_search_pids(fail2ban_client_t)
 auth_use_nsswitch(fail2ban_client_t)
 libs_exec_ldconfig(fail2ban_client_t)
 logging_getattr_all_logs(fail2ban_client_t)
 logging_search_all_logs(fail2ban_client_t)
 logging_read_audit_log(fail2ban_client_t)
 userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
 userdom_use_user_terminals(fail2ban_client_t)
 optional_policy(`
    apache_read_log(fail2ban_client_t)
 ')
--- a/gpgkey-8738559E26F671DF9E2C6D9E683BF1BEBD0A882C.asc
+++ b/gpgkey-8738559E26F671DF9E2C6D9E683BF1BEBD0A882C.asc
@ -1,29 +0,0 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQENBFeHbzIBCACWgr54J4t2fpI7EIrMTqso5kqPRTSY7eO2T0965JW6Zl4C0HZT
 Wz+9c5aGlKeotf4Fv7zOhpUwULFSGAq3tVbxAxW9++LAXPGad6uE4aPsXoQ6+0RV
 lJozNclURRal46vz3uuGLiSJ5+VQ1WD1sFLuw2/bMzE4GFR0z4w4UOc3ufAQ3obC
 i5szSy5JWtCsmvCdNlhXTxa66aUddN8/8IHJSB6QZabGEcG4WfsfhUiH38KUuqrO
 hYvT9ROY74pwSsHuWEzVRE00eJB4uxngsKHAGMYhkNxdKCG7Blu2IbJRcBE8QAs3
 BGqJR8FBify86COZYUZ7CuAyLyo1U6BZd7ohABEBAAG0KVNlcmcgRy4gQnJlc3Rl
 ciAoc2VicmVzKSA8aW5mb0BzZWJyZXMuZGU+iQE4BBMBAgAiBQJXh28yAhsDBgsJ
 CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBoO/G+vQqILMThB/0YUr7Y+urJChgm
 NG9exjjmTayoNb+XiMR5T2+A919NrKulEaH2mb51B7XBmFuCj8x5O1wA3xYo7B6h
 RVuNyb2eI3+bRD33QsKcs6NsgK/I1xLD15NrEftPckWqYypR6//u9Tmz5o9n9+/n
 2dH7SU7UPW468/bRUhFp+SQ70B0XLdyDgGLEN9TNsAvnEi30Vtjbia4Lp/NXYRkq
 GEzvpgZ7Dt9YhT+qdSs6AwyN0ZhnvX+zqXi+Q18xlbnuq2ZZkwK8Es/HdEDu2HNJ
 3nn3l15pyMe/OxYhg646NcqGR6j1rEZ7jXyN2i5sEdspXfwv0lGtLr7ANElWqOvX
 XYBAspRvuQENBFeHbzIBCACyCMv4CQ+blzj53ZLPyBMnj38oQ7bbpAtDThfB8hEZ
 uk6Kmo799Zo2rLG2iqvy8SEuN/bLQKyzFTiB4UYWvRxne792N0nWLU24/bd7j/Gh
 Q4EHUhs38WRSYtu93XCKzvyzn5s3504luOBF6czNrLeDfWXGVGosBsBoASY7de7a
 kiXb7a28dNDSG0JaR+QwONjmde9hAzqOX0iOYHvJeu68UKaUp4IrJ+nTMHFhwUbf
 awCmz+NPPrm360j4BuvYSWhS06tM7c6+gfvXHOTtJ5TEGbrm+I8d2q7nhxg3nku6
 7qnddkW2OS8EQVlw7XFox929mTLzw0MEmjqmSRTx2Qk3ABEBAAGJAR8EGAECAAkF
 AleHbzICGwwACgkQaDvxvr0KiCwdxQf7BM7jo6v7uU7324ZkLQmtZndcXnXZMbSw
 2pDzR2h01Vx7dHppzNOkyv8DvUWttwaMaTU57cdzThTkQPk8Lx8sCvi40RmWS2vs
 IArgTS1HNStprPUg4sk99JOZg2y4LBqkLUxZveDsH+rXdFA/fp8048/M4ss6qj4O
 ySe4crABbbv5yRADBJZt4LQdFoNGEpSaOtcxJmwJ7hrV+wQhVMm9m+/JpgzNT4rb
 muPgveqzmSiTGJ6Yy2bEKyY0dCyPuWbWWPt4mCcT+9emZC1O8EjST0i9f9EUUU6c
 6UCy7zi5EQ9CVv1Dlz1qefm/5/iFAAFQ5DtYC3cwDq8CqgqzoHMtNg==
 =vqSW
 -----END PGP PUBLIC KEY BLOCK-----
--- a/3
+++ b/3
@ -1 +1,2 @@
-SHA512 (fail2ban-1.1.0.tar.gz) = 9bff7b9c41e58a953901800468e5c4153c9db6af01c7eb18111ad8620b40d03a0771020472fb759b2809d250e2bb45471e6c7e8283e72ea48290ecf7bf921821
+76b4d0e69ad808950b8353c6fcf93615  fail2ban-FAIL2BAN-0_8.tar.bz2
 df94335a5d12b4750869e5fe350073fa  fail2ban-0.8.4.tar.bz2
		`@ -0,0 +1,2 @@`
							`fail2ban-FAIL2BAN-0_8.tar.bz2`
							`fail2ban-0.8.4.tar.bz2`
`@ -1 +1,2 @@`
	`SHA512 (fail2ban-1.1.0.tar.gz) = 9bff7b9c41e58a953901800468e5c4153c9db6af01c7eb18111ad8620b40d03a0771020472fb759b2809d250e2bb45471e6c7e8283e72ea48290ecf7bf921821`	`76b4d0e69ad808950b8353c6fcf93615 fail2ban-FAIL2BAN-0_8.tar.bz2`
		`df94335a5d12b4750869e5fe350073fa fail2ban-0.8.4.tar.bz2`