Start implementing ipv6 support

[jaapmarcus]

No description provided.

[jaapmarcus]

get_user_ipv6 sets $ipv6 how ever $ip is still empty

[jaapmarcus]

If $ip is not provided it should get ip from available ips

[jaapmarcus]

Please make sure to add validation for this ...

[asmcc]

For optional parameters too?
I will show, how it is implemented with other checks. But you are right, the [IPTABLES] parameter is very dangerous. Theoretically you can define instead of iptables each other binary or script here.

[asmcc]

These parameters are from standard examples and scripts, proposed by fail2ban

[jaapmarcus]

We need at least prevent users can't be using ' as it can be abused...

format_no_quotes should fix it ...

[asmcc]

No, if I implement it, then not a half solution. I make it completelly. [IPTABLES] is really very dangerous and I will check it double. [FAMILY] can be only 'inet4' or 'inet6', therefore it is very simple to check it. I rename then the variable to a better and unique one, since "family" is very common. [LOCKINGOPT] is deactivated now, since I used it wrong with quotes. But I will activate it in future and check it against '-w', since it can have actually only this option.

[jaapmarcus]

Do we really need iptables / fw_lockingopt option

I don't we will ever want to implement anything other then iptables and it should all be the same..

[jaapmarcus]

Maybe for iptables6 and iptables...

[asmcc]

this locking option (as -w) comes from standard example of fail2ban. Therefore I pass-through it here, like it is defined in standard library of fail2ban. Unfortunatelly it works actually only in case of "add chain". I do not know, why, but that were results of my "printf test" or better to say "echo test" and play with these scripts.
The problem with this additionally option is followed: If you ignore it completelly, may be, that it will be added during call as last argument. In this case you will have iptables="iptables -w" (or something else). Therefore we need a "very last" argument after "last argument" iptables. Then you will have "clean" separation in iptables="iptables" and rest in this "lockingopt".
After it we can decide, if we want to use it, if we call iptables. Actually it is only during "add chain" and I will observe, how it works. I do not know really, why fail2ban use this option. I will read more about it

[asmcc]

You can find this file under /etc/fail2ban/actions.d/iptables.conf
And that is a kind of "library" for calls over this iptables-interface

[asmcc]

# Notes.:  Option was introduced to iptables to prevent multiple instances from
#          running concurrently and causing irratic behavior.  -w was introduced
#          in iptables 1.4.20, so might be absent on older systems
#          See https://github.com/fail2ban/fail2ban/issues/1122
# Values:  STRING
lockingopt = -w

# Option:  iptables
# Notes.:  Actual command to be executed, including common to all calls options
# Values:  STRING
iptables = iptables <lockingopt>


[Init?family=inet6]

# Option:  blocktype (ipv6)
# Note:    This is what the action does with rules. This can be any jump target
#          as per the iptables man page (section 8). Common values are DROP
#          REJECT, REJECT --reject-with icmp6-port-unreachable
# Values:  STRING
blocktype = REJECT --reject-with icmp6-port-unreachable

# Option:  iptables (ipv6)
# Notes.:  Actual command to be executed, including common to all calls options
# Values:  STRING
iptables = ip6tables <lockingopt>