From fe5d325c64f0fb945730be2689437c407f7028be Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Thu, 16 Apr 2020 07:26:35 -0500 Subject: [PATCH] Change default firewalld backend from ipset to rich-rules as ipset causes firewalld to use legacy iptables. Fixes RHBZ#1823746. Remove conditionals for EL versions less than 7. --- fail2ban.spec | 51 +++++++++++++++++---------------------------------- 1 file changed, 17 insertions(+), 34 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index 0d892ad..22f73c2 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,6 +1,6 @@ Name: fail2ban Version: 0.11.1 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -36,9 +36,7 @@ BuildRequires: /usr/bin/2to3 BuildRequires: python3-inotify BuildRequires: sqlite BuildArch: noarch -%if 0%{?fedora} || 0%{?rhel} >= 7 BuildRequires: systemd -%endif BuildRequires: selinux-policy-devel # Default components Requires: %{name}-firewalld = %{version}-%{release} @@ -75,17 +73,10 @@ SELinux policies for Fail2Ban. %package server Summary: Core server component for Fail2Ban -%if 0%{?fedora} || 0%{?rhel} >= 7 Requires: python3-systemd Requires(post): systemd Requires(preun): systemd Requires(postun): systemd -%else -Requires: initscripts -Requires(post): /sbin/chkconfig -Requires(preun): /sbin/chkconfig -Requires(preun): /sbin/service -%endif Requires: ipset Requires: iptables Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) @@ -185,13 +176,16 @@ by default. %prep %autosetup -p1 + # Use Fedora paths sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf 2to3 --write --nobackups . find -type f -exec sed -i -e '1s,^#!/usr/bin/python *,#!/usr/bin/python%{python3_version},' {} + + # SELinux sources cp -p %SOURCE1 %SOURCE2 %SOURCE3 . + %build %py3_build make -f %SOURCE4 
@@ -202,13 +196,8 @@ make -f %SOURCE4 # Make symbolic link relative ln -fs python3 %{buildroot}%{_bindir}/fail2ban-python -%if 0%{?fedora} || 0%{?rhel} >= 7 mkdir -p %{buildroot}%{_unitdir} cp -p build/fail2ban.service %{buildroot}%{_unitdir}/ -%else -mkdir -p %{buildroot}%{_initddir} -install -p -m 755 files/redhat-initd %{buildroot}%{_initddir}/fail2ban -%endif mkdir -p %{buildroot}%{_mandir}/man{1,5} install -p -m 644 man/*.1 %{buildroot}%{_mandir}/man1 install -p -m 644 man/*.5 %{buildroot}%{_mandir}/man5 @@ -219,21 +208,25 @@ install -m 0600 /dev/null %{buildroot}/run/fail2ban/fail2ban.pid install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/ mkdir -p %{buildroot}%{_tmpfilesdir} install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/fail2ban.conf + # Remove non-Linux actions rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf rm %{buildroot}%{_sysconfdir}/%{name}/action.d/{ipfilter,pf,ufw}.conf rm %{buildroot}%{_sysconfdir}/%{name}/action.d/osx-*.conf + # Remove config files for other distros rm -f %{buildroot}%{_sysconfdir}/fail2ban/paths-{arch,debian,freebsd,opensuse,osx}.conf + # firewalld configuration cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-firewalld.conf <] -banaction_allports = firewallcmd-ipset[actiontype=] +banaction = firewallcmd-rich-rules[actiontype=] +banaction_allports = firewallcmd-rich-rules[actiontype=] EOF + # systemd journal configuration cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-systemd.conf < %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-systemd.conf <= 7 %systemd_post fail2ban.service -%else -/sbin/chkconfig --add %{name} -%endif %preun server -%if 0%{?fedora} || 0%{?rhel} >= 7 %systemd_preun fail2ban.service -%else -if [ $1 = 0 ]; then - /sbin/service %{name} stop > /dev/null 2>&1 - /sbin/chkconfig --del %{name} -fi -%endif -%if 0%{?fedora} || 0%{?rhel} >= 7 %postun server %systemd_postun_with_restart fail2ban.service -%endif + %files 
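Review bot: The heredoc under `# firewalld configuration` that writes `jail.d/00-firewalld.conf` now sets both `banaction` and `banaction_allports` to `firewallcmd-rich-rules`, but the spec does not say why; the reason is only in the changelog entry. I would add a comment above the heredoc, for example `# rich-rules, not ipset: the ipset action makes firewalld use legacy iptables (RHBZ#1823746)`, so a later packager does not switch back to ipset without knowing the cost. As far as I know the rich-rules action adds one rule per banned address, so hosts with long ban lists may see slower firewalld updates than with a set; that is worth checking before this becomes the default everywhere. The server subpackage also still has `Requires: ipset` and `Requires: iptables` as unchanged context in the `%package server` hunk. If the default action no longer needs them, these hard dependencies may deserve a second look, although other shipped actions could still use them.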
@@ -308,11 +290,7 @@ fi %{_bindir}/fail2ban-server %{python3_sitelib}/* %exclude %{python3_sitelib}/fail2ban/tests -%if 0%{?fedora} || 0%{?rhel} >= 7 %{_unitdir}/fail2ban.service -%else -%{_initddir}/fail2ban -%endif %{_mandir}/man1/fail2ban.1* %{_mandir}/man1/fail2ban-client.1* %{_mandir}/man1/fail2ban-python.1* @@ -366,6 +344,11 @@ fi %changelog +* Thu Apr 16 2020 Richard Shaw - 0.11.1-6 +- Change default firewalld backend from ipset to rich-rules as ipset causes + firewalld to use legacy iptables. Fixes RHBZ#1823746. +- Remove conditionals for EL versions less than 7. + * Thu Mar 19 2020 Richard Shaw - 0.11.1-5 - Update for Python 3.9.