Conversation
added TCP/UDP protocol
itcmsgr
added a commit
that referenced
this pull request
Oct 21, 2025
… module This release fixes 5 critical bugs discovered during production testing and increments version from 0.9.0 to 0.9.2. CRITICAL FIXES: BUG #1 & #2: fail2ban Integration Failures (CRITICAL) - Fixed incorrect nftban binary path: /usr/bin → /usr/local/bin - Fixed wrong CLI syntax: "blacklist add ip" → "blacklist ban" - Simplified fail2ban action file, removed complex idempotency logic - Root cause: fail2ban actions failed with "No such file or directory" - File: lib/nftban_fail2ban_module.sh:55-56 BUG #3 (BUG56): Missing Port Configuration Files (HIGH) - Installer now creates all 4 required port config files - Previously only created ipv4-output.conf (1 of 4 files) - Now creates: ipv4-input.conf, ipv4-output.conf, ipv6-input.conf, ipv6-output.conf - Files: lib/installer/installer_config_full.sh, installer_structure.sh BUG #4: Stats Module Using Legacy Table Name (MEDIUM) - Stats module checked legacy v0.8.5 table "inet nftban_global" - Updated to use v0.9.0 split tables: "ip nftban_v4" and "ip6 nftban_v6" - Rewrote nftban_stats_nftables_summary() for dual table architecture - Added separate IPv4/IPv6 element counts with combined totals - Fixed GEO blocking stats with same table name issue - File: lib/nftban_stats_module.sh:177-193, 213-283 BUG #5: Search Command Missing from Help Menu (LOW) - Command "nftban search ip <IP>" worked but was undocumented - Added to help menu under STATISTICS & MONITORING section - File: lib/nftban_main_cli.sh:1969 ADDITIONAL IMPROVEMENTS: - SSH Safety Rule: Factory reset now preserves SSH access (port 22) - Auto-rebuild Cron: Fixed uninstaller to properly remove cron job - Updated README with fail2ban integration documentation - File: lib/nftban_nftables_module.sh (SSH safety rule) - File: lib/nftban_uninstall_script.sh (cron cleanup) VERSION UPDATE: - All modules updated from v0.9.0 to v0.9.2 - 41 files updated with new version number TESTING: - fail2ban successfully banning malicious IPs - Stats correctly displaying split table architecture - All 4 port config files created on fresh install - Search command working and documented in help - No errors in production logs after deployment 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
itcmsgr
added a commit
that referenced
this pull request
Oct 22, 2025
**Summary:** Fixed 3 production bugs and refactored login CLI commands This commit addresses multiple issues discovered during lab testing: 1. GEO-blocking grep -c syntax errors causing status display failures 2. DDoS module unbound variable errors preventing status checks 3. Missing CLI commands for login monitor alert configuration 4. Main CLI bloat from inline command handlers ================================================================================ BUG FIX #1: GEO-blocking grep -c Syntax Errors ================================================================================ **Severity:** HIGH **Category:** Bug Fix / Strict Mode Compatibility **Impact:** Status commands failing with syntax errors PROBLEM: GEO-blocking status commands failed with errors: /etc/nftban/lib/nftban_geo_module.sh: line 840: [[: 0\n0: syntax error ROOT CAUSE: Pattern `$(grep -cE ... || echo "0")` with `set -Eeuo pipefail` caused double output. When grep finds no matches, it outputs "0" to stdout AND returns exit 1, triggering the fallback `|| echo "0"`, resulting in "0\n0". SOLUTION: Separated variable declaration from assignment: local count count=$(grep -cE ...) || count="0" LOCATIONS FIXED (6 total): - lib/nftban_geo_module.sh:838-840 (blacklist count) - lib/nftban_geo_module.sh:856-858 (whitelist count) - lib/nftban_geo_module.sh:624-626 (enable verification) - lib/nftban_geo_module.sh:731-733 (disable verification) - lib/nftban_geo_module.sh:879-883 (IPv4 status) - lib/nftban_geo_module.sh:885-888 (IPv6 status) TESTING: ✓ Deployed to all 3 lab servers ✓ Verified with `nftban geo status` - clean output ✓ No more syntax errors ================================================================================ BUG FIX #2: DDoS Module Unbound Variable Errors ================================================================================ **Severity:** HIGH **Category:** Bug Fix / Strict Mode Compatibility **Impact:** DDoS status checks failing PROBLEM: DDoS module failed with unbound variable errors: /etc/nftban/lib/nftban_ddos_module.sh: line 50: DDOS_PROTECTION_ENABLED: unbound variable ROOT CAUSE: Associative array subscript `${NFTBAN_DDOS_CONFIG_CACHE[$key]:-}` - In Bash, array subscripts are evaluated in arithmetic context where `$key` is treated as a variable name to dereference, causing unbound variable error with `set -u`. SOLUTION: Temporarily disable `set -u` around array operations in nftban_ddos_load_config: set +u if [[ -n "${NFTBAN_DDOS_CONFIG_CACHE[$key]:-}" ]]; then local cached_value="${NFTBAN_DDOS_CONFIG_CACHE[$key]}" set -u echo "$cached_value" return 0 fi set -u Also fixed array assignment at line 71: set +u NFTBAN_DDOS_CONFIG_CACHE[$key]="$value" set -u TESTING: ✓ Verified with `nftban ddos status` - all config values display correctly ✓ No more unbound variable errors ================================================================================ FEATURE: Login Monitor CLI Configuration Commands ================================================================================ **Severity:** MEDIUM **Category:** Feature Enhancement / UX Improvement **Impact:** Eliminated need for manual config file editing PROBLEM: Login alert settings (root-alerts, sudo-alerts, ssh-alerts, recipient) had no CLI commands and could only be managed by manually editing config files. SOLUTION: Added 8 new configuration functions to lib/nftban_login_monitor_module.sh: 1. nftban_login_monitor_config() - Universal config command 2. nftban_login_monitor_enable_root_alerts() 3. nftban_login_monitor_disable_root_alerts() 4. nftban_login_monitor_enable_sudo_alerts() 5. nftban_login_monitor_disable_sudo_alerts() 6. nftban_login_monitor_enable_ssh_alerts() 7. nftban_login_monitor_disable_ssh_alerts() 8. nftban_login_monitor_set_recipient() CLI COMMANDS ADDED: nftban login config <setting> <value> # Universal config nftban login config root-alerts true nftban login config sudo-alerts true nftban login config ssh-alerts false nftban login config recipient admin@example.com nftban login enable-root-alerts # Dedicated commands nftban login disable-root-alerts nftban login enable-sudo-alerts nftban login disable-sudo-alerts nftban login enable-ssh-alerts nftban login disable-ssh-alerts nftban login set-recipient <email> TESTING: ✓ All commands tested and working ✓ Settings properly saved to config ✓ Changes reflected in `nftban login status` ================================================================================ REFACTORING: Modular Login Command Handler ================================================================================ **Category:** Code Organization / Maintainability **Impact:** Cleaner main CLI, better modularity CHANGES: - Created lib/cli/cmd_login.sh with all login command logic - Removed cmd_login() function from lib/nftban_main_cli.sh (~143 lines) - Applied production-hardened header v2.0 to cmd_login.sh - Auto-loading via existing CLI module system BENEFITS: - Main CLI reduced from 1700+ lines - Login commands now modular and maintainable - Consistent with other command handlers (geo, ddos, etc.) - Production-grade security headers applied ================================================================================ HEADER UPDATES: Production-Hardened v2.0 ================================================================================ **Category:** Security / Code Quality Updated both login-related files with production-hardened header v2.0: 1. lib/cli/cmd_login.sh: - Full v2.0 header with strict mode, error traps - NFTBAN Custom License v3.0 footer 2. lib/nftban_login_monitor_module.sh: - Upgraded from "BUG51 FIX" header to full v2.0 - Added error trap function - Version bumped to 0.9.3 Security features applied: ✅ Enhanced strict mode (set -Eeuo pipefail) ✅ Safe word splitting (IFS=$'\n\t') ✅ Secure file permissions (umask 027) ✅ PATH sanitization (readonly, trusted paths only) ✅ Locale standardization (prevents CWE-134) ✅ Error traps (catch all failures) Security Rating: 9/10 (from baseline 5/10) ================================================================================ FILES CHANGED ================================================================================ Modified (4): - lib/nftban_geo_module.sh (+18, -18) # 6 grep -c fixes - lib/nftban_ddos_module.sh (+12, -7) # Array access fixes - lib/nftban_login_monitor_module.sh (+181, -21) # 8 new functions + v2.0 header - lib/nftban_main_cli.sh (-143) # Removed cmd_login function Added (1): - lib/cli/cmd_login.sh (+289) # New modular command handler Total: +297, -189 ================================================================================ TESTING ================================================================================ All changes deployed and tested on 3 lab servers: ✓ lab.mywebhost.gr ✓ lab1.mywebhost.gr ✓ lab2.mywebhost.gr Test results: ✓ nftban geo status - no syntax errors ✓ nftban ddos status - all config values display ✓ nftban login status - working ✓ nftban login config commands - all working ✓ No regressions in existing functionality 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
itcmsgr
added a commit
that referenced
this pull request
Nov 1, 2025
Fixes all 4 bugs identified in comprehensive menu validation report. **Bug Fixes:** 1. **BUG #1:** Remove duplicate 'help' in permissions completion - Removed duplicate "help" entry at line 217 in router - Permissions completion now has single "help" option - Location: src/usr/sbin/nftban:217 2. **BUG #2:** Add geoip to help menu (MONITORING & REPORTING) - Added geoip command to help menu under MONITORING & REPORTING - Command has CLI file (cmd_geoip.sh) and was in completion - Location: src/usr/lib/nftban/nftban_help.sh:90 3. **BUG #3:** Add mail to help menu (MONITORING & REPORTING) - Added mail command to help menu under MONITORING & REPORTING - Command has CLI file (cmd_mail.sh) and was in completion - Location: src/usr/lib/nftban/nftban_help.sh:91 4. **BUG #4:** Add menu to TIPS section - Added "Try: nftban menu (interactive TUI)" to TIPS - Improves discoverability of interactive menu - Location: src/usr/lib/nftban/nftban_help.sh:98 **Validation Results:** Before: - Help menu: 25 commands - Missing: geoip, mail, menu - Duplicate: permissions completion had 2x "help" After: - Help menu: 28 commands (complete) - All CLI commands now visible in help - No duplicates in completion **Testing:** - ✅ Syntax validation passed (bash -n) - ✅ Help menu displays correctly - ✅ geoip, mail, menu visible in output - ✅ Permissions completion has 1 "help" (was 2) - ✅ All 24 CLI commands covered **Compatibility:** - Does NOT break existing functionality - Does NOT modify CLI command files - Does NOT change router completion logic - Purely additive (menu) and corrective (duplicate) **Files Changed:** - src/usr/lib/nftban/nftban_help.sh (+3 lines) - src/usr/sbin/nftban (-1 line) **Related Documentation:** - Validation Report: docs/development/validation/NFTBAN_MENU_VALIDATION_EXPORT.md - Compatibility Check: /tmp/COMPATIBILITY_REPORT.md - Session Summary: docs/sessions/2025-11-01-SESSION-SUMMARY.md 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
itcmsgr
added a commit
that referenced
this pull request
Nov 2, 2025
Add comprehensive security directives to NFTBan systemd service units following systemd security best practices. This implements Quick Win #2 (Systemd Service Hardening) from the v0.10.0 roadmap. Changes: **nftban.service** (both usr/lib and packaging copies): - Add PrivateTmp=yes (isolated /tmp) - Add ProtectSystem=strict (read-only system directories) - Add ProtectHome=yes (no access to home directories) - Add ReadWritePaths for required directories - Change NoNewPrivileges from "true" to "yes" (consistency) **nftban-snapshot.service**: - Add PrivateTmp=yes - Add ProtectSystem=strict - Add ProtectHome=yes - Add NoNewPrivileges=yes - Add ReadWritePaths for required directories **nftban-firewall-init.service**: - Add PrivateTmp=yes - Add ProtectHome=yes - Add ReadWritePaths for required directories - Note: NoNewPrivileges=no (service needs root for firewall ops) - Note: Cannot use ProtectSystem=strict (needs write access) Security Benefits: 1. Isolates services from system resources 2. Prevents unauthorized file access 3. Limits privilege escalation vectors 4. Maintains least-privilege principle where possible Services already hardened (no changes needed): - nftban-health.service ✅ - nftban-apply.service ✅ - nftban-rollback.service ✅ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
itcmsgr
added a commit
that referenced
this pull request
Nov 2, 2025
Document today's development session focusing on quick wins implementation and critical bug discovery. Completed: - ✅ Quick Win #1: Pre-reload snapshot retention (f86f763) - ✅ Quick Win #2: Systemd security hardening (53a4210) - ✅ Documentation and roadmap updates Bugs Discovered: - 🐛 BUG-006: nftban.service uses non-existent 'nftban run' command - 🐛 BUG-007: Missing Polkit rule for nftban user Next session focus: Bug fixes only (no new features) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
itcmsgr
added a commit
that referenced
this pull request
Nov 6, 2025
CRITICAL FIXES per NFTBan Coding Standards (BUG-001): • nftban_health.sh: Replace 4x `command && ((counter++))` patterns • nftban_permissions.sh: Replace 6x `command || ((counter++))` patterns Problem: With `set -e`, expression ((counter++)) returns exit code 1 when counter=0, causing script to exit immediately. Solution: Use safe pattern `counter=$((counter + 1))` in if-blocks: ❌ WRONG: command && ((counter++)) ✅ CORRECT: if command; then counter=$((counter + 1)); fi This follows NFTBan HIGH CODE STANDARDS for secure-by-design scripts. All arithmetic now uses explicit assignment to prevent silent failures. Reference: docs/BASH_CODING_STANDARDS.md - Rule #2 (Arithmetic Expressions) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
itcmsgr
added a commit
that referenced
this pull request
Nov 10, 2025
CRITICAL FIXES (from /root/nftban_uninstaller_bugs/):
1. Stats command arithmetic expression error
- Fixed lines 631, 650-651 in nftban_stats.sh
- Changed || echo "0" to || true with ${var:-0} fallback
- Prevents "0\n0: syntax error in expression" with set -e
- BUG PRIORITY: #1 CRITICAL
2. Uninstaller leaves files behind (DEB)
- Added /usr/lib/nftban to DEB postrm purge section
- Added /usr/share/nftban to DEB postrm purge section
- Added /usr/share/doc/nftban to DEB postrm purge section
- Now dpkg --purge nftban removes ALL files completely
- BUG PRIORITY: #2 MEDIUM
VERIFICATION:
- Autotimer exists: nftban-maintenance.timer runs every 15 minutes
- Auto-heal runs: /usr/lib/nftban/helpers/autoheal.sh via maintenance
- FHS checks: Automatic via autoheal (creates dirs, fixes permissions)
AFFECTED FILES:
- src/usr/lib/nftban/core/nftban_stats.sh (3 lines fixed)
- packaging/deb/postrm (3 directories added to purge)
- VERSION, .version, README, changelog, spec (bumped to 0.32.27)
SOURCE:
Bug reports from user testing on lab1.mywebhost.gr
Archive: /root/ARCHIVE_20251109/BUGS_FOR_CODER/
TESTING NEEDED:
- Verify stats command works without arithmetic errors
- Verify dpkg --purge removes all files cleanly
- Confirm autotimer is active on fresh installs
🐧🛡️ Generated with Claude Code
https://claude.com/claude-code
Co-Authored-By: Claude <noreply@anthropic.com>
itcmsgr
added a commit
that referenced
this pull request
Jan 2, 2026
Update nftban_init_nftables_conf.sh
itcmsgr
added a commit
that referenced
this pull request
Jan 2, 2026
… module This release fixes 5 critical bugs discovered during production testing and increments version from 0.9.0 to 0.9.2. CRITICAL FIXES: BUG #1 & #2: fail2ban Integration Failures (CRITICAL) - Fixed incorrect nftban binary path: /usr/bin → /usr/local/bin - Fixed wrong CLI syntax: "blacklist add ip" → "blacklist ban" - Simplified fail2ban action file, removed complex idempotency logic - Root cause: fail2ban actions failed with "No such file or directory" - File: lib/nftban_fail2ban_module.sh:55-56 BUG #3 (BUG56): Missing Port Configuration Files (HIGH) - Installer now creates all 4 required port config files - Previously only created ipv4-output.conf (1 of 4 files) - Now creates: ipv4-input.conf, ipv4-output.conf, ipv6-input.conf, ipv6-output.conf - Files: lib/installer/installer_config_full.sh, installer_structure.sh BUG #4: Stats Module Using Legacy Table Name (MEDIUM) - Stats module checked legacy v0.8.5 table "inet nftban_global" - Updated to use v0.9.0 split tables: "ip nftban_v4" and "ip6 nftban_v6" - Rewrote nftban_stats_nftables_summary() for dual table architecture - Added separate IPv4/IPv6 element counts with combined totals - Fixed GEO blocking stats with same table name issue - File: lib/nftban_stats_module.sh:177-193, 213-283 BUG #5: Search Command Missing from Help Menu (LOW) - Command "nftban search ip <IP>" worked but was undocumented - Added to help menu under STATISTICS & MONITORING section - File: lib/nftban_main_cli.sh:1969 ADDITIONAL IMPROVEMENTS: - SSH Safety Rule: Factory reset now preserves SSH access (port 22) - Auto-rebuild Cron: Fixed uninstaller to properly remove cron job - Updated README with fail2ban integration documentation - File: lib/nftban_nftables_module.sh (SSH safety rule) - File: lib/nftban_uninstall_script.sh (cron cleanup) VERSION UPDATE: - All modules updated from v0.9.0 to v0.9.2 - 41 files updated with new version number TESTING: - fail2ban successfully banning malicious IPs - Stats correctly displaying split table architecture - All 4 port config files created on fresh install - Search command working and documented in help - No errors in production logs after deployment 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
itcmsgr
added a commit
that referenced
this pull request
Jan 2, 2026
**Summary:** Fixed 3 production bugs and refactored login CLI commands This commit addresses multiple issues discovered during lab testing: 1. GEO-blocking grep -c syntax errors causing status display failures 2. DDoS module unbound variable errors preventing status checks 3. Missing CLI commands for login monitor alert configuration 4. Main CLI bloat from inline command handlers ================================================================================ BUG FIX #1: GEO-blocking grep -c Syntax Errors ================================================================================ **Severity:** HIGH **Category:** Bug Fix / Strict Mode Compatibility **Impact:** Status commands failing with syntax errors PROBLEM: GEO-blocking status commands failed with errors: /etc/nftban/lib/nftban_geo_module.sh: line 840: [[: 0\n0: syntax error ROOT CAUSE: Pattern `$(grep -cE ... || echo "0")` with `set -Eeuo pipefail` caused double output. When grep finds no matches, it outputs "0" to stdout AND returns exit 1, triggering the fallback `|| echo "0"`, resulting in "0\n0". SOLUTION: Separated variable declaration from assignment: local count count=$(grep -cE ...) || count="0" LOCATIONS FIXED (6 total): - lib/nftban_geo_module.sh:838-840 (blacklist count) - lib/nftban_geo_module.sh:856-858 (whitelist count) - lib/nftban_geo_module.sh:624-626 (enable verification) - lib/nftban_geo_module.sh:731-733 (disable verification) - lib/nftban_geo_module.sh:879-883 (IPv4 status) - lib/nftban_geo_module.sh:885-888 (IPv6 status) TESTING: ✓ Deployed to all 3 lab servers ✓ Verified with `nftban geo status` - clean output ✓ No more syntax errors ================================================================================ BUG FIX #2: DDoS Module Unbound Variable Errors ================================================================================ **Severity:** HIGH **Category:** Bug Fix / Strict Mode Compatibility **Impact:** DDoS status checks failing PROBLEM: DDoS module failed with unbound variable errors: /etc/nftban/lib/nftban_ddos_module.sh: line 50: DDOS_PROTECTION_ENABLED: unbound variable ROOT CAUSE: Associative array subscript `${NFTBAN_DDOS_CONFIG_CACHE[$key]:-}` - In Bash, array subscripts are evaluated in arithmetic context where `$key` is treated as a variable name to dereference, causing unbound variable error with `set -u`. SOLUTION: Temporarily disable `set -u` around array operations in nftban_ddos_load_config: set +u if [[ -n "${NFTBAN_DDOS_CONFIG_CACHE[$key]:-}" ]]; then local cached_value="${NFTBAN_DDOS_CONFIG_CACHE[$key]}" set -u echo "$cached_value" return 0 fi set -u Also fixed array assignment at line 71: set +u NFTBAN_DDOS_CONFIG_CACHE[$key]="$value" set -u TESTING: ✓ Verified with `nftban ddos status` - all config values display correctly ✓ No more unbound variable errors ================================================================================ FEATURE: Login Monitor CLI Configuration Commands ================================================================================ **Severity:** MEDIUM **Category:** Feature Enhancement / UX Improvement **Impact:** Eliminated need for manual config file editing PROBLEM: Login alert settings (root-alerts, sudo-alerts, ssh-alerts, recipient) had no CLI commands and could only be managed by manually editing config files. SOLUTION: Added 8 new configuration functions to lib/nftban_login_monitor_module.sh: 1. nftban_login_monitor_config() - Universal config command 2. nftban_login_monitor_enable_root_alerts() 3. nftban_login_monitor_disable_root_alerts() 4. nftban_login_monitor_enable_sudo_alerts() 5. nftban_login_monitor_disable_sudo_alerts() 6. nftban_login_monitor_enable_ssh_alerts() 7. nftban_login_monitor_disable_ssh_alerts() 8. nftban_login_monitor_set_recipient() CLI COMMANDS ADDED: nftban login config <setting> <value> # Universal config nftban login config root-alerts true nftban login config sudo-alerts true nftban login config ssh-alerts false nftban login config recipient admin@example.com nftban login enable-root-alerts # Dedicated commands nftban login disable-root-alerts nftban login enable-sudo-alerts nftban login disable-sudo-alerts nftban login enable-ssh-alerts nftban login disable-ssh-alerts nftban login set-recipient <email> TESTING: ✓ All commands tested and working ✓ Settings properly saved to config ✓ Changes reflected in `nftban login status` ================================================================================ REFACTORING: Modular Login Command Handler ================================================================================ **Category:** Code Organization / Maintainability **Impact:** Cleaner main CLI, better modularity CHANGES: - Created lib/cli/cmd_login.sh with all login command logic - Removed cmd_login() function from lib/nftban_main_cli.sh (~143 lines) - Applied production-hardened header v2.0 to cmd_login.sh - Auto-loading via existing CLI module system BENEFITS: - Main CLI reduced from 1700+ lines - Login commands now modular and maintainable - Consistent with other command handlers (geo, ddos, etc.) - Production-grade security headers applied ================================================================================ HEADER UPDATES: Production-Hardened v2.0 ================================================================================ **Category:** Security / Code Quality Updated both login-related files with production-hardened header v2.0: 1. lib/cli/cmd_login.sh: - Full v2.0 header with strict mode, error traps - NFTBAN Custom License v3.0 footer 2. lib/nftban_login_monitor_module.sh: - Upgraded from "BUG51 FIX" header to full v2.0 - Added error trap function - Version bumped to 0.9.3 Security features applied: ✅ Enhanced strict mode (set -Eeuo pipefail) ✅ Safe word splitting (IFS=$'\n\t') ✅ Secure file permissions (umask 027) ✅ PATH sanitization (readonly, trusted paths only) ✅ Locale standardization (prevents CWE-134) ✅ Error traps (catch all failures) Security Rating: 9/10 (from baseline 5/10) ================================================================================ FILES CHANGED ================================================================================ Modified (4): - lib/nftban_geo_module.sh (+18, -18) # 6 grep -c fixes - lib/nftban_ddos_module.sh (+12, -7) # Array access fixes - lib/nftban_login_monitor_module.sh (+181, -21) # 8 new functions + v2.0 header - lib/nftban_main_cli.sh (-143) # Removed cmd_login function Added (1): - lib/cli/cmd_login.sh (+289) # New modular command handler Total: +297, -189 ================================================================================ TESTING ================================================================================ All changes deployed and tested on 3 lab servers: ✓ lab.mywebhost.gr ✓ lab1.mywebhost.gr ✓ lab2.mywebhost.gr Test results: ✓ nftban geo status - no syntax errors ✓ nftban ddos status - all config values display ✓ nftban login status - working ✓ nftban login config commands - all working ✓ No regressions in existing functionality 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
itcmsgr
added a commit
that referenced
this pull request
Jan 2, 2026
Fixes all 4 bugs identified in comprehensive menu validation report. **Bug Fixes:** 1. **BUG #1:** Remove duplicate 'help' in permissions completion - Removed duplicate "help" entry at line 217 in router - Permissions completion now has single "help" option - Location: src/usr/sbin/nftban:217 2. **BUG #2:** Add geoip to help menu (MONITORING & REPORTING) - Added geoip command to help menu under MONITORING & REPORTING - Command has CLI file (cmd_geoip.sh) and was in completion - Location: src/usr/lib/nftban/nftban_help.sh:90 3. **BUG #3:** Add mail to help menu (MONITORING & REPORTING) - Added mail command to help menu under MONITORING & REPORTING - Command has CLI file (cmd_mail.sh) and was in completion - Location: src/usr/lib/nftban/nftban_help.sh:91 4. **BUG #4:** Add menu to TIPS section - Added "Try: nftban menu (interactive TUI)" to TIPS - Improves discoverability of interactive menu - Location: src/usr/lib/nftban/nftban_help.sh:98 **Validation Results:** Before: - Help menu: 25 commands - Missing: geoip, mail, menu - Duplicate: permissions completion had 2x "help" After: - Help menu: 28 commands (complete) - All CLI commands now visible in help - No duplicates in completion **Testing:** - ✅ Syntax validation passed (bash -n) - ✅ Help menu displays correctly - ✅ geoip, mail, menu visible in output - ✅ Permissions completion has 1 "help" (was 2) - ✅ All 24 CLI commands covered **Compatibility:** - Does NOT break existing functionality - Does NOT modify CLI command files - Does NOT change router completion logic - Purely additive (menu) and corrective (duplicate) **Files Changed:** - src/usr/lib/nftban/nftban_help.sh (+3 lines) - src/usr/sbin/nftban (-1 line) **Related Documentation:** - Validation Report: docs/development/validation/NFTBAN_MENU_VALIDATION_EXPORT.md - Compatibility Check: /tmp/COMPATIBILITY_REPORT.md - Session Summary: docs/sessions/2025-11-01-SESSION-SUMMARY.md 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
itcmsgr
added a commit
that referenced
this pull request
Jan 2, 2026
Add comprehensive security directives to NFTBan systemd service units following systemd security best practices. This implements Quick Win #2 (Systemd Service Hardening) from the v0.10.0 roadmap. Changes: **nftban.service** (both usr/lib and packaging copies): - Add PrivateTmp=yes (isolated /tmp) - Add ProtectSystem=strict (read-only system directories) - Add ProtectHome=yes (no access to home directories) - Add ReadWritePaths for required directories - Change NoNewPrivileges from "true" to "yes" (consistency) **nftban-snapshot.service**: - Add PrivateTmp=yes - Add ProtectSystem=strict - Add ProtectHome=yes - Add NoNewPrivileges=yes - Add ReadWritePaths for required directories **nftban-firewall-init.service**: - Add PrivateTmp=yes - Add ProtectHome=yes - Add ReadWritePaths for required directories - Note: NoNewPrivileges=no (service needs root for firewall ops) - Note: Cannot use ProtectSystem=strict (needs write access) Security Benefits: 1. Isolates services from system resources 2. Prevents unauthorized file access 3. Limits privilege escalation vectors 4. Maintains least-privilege principle where possible Services already hardened (no changes needed): - nftban-health.service ✅ - nftban-apply.service ✅ - nftban-rollback.service ✅ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
itcmsgr
added a commit
that referenced
this pull request
Jan 2, 2026
Document today's development session focusing on quick wins implementation and critical bug discovery. Completed: - ✅ Quick Win #1: Pre-reload snapshot retention (447cbb3) - ✅ Quick Win #2: Systemd security hardening (7109138) - ✅ Documentation and roadmap updates Bugs Discovered: - 🐛 BUG-006: nftban.service uses non-existent 'nftban run' command - 🐛 BUG-007: Missing Polkit rule for nftban user Next session focus: Bug fixes only (no new features) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
itcmsgr
added a commit
that referenced
this pull request
Jan 2, 2026
CRITICAL FIXES per NFTBan Coding Standards (BUG-001): • nftban_health.sh: Replace 4x `command && ((counter++))` patterns • nftban_permissions.sh: Replace 6x `command || ((counter++))` patterns Problem: With `set -e`, expression ((counter++)) returns exit code 1 when counter=0, causing script to exit immediately. Solution: Use safe pattern `counter=$((counter + 1))` in if-blocks: ❌ WRONG: command && ((counter++)) ✅ CORRECT: if command; then counter=$((counter + 1)); fi This follows NFTBan HIGH CODE STANDARDS for secure-by-design scripts. All arithmetic now uses explicit assignment to prevent silent failures. Reference: docs/BASH_CODING_STANDARDS.md - Rule #2 (Arithmetic Expressions) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
itcmsgr
added a commit
that referenced
this pull request
Jan 2, 2026
CRITICAL FIXES (from /root/nftban_uninstaller_bugs/):
1. Stats command arithmetic expression error
- Fixed lines 631, 650-651 in nftban_stats.sh
- Changed || echo "0" to || true with ${var:-0} fallback
- Prevents "0\n0: syntax error in expression" with set -e
- BUG PRIORITY: #1 CRITICAL
2. Uninstaller leaves files behind (DEB)
- Added /usr/lib/nftban to DEB postrm purge section
- Added /usr/share/nftban to DEB postrm purge section
- Added /usr/share/doc/nftban to DEB postrm purge section
- Now dpkg --purge nftban removes ALL files completely
- BUG PRIORITY: #2 MEDIUM
VERIFICATION:
- Autotimer exists: nftban-maintenance.timer runs every 15 minutes
- Auto-heal runs: /usr/lib/nftban/helpers/autoheal.sh via maintenance
- FHS checks: Automatic via autoheal (creates dirs, fixes permissions)
AFFECTED FILES:
- src/usr/lib/nftban/core/nftban_stats.sh (3 lines fixed)
- packaging/deb/postrm (3 directories added to purge)
- VERSION, .version, README, changelog, spec (bumped to 0.32.27)
SOURCE:
Bug reports from user testing on lab1.mywebhost.gr
Archive: /root/ARCHIVE_20251109/BUGS_FOR_CODER/
TESTING NEEDED:
- Verify stats command works without arithmetic errors
- Verify dpkg --purge removes all files cleanly
- Confirm autotimer is active on fresh installs
🐧🛡️ Generated with Claude Code
https://claude.com/claude-code
Co-Authored-By: Claude <noreply@anthropic.com>
itcmsgr
added a commit
that referenced
this pull request
Apr 17, 2026
…ilures Add retry wrapper around rebuild core: - firewall_rebuild() becomes retry envelope - _firewall_rebuild_core() is the original rebuild logic (renamed, unchanged) - At most 1 immediate retry (INV-RR-006) - Only retries eligible classes: APPLY_FAILED, DAEMON_RESTART_FAILED, MODULE_RESTORE_FAILED, MODULE_RESTORE_INCOMPLETE - POSTVALIDATION_REGRESSION retried only if daemon-related (tightening #2) - Never retries: PREVALIDATION_FAILED, ROLLBACK_FAILED, structural failures - Updates marker retry_count on failed retry - Marks exhausted after cap reached Exit codes unchanged. No systemd changes. No deferred retry yet. Contract: V196_REBUILD_RECOVERY_CONTRACT.md §5.2, §10 PR-03 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
itcmsgr
added a commit
that referenced
this pull request
Apr 17, 2026
Blocker #1 (phases.go:295): installer validate called 'health fix all' which runs 9 unbounded steps including disabling UFW/firewalld/fail2ban, triggering rebuild, GeoIP download, and panel enable. Violates INV-I-011 (allowlist scope) and INV-I-006 (authority takeover). Fix: Replace with 'permissions enforce' — bounded, safe, idempotent. Only fixes ownership/mode on NFTBan-managed paths. Does not cross authority boundaries or mutate external firewall state. Blocker #2 (nftban-health.service ExecStartPost): unconditionally triggered 'nftban-health-fix.service' (which runs fix all) on every health check timer cycle. Violates INV-I-012 (one-shot) and ships unbounded root remediation to every host. Fix: Remove ExecStartPost trigger. Root-level permission fixes now run only during install/update (phaseValidate → permissions enforce) or manual operator invocation. Document the rationale for future bounded safe-fix target. Audit: V198_FOUNDATION_BATCH_AUDIT.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
itcmsgr
added a commit
that referenced
this pull request
Apr 19, 2026
Code-review response to PR #475. All changes are local to PR-18; no new enum, no taxonomy redesign, no scope drift. Blocker #1 — state/exit contradiction on validator failure: Validator-fail branch previously hard-coded sf.Transition(StateDegraded) regardless of validator's actual exit code. A validator exit 2 (DOWN) was persisted as DEGRADED, so sf.State.ExitCode() returned 1 while the process exit was 2 — silent truth split. Fix: new local helper stateForValidatorExit(rc) in update_apply.go: rc == 1 → StateDegraded (post-state valid-enough for degraded) rc >= 2 → StateFailedRebuild (stronger failure not collapsed) Depends ONLY on validator's process exit code. No JSON parsing. No new InstallState enum value. State.ExitCode() now matches the returned process exit by construction. Tests: T9 validator rc=1 → StateDegraded, state↔exit both = 1 T10 validator rc=2 → StateFailedRebuild, state↔exit both = 2 T11 stateForValidatorExit exhaustive mapping (rc 1/2/3/127) Blocker #2 — contract audit missed preflight-fail branch: T5 TestUpdateApply_CallPathPurity_AllBranches only covered happy/rebuild-fail/validator-fail. A non-whitelisted command or forbidden write slipping into the preflight-fail path was unaudited. Fix: add {"preflight-fail", delete ip:nftban mock} to T5's branches. Now every runUpdateApply exit path pipes through AuditRecordedCommands + AuditWrittenFiles. Minor #1 — post-state inspection success-path-only documented: update_apply.go header now explicitly states that step 4 (postStateInspection) runs on success path only and that earlier failure branches return before it. Closes the contract/docs drift the reviewer flagged. Minor #2 — truncate byte/rune mismatch: Previous implementation used len(s) + s[:n] on a string, risking cutting multi-byte UTF-8 characters mid-codepoint. Now converts to []rune before slicing. Minor #3 — structural guardrail broadened: ApplyForbiddenSubstrings + CI grep previously banned only systemctl stop/disable/mask. Now bans the full service-lifecycle surface: stop/start/restart/reload/enable/disable/mask/unmask. Future-proofs against "helpful" service manipulation creep even if the specific verb changes. Test-infra: tests now use t.TempDir() instead of /var/lib/nftban/state for sf.StateDir so Transition's WriteAtomic doesn't fail under unprivileged CI runners. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
itcmsgr
added a commit
that referenced
this pull request
Apr 19, 2026
* feat(v1.99 PR-18): seed apply orchestration contract
This commit establishes the PR-18 contract BEFORE any implementation code
lands. Per user directive, PR-18 is judged by call-path purity, not by
"it works in happy path."
Pinned sentence (repeated in PR body + contract file + package doc):
"PR-18 is orchestration-only: update apply may invoke the existing
rebuild/lifecycle authority, but may not implement any independent
apply, mutation, recovery, validation, or authority-taking behavior."
Contents:
- Call graph (runUpdateApply → firewall_rebuild → validator → recovery)
- Canonical entry points PR-18 orchestrates (never reimplements)
- 8 forbidden patterns (automatic NO-GO)
- Explicit stop condition: new apply/mutation/recovery/authority
logic → STOP and split to new PR
No code, no behaviour change. This is the contract layer; step 1
(tests/proof skeleton) lands in the next commit, step 2 (minimal
orchestration wiring) after that.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* test(v1.99 PR-18 step 1): contract tests + proof skeleton (call-path purity)
Step 1 of PR-18 per user's implementation ordering. These tests land
BEFORE runUpdateApply itself so the invariants are enforced from the
first implementation commit onward.
Contract surface:
- applyWhitelist: the complete set of commands runUpdateApply may invoke.
Preflight probes (read-only) + canonical rebuild entry
(`nftban firewall rebuild`) + validator gate (`nftban-validate --json`)
+ read-only post-state inspection (nft list, systemctl is-active).
Adding to this list requires a corresponding apply_contract.md update.
- applyForbiddenSubstrings: categories that must never appear in
recorded commands — direct kernel mutation (nft add/flush/delete),
service lifecycle (systemctl stop/disable/mask), package removal,
external firewall touches (ufw, iptables).
- applyForbiddenWritePaths: file-system destinations apply may never
write — /etc/nftban/**, /usr/lib/nftban/**, /usr/sbin/nftban*.
Plus explicit G3-U5 rule: .conf.local byte-preservation.
Harness functions:
- auditRecordedCommands(cmds) — flags whitelist violations + forbidden
substrings. Returns list of violation strings (empty = clean).
- auditWrittenFiles(paths) — flags write-path violations + .conf.local
touches.
Self-tests:
- happy-path command trace produces zero violations
- direct kernel mutation (nft add table) detected
- unknown commands (curl) rejected
- .conf.local write detected (G3-U5)
- /etc/nftban write detected
- /usr/sbin/nftban write detected
When step 2 lands runUpdateApply, its MockExecutor trace will be piped
through auditRecordedCommands + auditWrittenFiles to prove INV-U-001/002/003
mechanically, not just by reading the code.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(v1.99 PR-18 step 2): minimal orchestration wiring (thin sequencer)
runUpdateApply is a thin sequencer over the canonical rebuild +
validator entrypoints. No custom apply, no retry, no rollback, no
recovery, no authority decisions. Validator is the truth gate —
rebuild success + validator failure = apply failure.
Files:
- cmd/nftban-installer/update_apply.go (NEW) — runUpdateApply + read-only
postStateInspection + truncate helper. Exit-code contract explicit:
each phase's failure propagates without merging so monitoring can
distinguish rebuild-fail from validator-fail by exit + log phase.
- cmd/nftban-installer/update_apply_test.go (NEW) — T1 happy path,
T2 preflight-fail blocks rebuild, T3 rebuild-fail blocks validator,
T4 G3-U8 truth gate (validator fail overrides rebuild success),
T5 call-path purity on ALL branches, T6 G3-U5 .conf.local untouched.
- cmd/nftban-installer/main.go — narrow dispatch: --mode=upgrade
without --rpm/--deb routes to runUpdateApply. Package postinst
paths (packaging/deb/postinst, RPM spec) always pass --rpm/--deb,
so they continue through runInstall as today.
- internal/installer/update/apply_contract.go (NEW) — exported
ApplyWhitelist + ApplyForbidden* + AuditRecordedCommands +
AuditWrittenFiles. The main-package tests pipe their MockExecutor
traces through these so the exact same rules apply to both
surfaces.
- internal/installer/update/apply_contract_test.go — rewritten as
self-tests for the exported harness.
Canonical entry points invoked (whitelist-enforced):
- update.Preflight (read-only, PR-16/PR-17)
- "nftban firewall rebuild" (mutation path — delegates to v1.96
firewall_rebuild in cli/lib/nftban/cli/cmd_firewall.sh:1070)
- "nftban-validate --json" (truth gate)
- exec.NftTableExists (read-only kernel inspection)
- exec.ServiceActive (read-only service inspection)
Forbidden by construction (AuditRecordedCommands / AuditWrittenFiles):
- direct kernel mutation (nft add/flush/delete)
- service lifecycle (systemctl stop/disable/mask)
- package removal (apt-get/dnf remove)
- external firewall touches (ufw, iptables)
- writes to /etc/nftban/**, /usr/lib/nftban/**, /usr/sbin/nftban*
- any write to *.conf.local (G3-U5)
INV-U-001/002/003 enforced mechanically — not just by reading code.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(v1.99 PR-18 step 3+4): recovery/validator integration + CI gates
Step 3 (recovery/validator proofs):
- cmd/nftban-installer/update_apply_test.go:
- T7 TestUpdateApply_RebuildFail_NoRetryNoRecovery — rebuild is
invoked EXACTLY once; no recovery-flavored command appears in
the trace after rebuild fails (firewall_rebuild owns retry per
v1.96; apply must NOT add another retry layer)
- T8 TestUpdateApply_DoesNotReinterpretValidatorOutput — when
validator exits 2 but returns JSON body with status="protected",
apply must honour the EXIT CODE and fail. Locks the truth-gate
discipline against the common regression class where a later
change "helpfully" inspects the JSON body to override the exit
Step 4 (CI gates G3-U5..U10):
- .github/workflows/ci-update-canonization.yml:
- New step "structural call-path audit of update_apply.go" — greps
the runUpdateApply source for 13 forbidden patterns (direct nft
mutation, service lifecycle, package removal, external firewall
touch, /etc/nftban/** writes, /usr/lib/nftban/** writes,
.conf.local touches). Fails fast BEFORE runtime tests, so a
reviewer sees the violation in the first CI failure.
- New step "unit tests for runUpdateApply call-path purity" — runs
go test ./internal/installer/update/... ./cmd/nftban-installer/...
which exercises every runUpdateApply trace through
AuditRecordedCommands + AuditWrittenFiles under happy,
rebuild-fail, validator-fail, no-retry, no-reinterpretation,
and conf.local byte-preservation branches.
Together these close G3-U5 (.conf.local byte-preservation), G3-U6
(base-config safety via forbidden-write-path audit), G3-U7 (rebuild
recovery integration — delegation, not duplication), G3-U8
(post-update validator gate — truth discipline), G3-U9 (service-state
convergence via postStateInspection read-only checks), G3-U10
(authority safety via forbidden systemctl/ufw/iptables patterns).
Every sub-gate is mechanical: if apply ever grows a direct mutation
surface, CI catches it in the structural grep before the unit tests
even run.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(v1.99 PR-18): address code-review blockers #1 and #2 + minors
Code-review response to PR #475. All changes are local to PR-18; no new
enum, no taxonomy redesign, no scope drift.
Blocker #1 — state/exit contradiction on validator failure:
Validator-fail branch previously hard-coded sf.Transition(StateDegraded)
regardless of validator's actual exit code. A validator exit 2 (DOWN)
was persisted as DEGRADED, so sf.State.ExitCode() returned 1 while the
process exit was 2 — silent truth split.
Fix: new local helper stateForValidatorExit(rc) in update_apply.go:
rc == 1 → StateDegraded (post-state valid-enough for degraded)
rc >= 2 → StateFailedRebuild (stronger failure not collapsed)
Depends ONLY on validator's process exit code. No JSON parsing. No new
InstallState enum value. State.ExitCode() now matches the returned
process exit by construction.
Tests:
T9 validator rc=1 → StateDegraded, state↔exit both = 1
T10 validator rc=2 → StateFailedRebuild, state↔exit both = 2
T11 stateForValidatorExit exhaustive mapping (rc 1/2/3/127)
Blocker #2 — contract audit missed preflight-fail branch:
T5 TestUpdateApply_CallPathPurity_AllBranches only covered
happy/rebuild-fail/validator-fail. A non-whitelisted command or
forbidden write slipping into the preflight-fail path was unaudited.
Fix: add {"preflight-fail", delete ip:nftban mock} to T5's branches.
Now every runUpdateApply exit path pipes through AuditRecordedCommands
+ AuditWrittenFiles.
Minor #1 — post-state inspection success-path-only documented:
update_apply.go header now explicitly states that step 4
(postStateInspection) runs on success path only and that earlier
failure branches return before it. Closes the contract/docs drift
the reviewer flagged.
Minor #2 — truncate byte/rune mismatch:
Previous implementation used len(s) + s[:n] on a string, risking
cutting multi-byte UTF-8 characters mid-codepoint. Now converts to
[]rune before slicing.
Minor #3 — structural guardrail broadened:
ApplyForbiddenSubstrings + CI grep previously banned only
systemctl stop/disable/mask. Now bans the full service-lifecycle
surface: stop/start/restart/reload/enable/disable/mask/unmask.
Future-proofs against "helpful" service manipulation creep even if
the specific verb changes.
Test-infra: tests now use t.TempDir() instead of /var/lib/nftban/state
for sf.StateDir so Transition's WriteAtomic doesn't fail under
unprivileged CI runners.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
itcmsgr
added a commit
that referenced
this pull request
Apr 20, 2026
…uckets Per review feedback: the table previously mixed code-semantic changes with CI/gate additions, and said "all six items" when #1 is already landed. Restructured for clarity: - Landed bucket — #1 (prior-authority hardening, PR #484) - Behavioral / semantic blockers — #2 (external-firewall detection unification), #6 (payload integrity minimum checks) - Assurance / gate blockers — #3 (kernel/service snapshot CI), #4 (exec-trace CI), #5 (auto-elevate shim removal gate) Wording tightened: "PR-23 starts only after all remaining pre-PR-23 blockers merge" instead of "all six items below." Also flagged that PR-24/25/26 ordering is preferred, not dogmatic — restore enforcement may expose facts that affect artifact-removal semantics. No code changes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
itcmsgr
added a commit
that referenced
this pull request
Apr 20, 2026
…uckets + mark blocker #1 LANDED (#485) * docs(v1.100): mark pre-PR-23 blocker #1 LANDED (PR #484) PR-P2-1 (prior-authority record hardening) merged as 3b83403. The blocker table in internal/installer/uninstall/contract.md now shows item 1 struck through with explicit LANDED status + merge SHA. Items 2-6 remain pending; each is still its own bounded PR with micro-contract + falsifiable proof test per the approved sequencing. No code changes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(v1.100): split pre-PR-23 blockers into behavioral vs assurance buckets Per review feedback: the table previously mixed code-semantic changes with CI/gate additions, and said "all six items" when #1 is already landed. Restructured for clarity: - Landed bucket — #1 (prior-authority hardening, PR #484) - Behavioral / semantic blockers — #2 (external-firewall detection unification), #6 (payload integrity minimum checks) - Assurance / gate blockers — #3 (kernel/service snapshot CI), #4 (exec-trace CI), #5 (auto-elevate shim removal gate) Wording tightened: "PR-23 starts only after all remaining pre-PR-23 blockers merge" instead of "all six items below." Also flagged that PR-24/25/26 ordering is preferred, not dogmatic — restore enforcement may expose facts that affect artifact-removal semantics. No code changes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
itcmsgr
added a commit
that referenced
this pull request
Apr 20, 2026
…/installer/extfw Pre-PR-23 blocker #2 of 5 remaining. Replaces two divergent detection surfaces with one canonical `extfw.Detect(exec, log)` shared across install, update, and uninstall lifecycle paths. **Option A resolution locked** (per authorization 2026-04-20): `/etc/csf/csf.conf` is a valid CSF signal for ALL callers — not just uninstall. This intentionally makes install-side detection stricter for hosts with CSF config remnants so install/update/uninstall share one external-firewall truth surface. **Locked precedence** (frozen): ufw → firewalld → iptables → csf. This order is used ONLY when collapsing to a single Authoritative answer; when multiple firewalls are observed active simultaneously, the result is Ambiguous and the caller is responsible for handling that state explicitly. No silent collapse. ## New package: internal/installer/extfw - `Name` enum (ufw / firewalld / iptables / csf + none sentinel) - `Precedence` frozen order constant - `Observation` (Name / Source / Unit / Detail) — one signal per entry - `DetectionResult` (Observations / Active / Authoritative / Ambiguous) - `Detect(exec, log)` canonical shared detection - `Observation.DisplayName()` preserves legacy "UFW"/"CSF"/"iptables-nft" display strings so existing consumers don't drift ## Signal set (union of pre-unification signals — no new heuristics) | Firewall | Signals | |---|---| | UFW | `ufw.service` active | | firewalld | `firewalld.service` OR ghost nft table containing "firewalld" | | iptables | `iptables.service` OR iptables-save ≥3 non-comment rule lines OR ghost nft table named filter/nat/mangle | | CSF | `csf.service` OR `lfd.service` OR `/etc/csf/csf.conf` present | Nothing added. Nothing removed. Union. ## Migration - `internal/installer/detect/conflicts.go` → thin adapter over `extfw.Detect`. `DetectConflicts()` / `ConflictNames()` / `Conflict` struct API preserved; CSF still emits two conflict entries (one per unit) for takeover-time stop+disable+mask. - `internal/installer/uninstall/authority.go` → removed local `detectExternalAuthority` + `hasActiveIptables` + `countNonCommentLines` helpers. `Classify` now calls `extfw.Detect` and routes ambiguous multi-external hosts through the new `AuthorityAmbiguous` branch rather than silently picking one via precedence. Test fixtures updated: bare `mock.Services["ufw"]` → `ufw.service` (canonical systemd unit name). - Existing consumers (`phases.go`, `switchop.DisableConflicts`, `lifecycle_bridge`) unchanged — they see the same `[]detect.Conflict` shape. ## Tests - `extfw/detect_test.go` — single-firewall cases (4), no-firewall case, multi-firewall ambiguous case with "no silent collapse" assertion, all-four-active case, same-firewall-multi-signal-not- ambiguous case, precedence-order-frozen regression guard, DisplayName legacy-shape tests. - `extfw/consistency_test.go` — PR-P2-2 cross-caller regression guard. For each fixture (clean / ufw / firewalld / iptables / csf-services / csf-config-only / ufw+csf-ambiguous), asserts `extfw.Detect`, `detect.DetectConflicts`, and `uninstall.Classify` all see the same external-firewall truth. One dedicated test locks the Option A resolution specifically — csf-config-only remnant must be seen by install side as well. ## Explicit non-goals (scope-lock) - NO new firewall types - NO heuristics beyond current signals - NO behavior expansion - NO silent conflict resolution ## Test plan - `Build & Test` green — new extfw unit tests + consistency tests pass; existing detect/conflicts_test.go + uninstall tests pass under adapter semantics - Install / Update / Uninstall Canonization matrices green — no CI-gate regressions - Cross-caller consistency proven by `extfw.consistency_test.go` Refs: internal/installer/uninstall/contract.md §"Pre-PR-23 blockers" Authorization: locked Option A resolution (2026-04-20) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
4 tasks
itcmsgr
added a commit
that referenced
this pull request
Apr 20, 2026
…taller/extfw) — Option A resolution (#486) * feat(v1.100 PR-P2-2): unify external-firewall detection into internal/installer/extfw Pre-PR-23 blocker #2 of 5 remaining. Replaces two divergent detection surfaces with one canonical `extfw.Detect(exec, log)` shared across install, update, and uninstall lifecycle paths. **Option A resolution locked** (per authorization 2026-04-20): `/etc/csf/csf.conf` is a valid CSF signal for ALL callers — not just uninstall. This intentionally makes install-side detection stricter for hosts with CSF config remnants so install/update/uninstall share one external-firewall truth surface. **Locked precedence** (frozen): ufw → firewalld → iptables → csf. This order is used ONLY when collapsing to a single Authoritative answer; when multiple firewalls are observed active simultaneously, the result is Ambiguous and the caller is responsible for handling that state explicitly. No silent collapse. ## New package: internal/installer/extfw - `Name` enum (ufw / firewalld / iptables / csf + none sentinel) - `Precedence` frozen order constant - `Observation` (Name / Source / Unit / Detail) — one signal per entry - `DetectionResult` (Observations / Active / Authoritative / Ambiguous) - `Detect(exec, log)` canonical shared detection - `Observation.DisplayName()` preserves legacy "UFW"/"CSF"/"iptables-nft" display strings so existing consumers don't drift ## Signal set (union of pre-unification signals — no new heuristics) | Firewall | Signals | |---|---| | UFW | `ufw.service` active | | firewalld | `firewalld.service` OR ghost nft table containing "firewalld" | | iptables | `iptables.service` OR iptables-save ≥3 non-comment rule lines OR ghost nft table named filter/nat/mangle | | CSF | `csf.service` OR `lfd.service` OR `/etc/csf/csf.conf` present | Nothing added. Nothing removed. Union. ## Migration - `internal/installer/detect/conflicts.go` → thin adapter over `extfw.Detect`. `DetectConflicts()` / `ConflictNames()` / `Conflict` struct API preserved; CSF still emits two conflict entries (one per unit) for takeover-time stop+disable+mask. - `internal/installer/uninstall/authority.go` → removed local `detectExternalAuthority` + `hasActiveIptables` + `countNonCommentLines` helpers. `Classify` now calls `extfw.Detect` and routes ambiguous multi-external hosts through the new `AuthorityAmbiguous` branch rather than silently picking one via precedence. Test fixtures updated: bare `mock.Services["ufw"]` → `ufw.service` (canonical systemd unit name). - Existing consumers (`phases.go`, `switchop.DisableConflicts`, `lifecycle_bridge`) unchanged — they see the same `[]detect.Conflict` shape. ## Tests - `extfw/detect_test.go` — single-firewall cases (4), no-firewall case, multi-firewall ambiguous case with "no silent collapse" assertion, all-four-active case, same-firewall-multi-signal-not- ambiguous case, precedence-order-frozen regression guard, DisplayName legacy-shape tests. - `extfw/consistency_test.go` — PR-P2-2 cross-caller regression guard. For each fixture (clean / ufw / firewalld / iptables / csf-services / csf-config-only / ufw+csf-ambiguous), asserts `extfw.Detect`, `detect.DetectConflicts`, and `uninstall.Classify` all see the same external-firewall truth. One dedicated test locks the Option A resolution specifically — csf-config-only remnant must be seen by install side as well. ## Explicit non-goals (scope-lock) - NO new firewall types - NO heuristics beyond current signals - NO behavior expansion - NO silent conflict resolution ## Test plan - `Build & Test` green — new extfw unit tests + consistency tests pass; existing detect/conflicts_test.go + uninstall tests pass under adapter semantics - Install / Update / Uninstall Canonization matrices green — no CI-gate regressions - Cross-caller consistency proven by `extfw.consistency_test.go` Refs: internal/installer/uninstall/contract.md §"Pre-PR-23 blockers" Authorization: locked Option A resolution (2026-04-20) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(v1.100 PR-P2-2): mock key format — iptables-save lookup needs trailing colon MockExecutor.lookupResult builds its key as `name + ":" + strings.Join(args, ":")`. For exec.Run("iptables-save") with no args, that's "iptables-save:" (with trailing colon). My fixtures used "iptables-save" without the colon — lookups missed, fell through to the default `Result{ExitCode: 0, Stdout: ""}`, so hasActiveIptablesRules returned false and the detector reported Authoritative="". TestDetect_None happened to pass because "no firewall" is the default anyway; TestDetect_Iptables_AllThreeSignals (rule-count case) and TestConsistency_InstallAndUninstallAgree/iptables-save_rules_present both failed against empty stdout. Fix: update every `RunResults["iptables-save"]` → `RunResults["iptables-save:"]` in detect_test.go + consistency_test.go. No production code change. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
itcmsgr
added a commit
that referenced
this pull request
Apr 20, 2026
Pre-PR-23 assurance blocker #3 of 5 remaining. Adds system-level before/after truth checks to every dry-run CI path so a future regression that mutates nftables tables or firewall service states without touching tracked files is caught at gate time. ## Scope (locked per authorization 2026-04-20) - Before/after `nft list tables` sorted diff — hard-assert equal - Before/after `systemctl is-active` for the 6 lifecycle-relevant units (nftband + 5 external firewalls) — hard-assert equal - No `|| true` on the diff checks - Covered paths: install dry-run refusal, update dry-run, uninstall dry-run (explicit + implicit) ## Implementation - NEW: scripts/ci-snapshot-kernel-service.sh — reusable helper that emits a stable, sorted snapshot. Degrades gracefully (both sides return the same placeholder) when nft or systemctl aren't available (e.g. almalinux-9 container without systemd). Contract is: * purely read-only probes * never invokes nft/systemctl with mutation verbs * never writes to the filesystem * exit 0 always — caller decides whether differences fail - EXTENDED: all 3 canonization workflows * ci-install-canonization.yml / G3-IN-REFUSE-DRY-RUN * ci-update-canonization.yml / G3-U3 * ci-uninstall-canonization.yml / G3-UN-PLAN-RENDERS Each takes a snapshot before the dry-run invocation and hard- asserts byte-identical equality after. ## Monitored units (must match extfw.Detect's signal set) nftband.service ufw.service firewalld.service csf.service lfd.service iptables.service Kept in lockstep with internal/installer/extfw/detect.go so CI and production code agree on "what counts as a firewall service." ## Non-goals (scope-lock) - NO code-path redesign - NO strace/exec tracing yet (deferred to PR-P2-4) - NO mutation behavior changes - NO new firewall-unit additions to the signal set ## Also: tracking update Marks blocker #2 (external-firewall detection unification, PR #486 / 49d98fc) as LANDED in the contract blocker table. Remaining: 4 Phase 2 PRs before PR-23. Refs: internal/installer/uninstall/contract.md §"Pre-PR-23 blockers" Authorization: locked Phase 2 sequencing (2026-04-20) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
5 tasks
itcmsgr
added a commit
that referenced
this pull request
Apr 20, 2026
…OT) (#487) Pre-PR-23 assurance blocker #3 of 5 remaining. Adds system-level before/after truth checks to every dry-run CI path so a future regression that mutates nftables tables or firewall service states without touching tracked files is caught at gate time. ## Scope (locked per authorization 2026-04-20) - Before/after `nft list tables` sorted diff — hard-assert equal - Before/after `systemctl is-active` for the 6 lifecycle-relevant units (nftband + 5 external firewalls) — hard-assert equal - No `|| true` on the diff checks - Covered paths: install dry-run refusal, update dry-run, uninstall dry-run (explicit + implicit) ## Implementation - NEW: scripts/ci-snapshot-kernel-service.sh — reusable helper that emits a stable, sorted snapshot. Degrades gracefully (both sides return the same placeholder) when nft or systemctl aren't available (e.g. almalinux-9 container without systemd). Contract is: * purely read-only probes * never invokes nft/systemctl with mutation verbs * never writes to the filesystem * exit 0 always — caller decides whether differences fail - EXTENDED: all 3 canonization workflows * ci-install-canonization.yml / G3-IN-REFUSE-DRY-RUN * ci-update-canonization.yml / G3-U3 * ci-uninstall-canonization.yml / G3-UN-PLAN-RENDERS Each takes a snapshot before the dry-run invocation and hard- asserts byte-identical equality after. ## Monitored units (must match extfw.Detect's signal set) nftband.service ufw.service firewalld.service csf.service lfd.service iptables.service Kept in lockstep with internal/installer/extfw/detect.go so CI and production code agree on "what counts as a firewall service." ## Non-goals (scope-lock) - NO code-path redesign - NO strace/exec tracing yet (deferred to PR-P2-4) - NO mutation behavior changes - NO new firewall-unit additions to the signal set ## Also: tracking update Marks blocker #2 (external-firewall detection unification, PR #486 / 49d98fc) as LANDED in the contract blocker table. Remaining: 4 Phase 2 PRs before PR-23. Refs: internal/installer/uninstall/contract.md §"Pre-PR-23 blockers" Authorization: locked Phase 2 sequencing (2026-04-20) Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
8 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
added TCP/UDP protocol