tomMoulard / fail2ban

Traefik plugin on fail2ban middleware
MIT License

Whitelist is broken #30

Closed subdavis closed 3 years ago

subdavis commented 3 years ago

It doesn't seem like anyone has actually used this.

http.Request docs

// RemoteAddr allows HTTP servers and other software to record
// the network address that sent the request, usually for
// logging. This field is not filled in by ReadRequest and
// has no defined format. The HTTP server in this package
// sets RemoteAddr to an "IP:port" address before invoking a
// handler.
// This field is ignored by the HTTP client.

In my logs, I'm seeing:

Fail2Ban_config: 2020/12/29 02:28:13 restricted.go:51: Whitelisted: '192.168.1.1/32'
....
Fail2Ban: 2020/12/29 02:38:47 restricted.go:52: 192.168.1.1:49926 is in blacklist mode

A closer look at your IP parsing would indicate that you didn't read the ParseIP docs

ParseIP parses s as an IP address, returning the result. The string s can be in IPv4 dotted decimal ("192.0.2.1"), IPv6 ("2001:db8::68"), or IPv4-mapped IPv6 ("::ffff:192.0.2.1") form. If s is not a valid textual representation of an IP address, ParseIP returns nil.

This playground confirms

See how you have to net.SplitHostPort(s)?

Your unit tests pass because you aren't using Request.RemoteAddr strings with ports.
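The fix the report is asking for, as an added illustration that is not the plugin's own code: strip the port from RemoteAddr with net.SplitHostPort before calling net.ParseIP, then match the address against the whitelist CIDRs. The function names and the sample whitelist are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// clientIP extracts the IP from an http.Request.RemoteAddr value.
// Go's HTTP server sets RemoteAddr to "IP:port" (e.g. "192.168.1.1:49926"
// or "[2001:db8::68]:443"), so net.ParseIP on the raw string returns nil.
// A bare IP without a port is accepted too, for callers that already stripped it.
func clientIP(remoteAddr string) (net.IP, error) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		// No "host:port" shape: treat the whole string as the host.
		host = strings.Trim(remoteAddr, "[]")
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return nil, fmt.Errorf("invalid remote address %q", remoteAddr)
	}
	return ip, nil
}

// parseCIDRs turns whitelist entries such as "192.168.1.1/32" into networks.
func parseCIDRs(cidrs []string) ([]*net.IPNet, error) {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad whitelist entry %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// isWhitelisted reports whether remoteAddr falls inside any whitelisted network.
// An unparsable address is never whitelisted (fail closed).
func isWhitelisted(remoteAddr string, whitelist []*net.IPNet) bool {
	ip, err := clientIP(remoteAddr)
	if err != nil {
		return false
	}
	for _, n := range whitelist {
		if n.Contains(ip) { // Contains also handles IPv4-mapped IPv6 input
			return true
		}
	}
	return false
}
```

With the whitelist from the log above ("192.168.1.1/32"), the address "192.168.1.1:49926" now matches instead of being pushed into blacklist mode.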

nitra-mfs commented 3 years ago

Hi, we didn't really test this kind of case. We are actually working to add the port support for the whitelist/blacklist. We thought that:

Request.RemoteAddr output is: [ip]

but in fact

Request.RemoteAddr output is: [ip:port]

We will keep you in touch when it is done.

cledavid commented 3 years ago

Hi,

We just released the 0.6.0 version of the fail2ban plugin. You can try this new version with your traefik. Thanks for the wait.

Clement