Summary: | net-analyzer/fail2ban systemd iptables-restore.service failed sometimes when fail2ban set ipset to ban IPs | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Ryan Tsien <i> |
Component: | Current packages | Assignee: | Sam James <sam> |
Status: | UNCONFIRMED --- | ||
Severity: | normal | CC: | base-system, mike.fisher128 |
Priority: | Normal | Keywords: | PATCH |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Attachments: | fail2ban.service.in-fix-ordering-iptables.patch |
Description
Ryan Tsien
2022-09-20 07:02:25 UTC
Created attachment 849209 [details, diff]
fail2ban.service.in-fix-ordering-iptables.patch
Does this work?
(In reply to Sam James from comment #1) > Created attachment 849209 [details, diff] [details, diff] > fail2ban.service.in-fix-ordering-iptables.patch > > Does this work? Thanks for your patch! It's not a suitable time for testing due to the server is running, I'm not sure whether the 'After=' configure works on a 'shutdown.target' only service with a 'multi-user.target' service or not. But due to the new 'Before=' configure, the fail2ban service will always be started before the ip[6]tables-restore service, and the f2b-<xxx> ipset will always be created first, so no matter whether the fail2ban service is stopped before the ip[6]tables-store service, there will be no problem. I ran into this today myself. Apologies in advance as I'm still learning the ins and outs of systemd here... I tried applying the suggested changes in the patch to the default fail2ban.service unit, but it ran into circular ordering upon startup so it would drop iptables-restore or fail2ban to break that cycle. However, rather than trying to start fail2ban before iptables, it seems to work better to start iptables first (and stop fail2ban first upon shutdown). Essentially swap around the "Before=" and "After=". In /etc/systemd/system/fail2ban.service.d/override.conf (via systemctl edit fail2ban.service): ---- [Unit] Before=iptables-store.service ip6tables-store.service After=iptables-restore.service ip6tables-restore.service ---- That seems to have done the trick. Several reboots were repeatedly successful. With this ordering, upon shutdown fail2ban stops, removing the iptables rule it inserted at the front of the INPUT chain, then iptables-store saves the remaining rules. Upon startup iptables-restore repopulates the bulk of the rules, then fail2ban starts and inserts itself back in the front of the chain after it creates the ipset. |