Bug 378913 - net-analyzer/fail2ban-0.8.4-r3: iptables race condition while adding chains
Summary: net-analyzer/fail2ban-0.8.4-r3: iptables race condition while adding chains
Status: RESOLVED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: All Linux
Importance: Normal normal with 1 vote
Assignee: Markos Chandras (RETIRED)
URL: https://github.com/fail2ban/fail2ban/...
Whiteboard:
Keywords:
Depends on: 392481
Blocks:
Reported: 2011-08-12 13:37 UTC by cilly
Modified: 2011-12-30 10:19 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
fail2ban-0.8.4-iptables_race_condition.patch (fail2ban-0.8.4-iptables_race_condition.patch,364 bytes, patch)
2011-09-14 13:48 UTC, cilly
ebuild to include patch in previous attachment (fail2ban-0.8.4-r3.ebuild,1.94 KB, patch)
2011-09-14 13:48 UTC, cilly

Description cilly 2011-08-12 13:37:03 UTC
While using iptables-1.4.11.1-r2, fail2ban gets errors while adding chains.

This is the expected result with iptables-1.4.10-r1:

Firewall-rules:
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 fail2ban-SASL  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 25,465 
2        0     0 fail2ban-COURIER  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 143,993,110,995 
3       21  1428 fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
4        0     0 fail2ban-APACHE  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 80,443,8080,8081 

With iptables-1.4.11.1-r2 some lines are always missing and fail2ban.log reads:

2011-08-12 15:04:39,687 fail2ban.actions.action: ERROR  iptables -N fail2ban-SSH
iptables -A fail2ban-SSH -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 400
2011-08-12 15:04:39,754 fail2ban.actions.action: ERROR  iptables -N fail2ban-COURIER
iptables -A fail2ban-COURIER -j RETURN
iptables -I INPUT -p tcp -m multiport --dports imap,imaps,pop3,pop3s -j fail2ban-COURIER returned 200
2011-08-12 15:23:58,410 fail2ban.jail   : INFO   Jail 'ssh-iptables' stopped
2011-08-12 15:23:59,441 fail2ban.jail   : INFO   Jail 'apache-auth' stopped
2011-08-12 15:24:00,426 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports imap,imaps,pop3,pop3s -j fail2ban-COURIER
iptables -F fail2ban-COURIER
iptables -X fail2ban-COURIER returned 100

I am not sure what's wrong, but I don't trust iptables-1.4.11.1-r2 anymore, see:

https://bugs.gentoo.org/show_bug.cgi?id=378867
https://bugs.gentoo.org/show_bug.cgi?id=378883
Comment 1 SpanKY gentoo-dev 2011-08-15 02:51:36 UTC
you really should try the latest versions of packages.  like iptables 1.4.12.
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2011-09-03 13:25:04 UTC
Is it possible to add some debugging output to see what errors actually are there? Or... could you try iptables-1.4.12.1 so I could fast stabilize it to fix this error?
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2011-09-09 09:56:52 UTC
Ok I hope this bug is fixed. Anyway we need some information to work with.
Comment 4 cilly 2011-09-14 12:44:52 UTC
This bug isn't fixed in iptables-1.4.12.1. I tested it and there are still some lines missing.
Comment 5 cilly 2011-09-14 12:47:23 UTC
2011-09-14 14:40:48,498 fail2ban.jail   : INFO   Jail 'courier-iptables' stopped
2011-09-14 14:40:49,518 fail2ban.jail   : INFO   Jail 'sasl-iptables' stopped
2011-09-14 14:40:49,530 fail2ban.server : INFO   Exiting Fail2ban
2011-09-14 14:41:07,875 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2011-09-14 14:41:07,879 fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
2011-09-14 14:41:07,884 fail2ban.jail   : INFO   Jail 'ssh-iptables' uses Gamin
2011-09-14 14:41:07,994 fail2ban.filter : INFO   Added logfile = /var/log/secure.log
2011-09-14 14:41:07,999 fail2ban.filter : INFO   Set maxRetry = 3
2011-09-14 14:41:08,014 fail2ban.filter : INFO   Set findtime = 600
2011-09-14 14:41:08,018 fail2ban.actions: INFO   Set banTime = 3600
2011-09-14 14:41:08,352 fail2ban.jail   : INFO   Creating new jail 'apache-auth'
2011-09-14 14:41:08,354 fail2ban.jail   : INFO   Jail 'apache-auth' uses Gamin
2011-09-14 14:41:08,363 fail2ban.filter : INFO   Added logfile = /var/log/apache2/ssl_error_log
2011-09-14 14:41:08,369 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error_log
2011-09-14 14:41:08,373 fail2ban.filter : INFO   Set maxRetry = 3
2011-09-14 14:41:08,388 fail2ban.filter : INFO   Set findtime = 600
2011-09-14 14:41:08,393 fail2ban.actions: INFO   Set banTime = 3600
2011-09-14 14:41:08,501 fail2ban.jail   : INFO   Creating new jail 'sasl-iptables'
2011-09-14 14:41:08,503 fail2ban.jail   : INFO   Jail 'sasl-iptables' uses Gamin
2011-09-14 14:41:08,511 fail2ban.filter : INFO   Added logfile = /var/log/mail/mail.log
2011-09-14 14:41:08,516 fail2ban.filter : INFO   Set maxRetry = 3
2011-09-14 14:41:08,531 fail2ban.filter : INFO   Set findtime = 600
2011-09-14 14:41:08,536 fail2ban.actions: INFO   Set banTime = 3600
2011-09-14 14:41:08,616 fail2ban.jail   : INFO   Creating new jail 'courier-iptables'
2011-09-14 14:41:08,620 fail2ban.jail   : INFO   Jail 'courier-iptables' uses Gamin
2011-09-14 14:41:08,628 fail2ban.filter : INFO   Added logfile = /var/log/mail/mail.log
2011-09-14 14:41:08,633 fail2ban.filter : INFO   Set maxRetry = 3
2011-09-14 14:41:08,648 fail2ban.filter : INFO   Set findtime = 600
2011-09-14 14:41:08,653 fail2ban.actions: INFO   Set banTime = 3600
2011-09-14 14:41:08,732 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
2011-09-14 14:41:08,751 fail2ban.jail   : INFO   Jail 'apache-auth' started
2011-09-14 14:41:08,777 fail2ban.jail   : INFO   Jail 'sasl-iptables' started
2011-09-14 14:41:08,809 fail2ban.jail   : INFO   Jail 'courier-iptables' started
2011-09-14 14:41:08,993 fail2ban.actions.action: ERROR  iptables -N fail2ban-SSH
iptables -A fail2ban-SSH -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 400
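An added example, not part of this bug report and not fail2ban's own code: a small Python audit that parses the multi-line `fail2ban.actions.action: ERROR ... returned N` entries quoted in the description and in comment 5, extracts the chain whose actionstart failed, and cross-checks it against an INPUT listing in the format quoted in the description. The operational point is the fail-open condition behind "some lines are always missing": a jail whose chain was never hooked into INPUT still starts and still logs bans, but none of them reach the packet filter. The sample log and listing below are constructed from the lines quoted in this report (the listing has the SSH rule removed to match the failing run); the function names are assumptions of this example.

```python
import re

# Constructed sample: fail2ban.log lines copied from comment 5 of this report.
# The ERROR entry spans three lines; only the first carries a timestamp.
SAMPLE_LOG = """\
2011-09-14 14:41:08,732 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
2011-09-14 14:41:08,751 fail2ban.jail   : INFO   Jail 'apache-auth' started
2011-09-14 14:41:08,777 fail2ban.jail   : INFO   Jail 'sasl-iptables' started
2011-09-14 14:41:08,809 fail2ban.jail   : INFO   Jail 'courier-iptables' started
2011-09-14 14:41:08,993 fail2ban.actions.action: ERROR  iptables -N fail2ban-SSH
iptables -A fail2ban-SSH -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 400
"""

# Constructed sample: the INPUT listing from the description, minus the
# fail2ban-SSH rule, i.e. the state the reporter sees after the failed start.
SAMPLE_INPUT_CHAIN = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 fail2ban-SASL  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 25,465
2        0     0 fail2ban-COURIER  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 143,993,110,995
3        0     0 fail2ban-APACHE  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 80,443,8080,8081
"""

TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
JAIL_STARTED_RE = re.compile(r"fail2ban\.jail\s*: INFO\s+Jail '([^']+)' started")
RETURNED_RE = re.compile(r"\s+returned (\d+)$")
ERROR_MARK = "fail2ban.actions.action: ERROR"


def parse_records(log_text):
    """Group log lines into records: a timestamped line opens a record, an
    untimestamped line (the rest of a multi-command action) continues the last one."""
    records = []
    for line in log_text.splitlines():
        if TS_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += "\n" + line
    return records


def started_jails(records):
    """Names of jails that fail2ban reports as started, in log order."""
    return [m.group(1) for m in (JAIL_STARTED_RE.search(r) for r in records) if m]


def failed_actions(records):
    """Extract each action ERROR: the command script, its return value and the
    chain it tried to create (-N, actionstart) or delete (-X, actionstop)."""
    failures = []
    for rec in records:
        head, sep, script = rec.partition(ERROR_MARK)
        if not sep:
            continue
        script = script.strip()
        rc = RETURNED_RE.search(script)
        commands = (script[:rc.start()] if rc else script).splitlines()
        start = re.search(r"\s-N (\S+)", script)
        stop = re.search(r"\s-X (\S+)", script)
        if start:
            kind, chain = "start", start.group(1)
        elif stop:
            kind, chain = "stop", stop.group(1)
        else:
            kind, chain = "other", None
        failures.append({
            "timestamp": head[:23],
            "kind": kind,
            "chain": chain,
            "returned": int(rc.group(1)) if rc else None,
            "commands": commands,
        })
    return failures


def input_chain_targets(listing):
    """Targets of the numbered rules in an INPUT listing with line numbers."""
    targets = set()
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) > 3 and fields[0].isdigit():
            targets.add(fields[3])
    return targets


def audit(log_text, listing):
    """Flag jails whose chain creation errored and whose chain is absent from
    INPUT: such a jail is running but every ban it issues is a no-op."""
    records = parse_records(log_text)
    present = input_chain_targets(listing)
    return [
        {"chain": f["chain"], "returned": f["returned"],
         "hooked_into_INPUT": f["chain"] in present}
        for f in failed_actions(records) if f["kind"] == "start"
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, SAMPLE_INPUT_CHAIN):
        print(finding)
```

Run against a live host, the two inputs would come from /var/log/fail2ban.log and from `iptables -L INPUT -n -v --line-numbers`; the check is deliberately read-only, so it can run from a monitoring job and raise an alert instead of trying to repair the chain itself.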
Comment 7 cilly 2011-09-14 13:48:24 UTC
Created attachment 286429 [details, diff]
fail2ban-0.8.4-iptables_race_condition.patch
Comment 8 cilly 2011-09-14 13:48:47 UTC
Created attachment 286431 [details, diff]
ebuild to include patch in previous attachment
Comment 9 cilly 2011-09-14 13:52:30 UTC
@pva: pls assign to fail2ban herd
Comment 10 Peter Volkov (RETIRED) gentoo-dev 2011-09-14 17:17:34 UTC
Uh, fixing race conditions with sleep is a really horrible idea :)
Comment 11 Markos Chandras (RETIRED) gentoo-dev 2011-09-26 11:04:15 UTC
Yes, sleep is not a proper solution to this problem, so this patch won't be applied to the fail2ban package
Comment 12 Markos Chandras (RETIRED) gentoo-dev 2011-11-19 09:23:37 UTC
Could someone please try the $URL and see if this race condition is reproducible?
Comment 13 Markos Chandras (RETIRED) gentoo-dev 2011-12-30 10:19:15 UTC
This should be fixed in 0.8.6