George: Thanks for the feedback. Your suggested change did in fact work, but as you observe, it is less efficient than using ipset.
On Fri, 2017-12-15 at 03:29 +0100, Georges Racinet wrote:
> Hi,
>
> As it turns out, I'm typing this on a system recently upgraded to F27,
> so I decided to install f2b and take a look. Thanks for noticing it has
> 0.10 for me ;-)
>
> And long story short, I was initially convinced it'd rather be a remnant
> of something weird on your system, but I reproduce the issue, and I
> think it's a bug in (that version of) f2b's use of ipset with ipv6 (at
> least in firewalld context).
>
> To work around the issue you may simply edit
> /etc/fail2ban/jail.d/00-firewalld.conf, replacing 'firewallcmd-ipset' by
> 'firewallcmd-multiport', it worked for me.
>
> Edit: while checking what the output of 'ipset list' would be for sets
> of IPv6 addresses, I got this in my search results
> https://github.com/fail2ban/fail2ban/issues/1990, which is fixed, and
> looks to be the same bug without ip6tables-restore (optional backend of
> firewalld).
>
> Time for me to see how to use this package with nftables on Fedora…
>
> On 12/13/2017 06:40 PM, Daniel L. Srebnick wrote:
> > I just upgraded Fedora to FC27, which includes the IPv6 capable
> > fail2ban (0.10.0).
> >
> > IPv6 addresses are not being blocked because of an issue when f2b calls
> > ip6tables:
> >
> > Dec 13 12:36:14 myhost.com firewalld[1026]: WARNING:
> > '/usr/sbin/ip6tables-restore --wait=2 -n' failed:
> > Dec 13 12:36:14 myhost.com firewalld[1026]: ERROR: COMMAND_FAILED
>
> It turns out that indeed firewalld uses the lower level
> iptables-apply/restore utilities (a fact I didn't know).
> By turning on firewalld debug log at level >=3, one can see what it
> tried to load with ip6tables-restore:
>
> 2017-12-15 02:31:08 DEBUG1: direct.addRule('ipv6', 'filter', 'INPUT', 0,
> '-p','tcp','-m','multiport','--dports','ssh','-m','set','--match-set','f2b-sshd6','src','-j','REJECT','--reject-with','icmp6-port-unreachable')
> 2017-12-15 02:31:08 DEBUG2: <class 'firewall.core.ipXtables.ip6tables'>: /usr/sbin/ip6tables-restore /run/firewalld/temp.pxn873ip: 146
> 1: *filter
> 2: -I INPUT_direct 1 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd6 src -j REJECT --reject-with icmp6-port-unreachable
> 3: COMMIT
>
> Now I tried the same directly to get a grasp:
>
> $ sudo ip6tables -I INPUT_direct 1 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd6 src -j REJECT --reject-with icmp6-port-unreachable
> ip6tables v1.6.1: The protocol family of set f2b-sshd6 is IPv4, which is not applicable.
>
> And indeed:
>
> $ sudo ipset list
> Name: f2b-sshd6
> Type: hash:ip
> Revision: 4
> Header: family inet hashsize 1024 maxelem 65536 timeout 600
> Size in memory: 88
> References: 0
> Number of entries: 0
> Members:
>
> > Seems to be that the "--wait" parameter is not supported by
> > ip6tables-restore.
>
> It says so, but it behaves like a mere warning.
>
> > Regards,
> >
> > _______________________________________________
> > Fail2ban-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
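The failure Georges traces above is a family mismatch: the set was created as `family inet` (IPv4) while the rule referencing it is loaded through ip6tables, so ip6tables-restore rejects the whole batch and the ban silently never lands. That mismatch can be detected from `ipset list` output before a rule load fails. The script below is an added example and is not fail2ban's, firewalld's or ipset's own code; it parses `ipset list` output (the f2b-sshd6 set exactly as quoted in the thread, plus a constructed, correctly created `inet6` set named f2b-example6 for contrast), pulls every `--match-set` reference out of the rules fail2ban hands to firewalld, and reports any set whose family does not match the tool (iptables needs `inet`, ip6tables needs `inet6`).

```python
"""Detect ipsets whose address family does not match the iptables flavour
that references them (the f2b-sshd6 / ip6tables mismatch from the thread)."""
import shlex

# Constructed sample input: the `ipset list` output quoted in the thread,
# followed by an invented set that was created correctly for IPv6.
SAMPLE_IPSET_LIST = """\
Name: f2b-sshd6
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 88
References: 0
Number of entries: 0
Members:

Name: f2b-example6
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536 timeout 600
Size in memory: 1328
References: 1
Number of entries: 1
Members:
2001:db8::1 timeout 540
"""

# Constructed sample rules as (tool, rule) pairs; the first is the exact rule
# firewalld's debug log shows it trying to load through ip6tables-restore.
SAMPLE_RULES = [
    ("ip6tables", "-I INPUT_direct 1 -p tcp -m multiport --dports ssh -m set "
                  "--match-set f2b-sshd6 src -j REJECT --reject-with icmp6-port-unreachable"),
    ("ip6tables", "-I INPUT_direct 1 -p tcp -m multiport --dports ssh -m set "
                  "--match-set f2b-example6 src -j REJECT --reject-with icmp6-port-unreachable"),
]

# Address family a set must have to be usable from each iptables flavour.
FAMILY_FOR_TOOL = {"iptables": "inet", "ip6tables": "inet6"}


def parse_ipset_list(text):
    """Parse `ipset list` output into {name: {"type", "family", "members"}}."""
    sets = {}
    current = None
    in_members = False
    for line in text.splitlines():
        if line.startswith("Name: "):
            current = line[len("Name: "):].strip()
            sets[current] = {"type": None, "family": None, "members": []}
            in_members = False
        elif current is None or not line.strip():
            in_members = False          # blank line ends a set's member block
        elif in_members:
            sets[current]["members"].append(line.split()[0])   # drop "timeout N" etc.
        elif line.startswith("Type: "):
            sets[current]["type"] = line[len("Type: "):].strip()
        elif line.startswith("Header: "):
            # Header is a flat token list; the family is the token after "family".
            tokens = line[len("Header: "):].split()
            if "family" in tokens and tokens.index("family") + 1 < len(tokens):
                sets[current]["family"] = tokens[tokens.index("family") + 1]
        elif line.startswith("Members:"):
            in_members = True
    return sets


def match_set_names(rule):
    """Return the set names referenced by `-m set --match-set NAME ...` in a rule."""
    tokens = shlex.split(rule)
    return [tokens[i + 1] for i, tok in enumerate(tokens[:-1]) if tok == "--match-set"]


def find_family_mismatches(sets, rules):
    """Return one message per rule whose referenced set is missing or has the
    wrong family; an empty list means every rule can be loaded by its tool."""
    problems = []
    for tool, rule in rules:
        want = FAMILY_FOR_TOOL[tool]
        for name in match_set_names(rule):
            info = sets.get(name)
            if info is None:
                problems.append(f"{tool}: set {name} does not exist")
            elif info["family"] != want:
                problems.append(
                    f"{tool}: set {name} has family {info['family']}, needs {want} "
                    f"(it must be created with 'family {want}' to be usable from {tool})")
    return problems


if __name__ == "__main__":
    for problem in find_family_mismatches(parse_ipset_list(SAMPLE_IPSET_LIST), SAMPLE_RULES):
        print(problem)
```

Run on a live host by feeding it the real `ipset list` output and the rules from firewalld's direct interface (or the fail2ban action's `actionban` lines); a `does not exist` result for a set a rule references is the same class of problem and is worth reporting, since ip6tables-restore aborts the whole batch on either error.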
