Hi,

As it turns out, I'm typing this on a system recently upgraded to F27, so I decided to install f2b and take a look. Thanks for noticing it has 0.10 for me ;-)

And long story short, I was initially convinced it'd rather be a remnant of something weird on your system, but I reproduce the issue, and I think it's a bug in (that version of) f2b's use of ipset with ipv6 (at least in firewalld context). To work around the issue you may simply edit /etc/fail2ban/jail.d/00-firewalld.conf, replacing 'firewallcmd-ipset' by 'firewallcmd-multiport', it worked for me.

Edit: while checking what the output of 'ipset list' would be for sets of IPv6 addresses, I got this in my search results https://github.com/fail2ban/fail2ban/issues/1990, which is fixed, and looks to be the same bug without ip6tables-restore (optional backend of firewalld). Time for me to see how to use this package with nftables on Fedora…

On 12/13/2017 06:40 PM, Daniel L. Srebnick wrote:
> I just upgraded Fedora to FC27, which includes the IPv6 capable
> fail2ban (0.10.0).
>
> IPv6 addresses are not being blocked because of an issue when f2b calls
> ip6tables:
>
> Dec 13 12:36:14 myhost.com firewalld[1026]: WARNING:
> '/usr/sbin/ip6tables-restore --wait=2 -n' failed:
> Dec 13 12:36:14 myhost.com firewalld[1026]: ERROR: COMMAND_FAILED

It turns out that indeed firewalld uses the lower level iptables-apply/restore utilities (a fact I didn't know).

By turning on firewalld debug log at level >=3, one can see what it tried to load with ip6tables-restore:

2017-12-15 02:31:08 DEBUG1: direct.addRule('ipv6', 'filter', 'INPUT', 0, '-p','tcp','-m','multiport','--dports','ssh','-m','set','--match-set','f2b-sshd6','src','-j','REJECT','--reject-with','icmp6-port-unreachable')
2017-12-15 02:31:08 DEBUG2: <class 'firewall.core.ipXtables.ip6tables'>: /usr/sbin/ip6tables-restore /run/firewalld/temp.pxn873ip: 146
1: *filter
2: -I INPUT_direct 1 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd6 src -j REJECT --reject-with icmp6-port-unreachable
3: COMMIT

Now I tried the same directly to get a grasp:

$ sudo ip6tables -I INPUT_direct 1 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd6 src -j REJECT --reject-with icmp6-port-unreachable
ip6tables v1.6.1: The protocol family of set f2b-sshd6 is IPv4, which is not applicable.

And indeed:

$ sudo ipset list
Name: f2b-sshd6
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 88
References: 0
Number of entries: 0
Members:

>
> Seems to be that the "--wait" parameter is not supported by ip6tables-restore.

It says so, but it behaves like a mere warning.

Regards,

> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
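As an added example (not part of the thread above, and not fail2ban's or firewalld's own code): a small POSIX shell checker that parses 'ipset list' output and reports a set that was created with "family inet" although an ip6tables rule is going to reference it, which is exactly the mismatch ip6tables rejected above. The listing embedded below is constructed to mirror the thread; the second set name (f2b-sshd6-ok) is invented for contrast.

```shell
#!/bin/sh
# Added example: detect an ipset whose address family does not match the
# ip6tables rule that will use it. Not code from the fail2ban thread.

# Constructed sample of `ipset list` output: one set created as IPv4 (the bug
# seen in the thread) and one hypothetical set created correctly as IPv6.
SAMPLE_IPSET_LIST='Name: f2b-sshd6
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 88
References: 0
Number of entries: 0
Members:

Name: f2b-sshd6-ok
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536 timeout 600
Size in memory: 88
References: 1
Number of entries: 0
Members:
'

# set_family NAME: print the address family (inet or inet6) of set NAME,
# reading an `ipset list` listing from stdin. Prints nothing if NAME is absent.
set_family() {
    awk -v want="$1" '
        $1 == "Name:" { cur = $2 }
        $1 == "Header:" && cur == want {
            for (i = 2; i < NF; i++) if ($i == "family") { print $(i + 1); exit }
        }'
}

# check_v6_set NAME: exit 0 only if set NAME exists and is an inet6 set,
# 1 if it exists with the wrong family, 2 if it is not listed at all.
# Reads the listing from stdin, so it works on live output or a saved copy.
check_v6_set() {
    fam=$(set_family "$1")
    case "$fam" in
        inet6) return 0 ;;
        "")    echo "set $1: not found in listing" >&2; return 2 ;;
        *)     echo "set $1: family is '$fam'; ip6tables will refuse to match it" >&2; return 1 ;;
    esac
}

# Stand-alone run over the constructed sample. On a real host, use:
#   sudo ipset list | check_v6_set f2b-sshd6
printf '%s' "$SAMPLE_IPSET_LIST" | check_v6_set f2b-sshd6 || echo "mismatch detected for f2b-sshd6"
printf '%s' "$SAMPLE_IPSET_LIST" | check_v6_set f2b-sshd6-ok && echo "f2b-sshd6-ok is usable from ip6tables"
```

Feeding the checker the live listing right after fail2ban starts its IPv6 jails is a cheap way to catch this class of failure before the first ban attempt, since the firewalld log only reports COMMAND_FAILED without naming the set.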