Bug 1525134

Summary: Banned IPv6 address not getting added to ipset
Product: [Fedora] Fedora
Reporter: dan
Component: fail2ban
Assignee: Orion Poplawski <orion>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 27
CC: athmanem, axel.thimm, dan, joe, jpopelka, orion, twoerner, vonsch
Hardware: Unspecified
OS: Linux
Fixed In Version: fail2ban-0.10.1-3.fc27
Last Closed: 2018-01-10 02:04:00 UTC
Type: Bug

Description dan 2017-12-12 16:40:11 UTC
The added IPv6 support in fail2ban is not working properly in FC27.  This was tested between 2 hosts using ssh over IPv4 and IPv6.

Password failures meeting the threshold added both the IPv4 and IPv6 to the banned list as shown by:

fail2ban> status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	16
|  |- Total failed:	1934
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	10
   |- Total banned:	10
   `- Banned IP list:	218.65.30.251 121.18.238.125 164.52.0.140 190.214.207.241 192.129.227.186 221.194.47.221 190.114.236.85 195.154.51.124 2601:3c04::f03c:91ff:fe59:2177 33.43.61.61
fail2ban> 

The IPv6 addresses are NOT being added to the ipset:

[dan@ears ~]$ sudo ipset -L
Name: f2b-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 86400
Size in memory: 952
References: 1
Number of entries: 9
Members:
33.43.61.61 timeout 86390
221.194.47.221 timeout 84621
218.65.30.251 timeout 84621
195.154.51.124 timeout 86000
192.129.227.186 timeout 84621
190.214.207.241 timeout 84621
190.114.236.85 timeout 85623
121.18.238.125 timeout 84621
164.52.0.140 timeout 84621

Name: f2b-sshd6
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 86400
Size in memory: 88
References: 0
Number of entries: 0
Members:


Ipset v6 is installed:

ipset v6.32, protocol version: 6

Comment 1 dan 2017-12-12 18:18:04 UTC
From fail2ban.log after another test, IP changed to a fictitious value and reverse IP redacted for brevity:

2017-12-12 13:09:44,861 fail2ban.filter         [1392]: INFO    [sshd] Found 2622:3c23::d03c:95ff:fe33:2467 - 2017-12-12 13:09:44
2017-12-12 13:09:47,066 fail2ban.filter         [1392]: INFO    [sshd] Found 2622:3c23::d03c:95ff:fe33:2467 - 2017-12-12 13:09:46
2017-12-12 13:09:47,369 fail2ban.actions        [1392]: NOTICE  [sshd] Ban 2622:3c23::d03c:95ff:fe33:2467
2017-12-12 13:09:47,688 fail2ban.utils          [1392]: Level 39 7ffb59530870 -- exec: ipset create f2b-sshd6 hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd6 src -j REJECT --reject-with icmp6-port-unreachable
2017-12-12 13:09:47,689 fail2ban.utils          [1392]: ERROR   7ffb59530870 -- stderr: 'ipset v6.32: Set cannot be created: set with the same name already exists'
2017-12-12 13:09:47,689 fail2ban.utils          [1392]: ERROR   7ffb59530870 -- stderr: '\x1b[91mError: COMMAND_FAILED\x1b[00m'
2017-12-12 13:09:47,689 fail2ban.utils          [1392]: ERROR   7ffb59530870 -- returned 13
2017-12-12 13:09:47,689 fail2ban.actions        [1392]: ERROR   Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'ActionInfo({'ip': 2622:3c23::d03c:95ff:fe33:2467, 'family': 'inet6', 'ip-rev': 'redacted reverse ip', 'ip-host': 'other.myhost.com', 'fid': 2622:3c23::d03c:95ff:fe33:2467, 'failures': 3, 'time': 1513102186.719978, 'matches': '2017-12-12T11:31:44.483292myhost.com sshd[3844]: Failed password for dan from 2622:3c23::d03c:95ff:fe33:2467 port 33414 ssh2\n2017-12-12T13:09:46.719978myhost.com sshd[9365]: Failed password for dan from 2622:3c23::d03c:95ff:fe33:2467 port 33462 ssh2', 'restored': 0, 'F-*': {'matches': [('', '2017-12-12T11:31:44.483292', 'myhost.com sshd[3844]: Failed password for dan from 2622:3c23::d03c:95ff:fe33:2467 port 33414 ssh2'), '2017-12-12T13:09:46.719978myhost.com sshd[9365]: Failed password for dan from 2622:3c23::d03c:95ff:fe33:2467 port 33462 ssh2'], 'failures': 3, 'mlfid': 'myhost.com sshd[3844]: ', 'user': 'dan', 'ip6': '2622:3c23::d03c:95ff:fe33:2467'}, 'ipmatches': '2017-12-12T11:31:44.483292myhost.com sshd[3844]: Failed password for dan from 2622:3c23::d03c:95ff:fe33:2467 port 33414 ssh2\n2017-12-12T13:09:46.719978myhost.com sshd[9365]: Failed password for dan from 2622:3c23::d03c:95ff:fe33:2467 port 33462 ssh2', 'ipjailmatches': '2017-12-12T11:31:44.483292myhost.com sshd[3844]: Failed password for dan from 2622:3c23::d03c:95ff:fe33:2467 port 33414 ssh2\n2017-12-12T13:09:46.719978myhost.com sshd[9365]: Failed password for dan from 2622:3c23::d03c:95ff:fe33:2467 port 33462 ssh2', 'ipfailures': 3, 'ipjailfailures': 3, 'fq-hostname': 'ears.private', 'sh-hostname': 'myhost.com'})': Error starting action Jail('sshd')/firewallcmd-ipset

Comment 2 dan 2017-12-13 18:29:06 UTC
This seems to go back to firewall-cmd.  Manually trying:

sudo firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd6 src -j REJECT --reject-with icmp6-port-unreachable

It logs:

Dec 13 13:22:56 myhost.com firewalld[1026]: WARNING: '/usr/sbin/ip6tables-restore --wait=2 -n' failed:
Dec 13 13:22:56 myhost.com firewalld[1026]: ERROR: COMMAND_FAILED

Perhaps this should be transferred to the firewalld team?

Comment 3 dan 2017-12-16 23:43:53 UTC
Seems to relate to this upstream issue on fail2ban:

https://github.com/fail2ban/fail2ban/issues/1990

Comment 4 Georges Racinet 2017-12-17 16:41:36 UTC
Hi, I'm also affected by this issue, and I can confirm this is the aforementioned upstream issue 1990.

ip6tables-restore is presenting the error only because it acts as a backend of firewalld in this case (that explains the apparent difference with the upstream issue).
I'm not sure what Fedora policy says in that case, but either packaging a future 0.10.2 or backporting the upstream maintainer's very simple fix would solve the present issue.

To back this up, here are my investigations (done before getting knowledge of the upstream bug).

By turning on firewalld debug log at level >=3, one can see what it tried to load with ip6tables-restore:

    2017-12-15 02:31:08 DEBUG1: direct.addRule('ipv6', 'filter', 'INPUT', 0, '-p','tcp','-m','multiport','--dports','ssh','-m','set','--match-set','f2b-sshd6','src','-j','REJECT','--reject-with','icmp6-port-unreachable')
    2017-12-15 02:31:08 DEBUG2: <class 'firewall.core.ipXtables.ip6tables'>: /usr/sbin/ip6tables-restore /run/firewalld/temp.pxn873ip: 146
           1: *filter
           2: -I INPUT_direct 1 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd6 src -j REJECT --reject-with icmp6-port-unreachable
           3: COMMIT

Now I tried the same directly to get a grasp:

    $ sudo ip6tables -I INPUT_direct 1 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd6 src -j REJECT --reject-with icmp6-port-unreachable

    ip6tables v1.6.1: The protocol family of set f2b-sshd6 is IPv4, which is not applicable.

And indeed:

$ sudo ipset list
    Name: f2b-sshd6
    Type: hash:ip
    Revision: 4
    Header: family inet hashsize 1024 maxelem 65536 timeout 600
    Size in memory: 88
    References: 0
    Number of entries: 0
    Members:
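
The root cause traced in the comment above (a set created as family inet, then referenced from an ipv6 direct rule) can be caught before ip6tables-restore fails. The check below is an added example, not part of this bug report or of fail2ban: it parses `ipset list` output and the firewall-cmd direct rules that reference each set, and reports any set whose family does not match the rule's family. The sample listing and the ipv4 rule are constructed from the report's own output; the function names are my own.

```python
import re

# Constructed from the report's `ipset list` output (entries trimmed); f2b-sshd6 lacks `family inet6`.
SAMPLE_IPSET_LIST = """\
Name: f2b-sshd
Header: family inet hashsize 1024 maxelem 65536 timeout 86400
Members:
33.43.61.61 timeout 86390

Name: f2b-sshd6
Header: family inet hashsize 1024 maxelem 65536 timeout 86400
Members:
"""

# The ipv6 rule is the one the report's action ran; the ipv4 twin is constructed.
SAMPLE_RULES = [
    "firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable",
    "firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd6 src -j REJECT --reject-with icmp6-port-unreachable",
]

def parse_ipset_list(text):
    """Return {set_name: family} from `ipset list` output (None if the header has no family)."""
    sets, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[6:].strip()
        elif line.startswith("Header: ") and name:
            m = re.search(r"\bfamily (inet6?)\b", line)
            sets[name] = m.group(1) if m else None
    return sets

def expected_from_rules(rules):
    """Map each --match-set name to the family of the direct rule that references it."""
    want = {}
    for rule in rules:
        m = re.search(r"--add-rule (ipv4|ipv6) .*--match-set (\S+)", rule)
        if m:
            want[m.group(2)] = "inet6" if m.group(1) == "ipv6" else "inet"
    return want

def family_mismatches(list_output, rules):
    """(set, wanted, actual) for every set that ip6tables/iptables would refuse to match."""
    actual = parse_ipset_list(list_output)
    return [(n, w, actual.get(n)) for n, w in expected_from_rules(rules).items()
            if actual.get(n) != w]

def create_command(name, family, timeout=86400):
    """The `ipset create` the failing action should have run, with the family made explicit."""
    return f"ipset create {name} hash:ip family {family} timeout {timeout}"
```

Running `family_mismatches(SAMPLE_IPSET_LIST, SAMPLE_RULES)` on the report's data returns the single offender `f2b-sshd6` (wanted inet6, got inet), which is exactly the condition behind the "protocol family of set f2b-sshd6 is IPv4" error.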

Comment 5 Fedora Update System 2017-12-30 20:07:08 UTC
fail2ban-0.10.1-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d1257bf9ca

Comment 6 dan 2017-12-30 20:51:17 UTC
Seems to resolve this issue.  An IPv6 was correctly added to the ipset and blocked as expected.

Comment 7 Fedora Update System 2017-12-31 19:32:32 UTC
fail2ban-0.10.1-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d1257bf9ca

Comment 8 Orion Poplawski 2017-12-31 20:09:28 UTC
*** Bug 1525065 has been marked as a duplicate of this bug. ***

Comment 9 Fedora Update System 2018-01-10 02:04:00 UTC
fail2ban-0.10.1-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.