Bug 833046

Summary: fail2ban: sometimes (frequently) fails to load iptables rules with multiple jails
Product: Fedora EPEL
Reporter: Leonard den Ottolander <leonard-rh-bugzilla>
Component: fail2ban
Assignee: Orion Poplawski <orion>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: el6
CC: ali, leonard-rh-bugzilla, maxamillion, orion
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-12-10 15:52:40 UTC

Description Leonard den Ottolander 2012-06-18 13:27:21 UTC
Description of problem:

Jails will sometimes fail to insert iptables rules, possibly due to timing issues.

This issue is in Debian's bug tracker:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=554162
which references a patch:
http://sourceforge.net/tracker/?func=detail&aid=2857096&group_id=121032&atid=689046.

This patch has not been incorporated in fail2ban-0.8.5 as provided at github (https://github.com/fail2ban/fail2ban).

Version-Release number of selected component (if applicable):
fail2ban-0.8.4-28.el6.noarch

How reproducible:
# fail2ban-client -x reload
a few times and check /var/log/messages for errors.

Actual results:
<date/time> <host> fail2ban.actions.action: ERROR  iptables -N fail2ban-dovecot#012iptables -A fail2ban-dovecot -j RETURN#012iptables -I INPUT -p tcp -m multiport --dports 110,995,143,993 -j fail2ban-dovecot returned 200

The insertion of iptables rules will fail for random jails. Occasionally they will all load successfully.

Expected results:
No errors
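The reproduction step above amounts to "reload and look for errors in /var/log/messages"; a defender will usually also want to know which jail lost its rules and whether the firewall actually matches what the running jails expect. The script below is an added example, not part of the bug report or of fail2ban's own code. It parses fail2ban.actions.action ERROR lines of the form quoted in this report (commands joined by the syslog newline escape #012, followed by "returned <rc>") and compares the chain, RETURN rule and INPUT jump that the iptables-multiport action creates per jail against `iptables -S` output. The log lines, the `iptables -S` text and the jail table (JAILS) are constructed for the example; the rule strings assume the chain layout shown in the quoted error line.

```python
"""Added example: spot failed fail2ban action batches in syslog and verify
that each jail's iptables chain and INPUT jump are really in place.
Not part of bug 833046 or of the fail2ban project."""
import re
import subprocess

# One fail2ban action batch is logged as a single syslog line; the commands
# that made up the batch are separated by "#012" (syslog's escaped newline).
ERROR_RE = re.compile(
    r"fail2ban\.actions\.action:\s+ERROR\s+(?P<cmds>.+?)\s+returned\s+(?P<rc>\d+)\s*$"
)
CHAIN_RE = re.compile(r"iptables\s+-N\s+(?P<chain>\S+)")


def parse_action_errors(lines):
    """Return [(chain, rc, [commands])] for every failed action batch in lines.
    chain is the name passed to `iptables -N` in the batch, or None."""
    found = []
    for line in lines:
        m = ERROR_RE.search(line)
        if not m:
            continue
        cmds = m.group("cmds").split("#012")
        chain = None
        for c in cmds:
            cm = CHAIN_RE.search(c)
            if cm:
                chain = cm.group("chain")
                break
        found.append((chain, int(m.group("rc")), cmds))
    return found


def expected_rules(jails):
    """Rules the iptables-multiport action creates for each jail (assumed
    from the command batch quoted in the report): a chain, a terminating
    RETURN and a jump from INPUT. `jails` maps jail name -> (proto, ports)."""
    exp = {}
    for name, (proto, ports) in jails.items():
        chain = "fail2ban-" + name
        exp[chain] = [
            "-N " + chain,
            "-A " + chain + " -j RETURN",
            "-A INPUT -p %s -m multiport --dports %s -j %s" % (proto, ports, chain),
        ]
    return exp


def missing_jail_rules(jails, iptables_s_output):
    """Return {chain: [missing rule, ...]} for chains absent or incomplete
    in the given `iptables -S` output (exact-line comparison)."""
    present = set(l.strip() for l in iptables_s_output.splitlines())
    missing = {}
    for chain, rules in expected_rules(jails).items():
        gone = [r for r in rules if r not in present]
        if gone:
            missing[chain] = gone
    return missing


def live_iptables_s():
    """Fetch the real table (needs root); not used by the sample run below."""
    return subprocess.check_output(["iptables", "-S"]).decode()


# Constructed sample data: one failed dovecot batch, one healthy SSH jail.
SAMPLE_LOG = """\
Jun 18 15:00:01 host fail2ban.jail   : INFO   Jail 'ssh-iptables' started
Jun 18 15:00:01 host fail2ban.actions.action: ERROR  iptables -N fail2ban-dovecot#012iptables -A fail2ban-dovecot -j RETURN#012iptables -I INPUT -p tcp -m multiport --dports 110,995,143,993 -j fail2ban-dovecot returned 200
Jun 18 15:00:02 host fail2ban.jail   : INFO   Jail 'dovecot' started
""".splitlines()

SAMPLE_IPTABLES_S = """\
-P INPUT ACCEPT
-N fail2ban-SSH
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A fail2ban-SSH -j RETURN
"""

JAILS = {"SSH": ("tcp", "22"), "dovecot": ("tcp", "110,995,143,993")}


if __name__ == "__main__":
    for chain, rc, cmds in parse_action_errors(SAMPLE_LOG):
        print("action batch for %s failed (rc=%d): %s" % (chain, rc, "; ".join(cmds)))
    for chain, rules in missing_jail_rules(JAILS, SAMPLE_IPTABLES_S).items():
        print("%s missing: %s" % (chain, ", ".join(rules)))
```

Run it as root after a `fail2ban-client -x reload`, feeding `live_iptables_s()` and the tail of /var/log/messages instead of the constructed samples. The rule comparison is deliberately literal: `iptables -S` normalises some options (a single `--dport` gains `-m tcp`, for instance), so for jails that use other actions or port syntaxes the expected strings need adjusting rather than trusting a non-match as a missing rule.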

Comment 1 Leonard den Ottolander 2012-06-18 15:09:03 UTC
The patch mentioned above is for a different (also a timing) issue in server/action.py.

I believe the first link in the Debian report to be the same issue as the one I'm reporting:
http://sourceforge.net/tracker/?func=detail&aid=2870788&group_id=121032&atid=689044
that is, iptables rules sometimes failing when starting multiple jails.

This issue can apparently be fixed by adding a sleep to __processCmd() in fail2ban-client.

(My confusion was caused by server/action.py sporting a function with the same name.)

Comment 2 Leonard den Ottolander 2012-06-18 15:30:01 UTC
Adding a sleep before executing each start up command seems to fix this issue:

--- fail2ban-client.000 2012-02-11 08:28:12.000000000 +0100
+++ fail2ban-client     2012-06-18 17:17:37.118368467 +0200
@@ -142,6 +142,7 @@ class Fail2banClient:
        def __processCmd(self, cmd, showRet = True):
                beautifier = Beautifier()
                for c in cmd:
+                       time.sleep(0.1)
                        beautifier.setInputCmd(c)
                        try:
                                client = CSocket(self.__conf["socket"])
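Review bot: `import time` is not visible in this hunk; the new `time.sleep(0.1)` in `__processCmd` only works if fail2ban-client already imports the module, so confirm that or add the import in the same patch. The fixed 100 ms pause also papers over the race rather than closing it: it is tuned to one machine, and the loop still never learns whether the server finished the previous command before the next one is sent, so a failure remains possible on a slower host. Placing the wait after the send-and-reply step for each command (or, better, blocking on the server's response) would express the actual ordering requirement; as written the sleep also runs once before the very first command, where nothing is being waited for.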


See http://www.fail2ban.org/wiki/index.php/Fail2ban_talk:Community_Portal "fail2ban.actions.action ERROR on startup/restart". A cleaner solution would be to wait for client.send(c) to actually finish but that might require more code.

Comment 3 Orion Poplawski 2014-07-21 23:14:29 UTC
Please test with https://admin.fedoraproject.org/updates/fail2ban-0.8.13-1.el6 and see if that helps.

Comment 4 Leonard den Ottolander 2014-12-10 15:05:38 UTC
Sorry for responding so late. I haven't been paying attention to this issue since reporting it. As the issue was reported upstream and patched it is most likely fixed.

You can close this bug report FIXED. If I do come across rules not being inserted again I will open a new bug report.

Comment 5 Orion Poplawski 2014-12-10 15:52:40 UTC
Thanks.