Red Hat Bugzilla – Bug 1272681
Adding -w option to iptables breaks on EL6
Last modified: 2015-10-27 02:24:40 EDT
Update message for 0.9.3-1 states:
"All calls to iptables command now use -w switch introduced in iptables 1.4.20 (some distribution could have patched their earlier base version as well) to provide this locking mechanism useful under heavy load to avoid contesting on iptables calls. If you need to disable, define 'action.d/iptables-common.local' with empty value for 'lockingopt' in [Init] section."
As this causes breakage on EL6 it is probably a good idea to patch action.d/iptables-common.local instead of shipping with an option that you know will cause breakage.
*** Bug 1272683 has been marked as a duplicate of this bug. ***
fail2ban-0.9.3-1.el6.1 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-71a66aaf59
fail2ban-0.9.3-1.el6.1 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=epel-testing update fail2ban'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-71a66aaf59
This issue most likely also exists on EL5. Do you want me to open a separate bug report for EL5? Iptables on EL7 is version 1.4.21, so probably ok.
yum --enablerepo=epel-testing update fail2ban
to pick up fail2ban-0.9.3-1.el6.1 and that resolved the problem on 2 REHL6 hosts that had been bumped to the broken version, so fail2ban-0.9.3-1.el6.1 looks like a winner.
HREL5 fail2ban seems to be on the fail2ban-0.8 train, (fail2ban-0.8.14-1.el5), so I don't think RHEL5 will be hit unless someone back ports fail2ban 0.9... If a 0.9 backport to RHEL5 is in the mill, then yes, a ticket for RHEL5 is in order as that OS is running iptables-1.3.5-9.2.el5_8 which is even more ancient than the iptables-1.4.7-16 on RHEL6
I have no particular interest in updating EL5 to 0.9. If the update works, karma filed on the update page is helpful and will get the update pushed to stable sooner.
I'am not sure what the updated package of fail2ban should fix, but on CentOS release 6.7 (Final) the recent fail2ban release with version string 0.9.3-1.el6.1 didn't fix the "-w" switch problem.
So, after setting lockingopt to an empty value, as suggested in the first post, the new fail2ban version works now as expected.
Interesting - I upgraded another system (CentOS6 this time as opposed to yesterdays tests with RHEL6) running the broken fail2ban (0.0.3-2.el6) to the epel-testing variant (fail2ban-0.9.3-1.el6.1), and diff'ed that against a saved copy of all the files listed "rpm -ql" from the 0.9.3 (broken) version. The only difference of substance was in /etc/fail2ban/action.d/iptables-common.conf
< lockingopt = -w
> lockingopt =
After doing the update and also doing
service fail2ban stop
service fail2ban start
I now have the f2b-SSH jail in the iptables -L output
Perhaps there's some other differences in our base configurations?
The new update sets lockingopt to '' as noted. However, that file is a config file and will not be updated if local modifications have been made.
I may need to make another update that completely removes the use of lockingopt.
I was actually pretty sure that I've updated to el6.1, because I've updated fail2ban this morning and after reading that the actual fixed package can be found in the testing repository I've additionally executed the suggested yum --enablerepo=epel-testing update fail2ban which returned "no packages marked for update".
So this led me to think that I've already updated fail2ban to the el6.1 package. Well, in the end it turned out that the yum priorities plugin prevented me to update to epel-testing... those mondays...
So, see my comment as feedback: The empty value fix works and with the correct yum priorities the update works as well ;-)
Again please give positive karma on the update in bodhi so this can get pushed out quickly.
Updating to Fail2ban version 0.9.3-1.el6.1 from EPEL repo has fixed the issue. I can now see fail2ban chain in iptables, which was there before.
*** Bug 1275374 has been marked as a duplicate of this bug. ***
fail2ban-0.9.3-1.el6.1 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
[root@jabber action.d]# uname -a
Linux 2.6.32-220.el6.i686 #1 SMP Tue Dec 6 16:15:40 GMT 2011 i686 i686 i386 GNU/Linux
[root@jabber action.d]# yum info fail2ban
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
* base: mirror.digitalhusky.com
* epel: mirror.nsc.liu.se
* extras: mirror.digitalhusky.com
* rpmforge: ftp.kddilabs.jp
* updates: mirror.digitalhusky.com
Name : fail2ban
Arch : noarch
Version : 0.9.3
Release : 1.el6.1
Size : 1.3 M
Repo : installed
From repo : epel-testing
Summary : Ban IPs that make too many password failures
URL : http://fail2ban.sourceforge.net/
License : GPLv2+
Description : Fail2ban scans log files like /var/log/pwdfail or
: /var/log/apache/error_log and bans IP that makes too many password
: failures. It updates firewall rules to reject the IP address.
: To use the hostsdeny and shorewall actions you must install tcp_wrappers
: and shorewall respectively
[root@jabber action.d]# iptables -V
[root@jabber action.d]# ps axuw | grep fail2ban
root 7328 0.0 0.7 49160 7420 ? Sl 13:51 0:00 /usr/bin/python -Es /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b
root 7491 0.0 0.0 4380 748 pts/1 S+ 14:00 0:00 grep fail2ban
root has only bash shell
Oct 27 13:51:56 jabber fail2ban.action: ERROR iptables -w -N f2b-SSH#012iptables -w -A f2b-SSH -j RETURN#012iptables -w -I INPUT -p tcp --dport ssh -j f2b-SSH -- stdout: ''
Oct 27 13:51:56 jabber fail2ban.action: ERROR iptables -w -N f2b-SSH#012iptables -w -A f2b-SSH -j RETURN#012iptables -w -I INPUT -p tcp --dport ssh -j f2b-SSH -- stderr: "iptables v1.4.7: option `-w' requires an argument\nTry `iptables -h' or 'iptables --help' for more information.\niptables v1.4.7: option `-w' requires an argument\nTry `iptables -h' or 'iptables --help' for more information.\niptables v1.4.7: option `-w' requires an argument\nTry `iptables -h' or 'iptables --help' for more information.\n"
Oct 27 13:51:56 jabber fail2ban.action: ERROR iptables -w -N f2b-SSH#012iptables -w -A f2b-SSH -j RETURN#012iptables -w -I INPUT -p tcp --dport ssh -j f2b-SSH -- returned 2
Oct 27 13:51:56 jabber fail2ban.actions: ERROR Failed to start jail 'sshd' action 'iptables': Error starting action
Disable SElinux solved my problem