Description of problem:
Current fail2ban-shorewall requires shorewall. Should require either shorewall or shorewall-lite.

Version-Release number of selected component (if applicable):
fail2ban-shorewall-0.11.1-9.el7.2.noarch

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
shorewall is only needed on a system that creates firewalls. If just running a firewall you can use shorewall-lite. We push firewalls out to many virtuals that run shorewall-lite. For those that are internet facing, we install fail2ban-shorewall (and have been just adding shorewall to their package list to make fail2ban-shorewall happy). It would be nice if fail2ban-shorewall would be happy with either shorewall or shorewall-lite. Not a huge problem but also might be simple to fix.
I don't think rpm in EL 7 can handle this well. In Fedora (and EL 8 I *think*) we have Recommends: and Suggests: which might be one path to fix the problem, but no such options in EL 7.

Looking at the provides of both packages:

$ sudo repoquery --provides shorewall-lite
config(shorewall-lite) = 5.1.10.2-1.el7
shorewall(firewall) = 5.1.10.2-1.el7
shorewall-lite = 5.1.10.2-1.el7

$ sudo repoquery --provides shorewall
config(shorewall) = 5.1.10.2-1.el7
perl(Shorewall::ARP) = 5.0
perl(Shorewall::Accounting) = 5.1
perl(Shorewall::Chains) = 5.1
perl(Shorewall::Compiler) = 5.1
perl(Shorewall::Config) = 5.1
perl(Shorewall::IPAddrs) = 5.1
perl(Shorewall::Misc) = 5.1
perl(Shorewall::Nat) = 5.1
perl(Shorewall::Proc) = 4.6
perl(Shorewall::Providers) = 5.1
perl(Shorewall::Proxyarp) = 5.1
perl(Shorewall::Raw) = 5.0
perl(Shorewall::Rules) = 5.1
perl(Shorewall::Tc) = 5.1
perl(Shorewall::Tunnels) = 5.0
perl(Shorewall::Zones) = 5.1
shorewall = 5.1.10.2-1.el7
shorewall(firewall) = 5.1.10.2-1.el7

The only thing they have in common is "shorewall(firewall)". I think what we can do is I can change the requirement to that so that either package satisfies the dependency, however, I can't control which package yum chooses so I would suggest that you install shorewall-lite first and yum *SHOULD* accept that as meeting the requirements and not install shorewall.

Testing on the epel7 test server it does pull in shorewall-lite by default, which I'm not thrilled about...
$ sudo yum install "shorewall(firewall)"
Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: d36uatko69830t.cloudfront.net
 * epel: mirrors.kernel.org
 * extras: d36uatko69830t.cloudfront.net
 * updates: d36uatko69830t.cloudfront.net
Resolving Dependencies
--> Running transaction check
---> Package shorewall-lite.noarch 0:5.1.10.2-1.el7 will be installed
--> Processing Dependency: shorewall-core = 5.1.10.2-1.el7 for package: shorewall-lite-5.1.10.2-1.el7.noarch
--> Running transaction check
---> Package shorewall-core.noarch 0:5.1.10.2-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================================
 Package              Arch      Version            Repository    Size
=======================================================================================================================
Installing:
 shorewall-lite       noarch    5.1.10.2-1.el7     epel          63 k
Installing for dependencies:
 shorewall-core       noarch    5.1.10.2-1.el7     epel          82 k

Transaction Summary
=======================================================================================================================
Install  1 Package (+1 Dependent package)

I'll have to think about this.
On Fedora EPEL 8 I can add a recommends for plain shorewall but can't do that on EL 7.
Ok, different strategy. I created a fail2ban-shorewall-lite subpackage which conflicts with fail2ban-shorewall so only one or the other can be installed as they provide the same file.

https://koji.fedoraproject.org/koji/taskinfo?taskID=50243307

You can download all the build artifacts for testing using:

koji download-task 50243532
I think a separate fail2ban-shorewall-lite package would be a good approach if adding another package wasn't a problem for anyone. Not trying to make waves - but I think it would be a useful option. I'd think there would be more installs of shorewall-lite (for anyone who has a centralized firewall creation server) than shorewall. It would certainly be better than having to depend on randomness of yum/dnf or remember to not install shorewall first (especially for those like me that said why install shorewall and shorewall-lite and just deleted the shorewall package that wasn't needed in trying to keep virtual images as small as possible). Thanks for your time and I hope adding fail2ban-shorewall-lite passes the approval process.
If you would, please test my scratch build before I do real builds. There's no approval process other than me. :)
Hit a block. I'm running FC32 on the shorewall server, which doesn't satisfy python 3.9 for fail2ban-server and el7's python is only at 2.7.5-88.
My fault, I assumed since it was a noarch package it really wouldn't matter but you do need EL 7 specific packages.

https://koji.fedoraproject.org/koji/taskinfo?taskID=50261492
rpm -e --justdb fail2ban-shorewall followed by rpm -ivh fail2ban-shorewall-lite seemed to work fine.
FYI, I would have suggested: yum swap fail2ban-shorewall fail2ban-shorewall-lite
FEDORA-2020-3071e15f57 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.