Bug 1872759 - fail2ban-shorewall requires change to include shorewall-lite or shorewall
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: fail2ban
Version: epel7
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Richard Shaw
QA Contact: Fedora Extras Quality Assurance
Reported: 2020-08-26 15:04 UTC by William H. Haller
Modified: 2020-08-28 11:50 UTC (History)

Fixed In Version: fail2ban-0.11.1-10.fc34
Last Closed: 2020-08-28 11:50:50 UTC
Type: Bug
Description William H. Haller 2020-08-26 15:04:02 UTC
Description of problem: Current fail2ban-shorewall requires shorewall. Should require either shorewall or shorewall-lite.


Version-Release number of selected component (if applicable):
fail2ban-shorewall-0.11.1-9.el7.2.noarch

Additional info: shorewall is only needed on a system that creates firewalls. If just running a firewall you can use shorewall-lite. We push firewalls out to many virtuals that run shorewall-lite. For those that are internet facing, we install fail2ban-shorewall (and have been just adding shorewall to their package list to make fail2ban-shorewall happy). It would be nice if fail2ban-shorewall would be happy with either shorewall or shorewall-lite. Not a huge problem but also might be simple to fix.

Comment 1 Richard Shaw 2020-08-27 11:48:09 UTC
I don't think rpm in EL 7 can handle this well. In Fedora (and EL 8 I *think*) we have Recommends: and Suggests: which might be one path to fix the problem, but no such options in EL 7.

Looking at the provides of both packages:

$ sudo repoquery --provides shorewall-lite
config(shorewall-lite) = 5.1.10.2-1.el7
shorewall(firewall) = 5.1.10.2-1.el7
shorewall-lite = 5.1.10.2-1.el7

$ sudo repoquery --provides shorewall
config(shorewall) = 5.1.10.2-1.el7
perl(Shorewall::ARP) = 5.0
perl(Shorewall::Accounting) = 5.1
perl(Shorewall::Chains) = 5.1
perl(Shorewall::Compiler) = 5.1
perl(Shorewall::Config) = 5.1
perl(Shorewall::IPAddrs) = 5.1
perl(Shorewall::Misc) = 5.1
perl(Shorewall::Nat) = 5.1
perl(Shorewall::Proc) = 4.6
perl(Shorewall::Providers) = 5.1
perl(Shorewall::Proxyarp) = 5.1
perl(Shorewall::Raw) = 5.0
perl(Shorewall::Rules) = 5.1
perl(Shorewall::Tc) = 5.1
perl(Shorewall::Tunnels) = 5.0
perl(Shorewall::Zones) = 5.1
shorewall = 5.1.10.2-1.el7
shorewall(firewall) = 5.1.10.2-1.el7

The only thing they have in common is "shorewall(firewall)". I think what we can do is I can change the requirement to that so that either package satisfies the dependency, however, I can't control which package yum chooses so I would suggest that you install shorewall-lite first and yum *SHOULD* accept that as meeting the requirements and not install shorewall.

Testing on the epel7 test server it does pull in shorewall-lite by default, which I'm not thrilled about...

$ sudo yum install "shorewall(firewall)"
Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: d36uatko69830t.cloudfront.net
 * epel: mirrors.kernel.org
 * extras: d36uatko69830t.cloudfront.net
 * updates: d36uatko69830t.cloudfront.net
Resolving Dependencies
--> Running transaction check
---> Package shorewall-lite.noarch 0:5.1.10.2-1.el7 will be installed
--> Processing Dependency: shorewall-core = 5.1.10.2-1.el7 for package: shorewall-lite-5.1.10.2-1.el7.noarch
--> Running transaction check
---> Package shorewall-core.noarch 0:5.1.10.2-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================================
 Package                         Arch                    Version                           Repository             Size
=======================================================================================================================
Installing:
 shorewall-lite                  noarch                  5.1.10.2-1.el7                    epel                   63 k
Installing for dependencies:
 shorewall-core                  noarch                  5.1.10.2-1.el7                    epel                   82 k

Transaction Summary
=======================================================================================================================
Install  1 Package (+1 Dependent package)


I'll have to think about this.

Comment 2 Richard Shaw 2020-08-27 11:49:04 UTC
On Fedora EPEL 8 I can add a recommends for plain shorewall but can't do that on EL 7.

Comment 3 Richard Shaw 2020-08-27 12:12:36 UTC
Ok, different strategy. I created a fail2ban-shorewall-lite subpackage which conflicts with fail2ban-shorewall so only one or the other can be installed as they provide the same file.

https://koji.fedoraproject.org/koji/taskinfo?taskID=50243307

You can download all the build artifacts for testing using:

koji download-task 50243532

Comment 4 William H. Haller 2020-08-27 13:31:41 UTC
I think a separate fail2ban-shorewall-lite package would be a good approach if adding another package wasn't a problem for anyone. Not trying to make waves - but I think it would be a useful option. I'd think there would be more installs of shorewall-lite (for anyone who has a centralized firewall creation server) than shorewall.

It would certainly be better than having to depend on randomness of yum/dnf or remember to not install shorewall first (especially for those like me that said why install shorewall and shorewall-lite and just deleted the shorewall package that wasn't needed in trying to keep virtual images as small as possible).

Thanks for your time and I hope adding fail2ban-shorewall-lite passes the approval process.

Comment 5 Richard Shaw 2020-08-27 16:29:43 UTC
If you would, please test my scratch build before I do real builds. There's no approval process other than me. :)

Comment 6 William H. Haller 2020-08-27 16:53:30 UTC
Hit a block. I'm running FC32 on the shorewall server, which doesn't satisfy python 3.9 for fail2ban-server and el7's python is only at 2.7.5-88.

Comment 7 Richard Shaw 2020-08-27 17:22:01 UTC
My fault, I assumed since it was a noarch package it really wouldn't matter but you do need EL 7 specific packages.

https://koji.fedoraproject.org/koji/taskinfo?taskID=50261492

Comment 8 William H. Haller 2020-08-27 18:55:19 UTC
rpm -e --justdb fail2ban-shorewall followed by rpm -ivh fail2ban-shorewall-lite seemed to work fine.

Comment 9 Orion Poplawski 2020-08-27 19:38:20 UTC
FYI, I would have suggested:

yum swap fail2ban-shorewall fail2ban-shorewall-lite

Comment 10 Fedora Update System 2020-08-28 11:50:50 UTC
FEDORA-2020-3071e15f57 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.
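
Added example, not part of the bug report or the fail2ban packaging: a shell script for the two checks discussed in this thread, finding the capability that both shorewall packages provide (Comment 1) and flagging hosts that run shorewall-lite but still carry fail2ban-shorewall (Comments 3 and 9). The function names and output strings are hypothetical; the provides listings are copied from Comment 1 with the perl() entries abridged.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.

# Capability names only: drop the " = version" part of each provides line.
cap_names() { awk 'NF {print $1}' "$1" | LC_ALL=C sort -u; }

# Print capabilities that appear in both `repoquery --provides` listings.
common_caps() {
    tmp_a=$(mktemp) && tmp_b=$(mktemp) || return 1
    cap_names "$1" > "$tmp_a"
    cap_names "$2" > "$tmp_b"
    LC_ALL=C comm -12 "$tmp_a" "$tmp_b"
    rm -f "$tmp_a" "$tmp_b"
}

# Read installed package names on stdin (one per line, e.g. from
# `rpm -qa --qf '%{NAME}\n'`) and report the fail2ban/shorewall pairing.
f2b_pairing() {
    pkgs=$(cat)
    has() { printf '%s\n' "$pkgs" | grep -qxF -- "$1"; }
    if has fail2ban-shorewall && has shorewall-lite; then
        echo "mismatch: yum swap fail2ban-shorewall fail2ban-shorewall-lite"
    elif has fail2ban-shorewall || has fail2ban-shorewall-lite; then
        echo "ok"
    else
        echo "none"
    fi
}

# Provides listings copied from Comment 1 (perl() list abridged).
demo_common() {
    lite=$(mktemp) && full=$(mktemp) || return 1
    cat > "$lite" <<'EOF'
config(shorewall-lite) = 5.1.10.2-1.el7
shorewall(firewall) = 5.1.10.2-1.el7
shorewall-lite = 5.1.10.2-1.el7
EOF
    cat > "$full" <<'EOF'
config(shorewall) = 5.1.10.2-1.el7
perl(Shorewall::ARP) = 5.0
perl(Shorewall::Zones) = 5.1
shorewall = 5.1.10.2-1.el7
shorewall(firewall) = 5.1.10.2-1.el7
EOF
    common_caps "$lite" "$full"
    rm -f "$lite" "$full"
}

demo_common   # prints: shorewall(firewall)
```

The "mismatch" result only reports that the full-shorewall flavour of the fail2ban subpackage is installed next to shorewall-lite; whether the full shorewall package is otherwise in use on that host still has to be checked before removing it.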

