Bug 2001676 - firewallcmd-rich-rules has issue with IPv6 address
Status: NEW
Product: Fedora EPEL
Classification: Fedora
Component: fail2ban
Version: epel8
Hardware: All
OS: All
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Orion Poplawski
QA Contact: Fedora Extras Quality Assurance
Reported: 2021-09-06 17:46 UTC by Peter Bieringer
Modified: 2023-04-07 13:33 UTC (History)
Type: Bug

Description Peter Bieringer 2021-09-06 17:46:57 UTC
Description of problem:
I had to create a custom jail which temporarily blocks access to one particular port for IPv4 and IPv6. A trigger with an IPv4 address creates 2 rules (one for IPv4 and one for IPv6) as configured, but if the trigger IP address is IPv6, this fails.

The dual IP protocol block is necessary to block requests e.g. from the 6to4 address of the same client.


Version-Release number of selected component (if applicable):
fail2ban-0.11.2-1.el8.noarch


How reproducible:
always


Steps to Reproduce:
1. create a custom jail like:

[apache-jail-special]
enabled   = true
port      = 8080
logpath   = /path/to/apache-log
maxretry  = 1
bantime   = 15m
bantime.increment = false
action    = firewallcmd-rich-rules[name=apache-jail-special-ipv6,actiontype=<multiport>,rich-blocktype=drop,protocol=tcp,port=8080,family=ipv6,ip=::/0]
            firewallcmd-rich-rules[name=apache-jail-special-ipv4,actiontype=<multiport>,rich-blocktype=drop,protocol=tcp,port=8080,family=ipv4,ip=0.0.0.0/0]


2. trigger jail e.g. using curl with an IPv6 address


Actual results:

2021-09-06 19:18:43,403 fail2ban.utils          [2066307]: ERROR   7ff6936acdc0 -- exec: ports="$(echo '8080' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='0.0.0.0/0' port port='$p' protocol='tcp' drop"; done
2021-09-06 19:18:43,403 fail2ban.utils          [2066307]: ERROR   7ff6936acdc0 -- stderr: 'Error: INVALID_ADDR: 0.0.0.0/0'
2021-09-06 19:18:43,403 fail2ban.utils          [2066307]: ERROR   7ff6936acdc0 -- returned 105
2021-09-06 19:18:43,404 fail2ban.actions        [2066307]: ERROR   Failed to execute ban jail 'PB-apache-useragent-java' action 'firewallcmd-rich-rules-apache-useragent-java-ipv4' info 'ActionInfo({'ip': '2002:***', 'family': 'inet6', 'fid': <function Actions.ActionInfo.<lambda> at 0x7ff69366f9d8>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7ff6936700d0>})': Error banning 2002:***



Expected results:

Works well when triggered with an IPv4 address, and that is the reason why I don't understand where the root cause of this issue is located... because I would assume that in the case of IPv4 the IPv6 error would be thrown... but this is not the case.


Additional info:

The same config triggered with an IPv4 address results in

table inet firewalld {
        chain filter_IN_public_deny {
                ip6 saddr ::/0 tcp dport 8080 ct state { new, untracked } drop
                ip saddr 0.0.0.0/0 tcp dport 8080 ct state { new, untracked } drop
        }
}


Also note that it does not depend on the order, i.e. whether the IPv6 rule is created before the IPv4 rule.

Comment 1 Richard Shaw 2021-11-02 12:36:59 UTC
Was a workaround figured out here or is this still an issue?

Comment 2 Peter Bieringer 2021-11-16 21:16:03 UTC
No workaround known so far; the error message still appears (expected, but the version is still the same).

Comment 3 Fedora Admin user for bugzilla script actions 2022-01-05 00:10:11 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

Comment 4 Orion Poplawski 2022-01-11 04:08:45 UTC
Has this been reported upstream?

Comment 5 Peter Bieringer 2022-01-11 06:37:19 UTC
(In reply to Orion Poplawski from comment #4)
> Has this been reported upstream?

Not so far to my knowledge.

Comment 6 Orion Poplawski 2023-04-01 14:47:08 UTC
Please test out https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-1453d3ee4f and see if it helps with this issue.  Thanks.

Comment 7 Peter Bieringer 2023-04-07 13:33:12 UTC
Issue still exists:

2023-04-07 15:31:05,312 fail2ban.utils          [562949]: ERROR   7f9c600738f0 -- exec: ports="8080"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='0.0.0.0/0' port port='$p' protocol='tcp' drop"; done
2023-04-07 15:31:05,312 fail2ban.utils          [562949]: ERROR   7f9c600738f0 -- stderr: 'Error: INVALID_ADDR: 0.0.0.0/0'
2023-04-07 15:31:05,313 fail2ban.utils          [562949]: ERROR   7f9c600738f0 -- returned 105
2023-04-07 15:31:05,910 fail2ban.utils          [562949]: ERROR   7f9c600738f0 -- exec: ports="8080"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='0.0.0.0/0' port port='$p' protocol='tcp' drop"; done
2023-04-07 15:31:05,911 fail2ban.utils          [562949]: ERROR   7f9c600738f0 -- stderr: 'Error: INVALID_ADDR: 0.0.0.0/0'
2023-04-07 15:31:05,911 fail2ban.utils          [562949]: ERROR   7f9c600738f0 -- returned 105
2023-04-07 15:31:05,911 fail2ban.actions        [562949]: ERROR   Failed to execute ban jail 'PB-apache-useragent-java' action 'firewallcmd-rich-rules-apache-useragent-java-ipv4' info 'ActionInfo({'ip': '2001:a61:3b94:f001:7fdc:ab0c:723b:c87f', 'family': 'inet6', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f9c603652f0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f9c60365950>})': Error banning 2001:****:****:f001:****:****:****:****
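The failing command in the description and again in comment 7 carries the same mismatch: a rule declared `family='ipv6'` with an IPv4 source address, which firewall-cmd rejects as INVALID_ADDR. As an added example (not fail2ban's or firewalld's own code, and assuming the rule template exactly as quoted in the log lines above), the Python below builds the two family-specific rules this jail intends from fixed catch-all sources, refuses a family/address mismatch before anything would be handed to firewall-cmd, and scans fail2ban `exec:` log lines for rules that carry such a mismatch.

```python
import ipaddress
import re

# Rich rule fragment as it appears inside fail2ban's "exec:" log lines quoted in this report.
RULE_RE = re.compile(r"rule family='(?P<family>ipv[46])' source address='(?P<addr>[^']+)'")

def family_of(addr):
    """Return 'ipv4' or 'ipv6' for a host address or CIDR prefix (e.g. '0.0.0.0/0', '::/0')."""
    return "ipv%d" % ipaddress.ip_network(addr, strict=False).version

def rich_rule(family, source, port, protocol="tcp", blocktype="drop"):
    """Build the rule the firewallcmd-rich-rules template produces (as quoted in the log),
    but refuse the family/address mismatch that firewall-cmd rejects with INVALID_ADDR."""
    if family_of(source) != family:
        raise ValueError("family=%s does not match source address %s" % (family, source))
    return "rule family='%s' source address='%s' port port='%s' protocol='%s' %s" % (
        family, source, port, protocol, blocktype)

def expand_ports(spec):
    """Mimic the action's shell loop: ':' ranges become '-', commas separate entries."""
    return spec.replace(":", "-").replace(",", " ").split()

def dual_family_rules(port_spec, protocol="tcp", blocktype="drop"):
    """The two rules the reporter's jail intends (block the port for both families),
    built from fixed catch-all sources so the trigger address family cannot leak in."""
    rules = []
    for family, source in (("ipv6", "::/0"), ("ipv4", "0.0.0.0/0")):
        for p in expand_ports(port_spec):
            rules.append(rich_rule(family, source, p, protocol, blocktype))
    return rules

def find_mismatches(log_text):
    """Scan fail2ban 'exec:' log lines; return (family, address) pairs that disagree."""
    bad = []
    for line in log_text.splitlines():
        m = RULE_RE.search(line)
        if m and family_of(m["addr"]) != m["family"]:
            bad.append((m["family"], m["addr"]))
    return bad

# Constructed sample log: the rule quoted in the report's error, followed by a consistent one.
SAMPLE_LOG = """\
fail2ban.utils [1]: ERROR -- exec: firewall-cmd --add-rich-rule="rule family='ipv6' source address='0.0.0.0/0' port port='8080' protocol='tcp' drop"
fail2ban.utils [1]: ERROR -- exec: firewall-cmd --add-rich-rule="rule family='ipv6' source address='::/0' port port='8080' protocol='tcp' drop"
"""
```

Running `find_mismatches` over a real fail2ban log flags exactly the lines that will fail with INVALID_ADDR, independent of which family triggered the ban.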

