Bug 833046 - fail2ban: sometimes (frequently) fails to load iptable rules with multiple jails
Summary: fail2ban: sometimes (frequently) fails to load iptable rules with multiple jails
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: fail2ban
Version: el6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Orion Poplawski
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-06-18 13:27 UTC by Leonard den Ottolander
Modified: 2014-12-10 15:52 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-12-10 15:52:40 UTC
Type: Bug
Embargoed:



Description Leonard den Ottolander 2012-06-18 13:27:21 UTC
Description of problem:

Jails will sometimes fail to insert iptables rules, possibly due to timing issues.

This issue is in Debian's bug tracker:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=554162
which references a patch:
http://sourceforge.net/tracker/?func=detail&aid=2857096&group_id=121032&atid=689046.

This patch has not been incorporated in fail2ban-0.8.5 as provided at github (https://github.com/fail2ban/fail2ban).

Version-Release number of selected component (if applicable):
fail2ban-0.8.4-28.el6.noarch

How reproducible:
# fail2ban-client -x reload
a few times and check /var/log/messages for errors.

Actual results:
<date/time> <host> fail2ban.actions.action: ERROR  iptables -N fail2ban-dovecot#012iptables -A fail2ban-dovecot -j RETURN#012iptables -I INPUT -p tcp -m multiport --dports 110,995,143,993 -j fail2ban-dovecot returned 200

The insertion of iptables rules will fail for random jails. Occasionally they will all load successfully.

Expected results:
No errors

Comment 1 Leonard den Ottolander 2012-06-18 15:09:03 UTC
The patch mentioned above is for a different (also a timing) issue in server/action.py.

I believe the first link in the Debian report to be the same issue as the one I'm reporting:
http://sourceforge.net/tracker/?func=detail&aid=2870788&group_id=121032&atid=689044
that is iptables rules sometimes failing when starting multiple jails.

This issue can apparently be fixed by adding a sleep to __processCmd() in fail2ban-client.

(My confusion was caused by server/action.py sporting a function with the same name.)

Comment 2 Leonard den Ottolander 2012-06-18 15:30:01 UTC
Adding a sleep before executing each start up command seems to fix this issue:

--- fail2ban-client.000 2012-02-11 08:28:12.000000000 +0100
+++ fail2ban-client     2012-06-18 17:17:37.118368467 +0200
@@ -142,6 +142,7 @@ class Fail2banClient:
        def __processCmd(self, cmd, showRet = True):
                beautifier = Beautifier()
                for c in cmd:
+                       time.sleep(0.1)
                        beautifier.setInputCmd(c)
                        try:
                                client = CSocket(self.__conf["socket"])
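Review bot: the fixed `time.sleep(0.1)` inserted before each command masks the race rather than removing it: nothing in the hunk waits for the server to finish the previous command, so a slower host or a larger set of jails can still trigger the same `iptables -N` failure, and every startup command (including the first) now pays 100 ms of latency. The cleaner fix the comment itself suggests, blocking on the reply to `client.send(c)` before issuing the next command, would remove the timing dependency instead of tuning it. The hunk also does not show an `import time` in fail2ban-client; if the module does not already import it, the added line raises NameError on first use.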


See http://www.fail2ban.org/wiki/index.php/Fail2ban_talk:Community_Portal "fail2ban.actions.action ERROR on startup/restart". A cleaner solution would be to wait for client.send(c) to actually finish but that might require more code.
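
As an added defender-side check (not code from the bug report or from fail2ban itself), the following script parses error lines in the format quoted in the description, undoes the `#012` newline escaping that syslog applies to the multi-line action command, and reports which jails failed to install their iptables chain and how often. The log lines are constructed samples in that format, not the reporter's real output.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format shown in the report; syslog
# encodes the embedded newlines of the action command as "#012".
SAMPLE_LOG = """\
Jun 18 15:01:02 host fail2ban.actions.action: ERROR  iptables -N fail2ban-dovecot#012iptables -A fail2ban-dovecot -j RETURN#012iptables -I INPUT -p tcp -m multiport --dports 110,995,143,993 -j fail2ban-dovecot returned 200
Jun 18 15:01:02 host fail2ban.actions.action: INFO  Set actionStart = iptables -N fail2ban-ssh
Jun 18 15:01:03 host fail2ban.actions.action: ERROR  iptables -N fail2ban-ssh#012iptables -A fail2ban-ssh -j RETURN#012iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 200
Jun 18 15:01:03 host fail2ban.jail   : INFO  Jail 'postfix' started
"""

# Matches only the action ERROR lines and captures the command text and return code.
ERROR_RE = re.compile(
    r"fail2ban\.actions\.action: ERROR\s+(?P<cmds>.*?) returned (?P<rc>\d+)$"
)
# The chain created by actionStart is named after the jail.
CHAIN_RE = re.compile(r"iptables -N fail2ban-(?P<jail>\S+)")


def parse_action_errors(text):
    """Return a list of (jail, return_code, [commands]) for each failed actionStart."""
    failures = []
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if not m:
            continue
        cmds = m.group("cmds").split("#012")  # restore one command per entry
        jail = "unknown"
        for c in cmds:
            chain = CHAIN_RE.search(c)
            if chain:
                jail = chain.group("jail")
                break
        failures.append((jail, int(m.group("rc")), cmds))
    return failures


def failed_jails(text):
    """Map each jail whose chain setup failed to the number of failures seen."""
    counts = defaultdict(int)
    for jail, _rc, _cmds in parse_action_errors(text):
        counts[jail] += 1
    return dict(counts)


if __name__ == "__main__":
    for jail, rc, cmds in parse_action_errors(SAMPLE_LOG):
        print(f"jail={jail} rc={rc} failed_command_block={cmds[0]!r} ...")
    print(failed_jails(SAMPLE_LOG))
```

Run it over /var/log/messages after a few `fail2ban-client -x reload` cycles; a non-empty result means some jail's chain was not installed and `iptables -L fail2ban-<jail>` should be checked before trusting that jail.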

Comment 3 Orion Poplawski 2014-07-21 23:14:29 UTC
Please test with https://admin.fedoraproject.org/updates/fail2ban-0.8.13-1.el6 and see if that helps.

Comment 4 Leonard den Ottolander 2014-12-10 15:05:38 UTC
Sorry for responding so late. I haven't been paying attention to this issue since reporting it. As the issue was reported upstream and patched it is most likely fixed.

You can close this bug report FIXED. If I do come across rules not being inserted again I will open a new bug report.

Comment 5 Orion Poplawski 2014-12-10 15:52:40 UTC
Thanks.
