On 20/03/21 at 11:06, Laurent Bigonville wrote:
On 20/03/21 at 09:58, Sylvestre Ledru wrote:
control: severity -1 normal
control: thanks
On 19/03/2021 at 23:53, Laurent Bigonville wrote:
Package: fail2ban
Version: 0.11.2-1
Severity: serious
Hello,
Making this RC as this could cause ordering issues during boot and
firewalling rules not being properly applied, feel free to downgrade
It seems that the deb_no_iptables_service patch removes nftables.service
from PartOf=, but recent nftables is shipping this service and the
bullseye defaults to nft as well
Shouldn't nftables.service be readded?
Not sure I understand why you think this was serious?
AFAIK, it has been this way for a long time and didn't cause
significant issues?!
Bullseye will use nftables by default instead of iptables from what I
understand.
PartOf=nftables.service means that if nftables.service is
restarted/stopped, fail2ban.service will be restarted/stopped too.
So if the user uses nftables.service to restore nftables rules, it's
possible that fail2ban still thinks that its rules are still present in
the firewall and it will not readd them as it's not being restarted.
OK, I see. The problem is that firewalld is adding
"Conflicts=iptables.service ip6tables.service ebtables.service
ipset.service nftables.service" meaning that it would create a
dependency issue between the fail2ban.service, firewalld.service and
nftables.service
But that still means that the integration with nftables is not perfect
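To make the PartOf=/Conflicts= interaction discussed above concrete, here is an added Python model of the two propagation rules systemd applies (PartOf= forwards stop/restart from the listed unit to the dependent one; Conflicts= stops the listed units when this one starts, in both directions). This is example code, not part of the bug report nor of the fail2ban, firewalld or nftables packages; the unit texts are constructed, and only firewalld's Conflicts= line is taken from the thread. The model ignores whether a unit is installed or active, so it reports what systemd would try to stop, not the final state of a real boot.

```python
"""Model the systemd PartOf=/Conflicts= interactions from the fail2ban bug.

Added example, not project code. Unit texts are constructed samples; only
the firewalld Conflicts= line is the one quoted in the thread.
"""
from collections import defaultdict

# systemd dependency keys whose values are space-separated unit lists
LIST_KEYS = {"PartOf", "Conflicts", "After", "Before", "Requires", "Wants"}


def parse_unit(text):
    """Minimal systemd unit parser: returns {section: {key: [values...]}}.

    Repeated list keys append; an empty assignment ("Key=") resets the list,
    matching systemd's own behaviour.
    """
    sections = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in LIST_KEYS:
            if value == "":
                sections[section][key] = []
            else:
                sections[section][key].extend(value.split())
        else:
            sections[section][key].append(value)
    return sections


def unit_list(units, name, key):
    """Values of a [Unit] list key for `name`, or [] if absent."""
    return units.get(name, {}).get("Unit", {}).get(key, [])


def stop_propagation(units, stopped):
    """Units systemd also stops/restarts when `stopped` is stopped/restarted.

    PartOf= propagates stop and restart (not start) from the listed unit to
    the unit declaring it, transitively.
    """
    result, frontier = set(), [stopped]
    while frontier:
        current = frontier.pop()
        for name in units:
            if current in unit_list(units, name, "PartOf") and name not in result:
                result.add(name)
                frontier.append(name)
    return result


def conflicts(units, name):
    """Units that may not run alongside `name`: Conflicts= is symmetric."""
    declared = set(unit_list(units, name, "Conflicts"))
    reverse = {o for o in units if name in unit_list(units, o, "Conflicts")}
    return declared | reverse


def start_stops(units, started):
    """Everything stopped when `started` starts: its conflicts plus whatever
    PartOf= drags down with them."""
    stopped = set()
    for victim in conflicts(units, started):
        stopped.add(victim)
        stopped |= stop_propagation(units, victim)
    return stopped


# Constructed sample units (assumptions, not the packaged files).
NFTABLES = "[Unit]\nDescription=nftables (constructed sample)\n"

FIREWALLD = """[Unit]
Description=firewalld (constructed sample; Conflicts= as quoted in the thread)
Conflicts=iptables.service ip6tables.service ebtables.service ipset.service nftables.service
"""

FAIL2BAN_AS_PATCHED = """[Unit]
Description=Fail2Ban (constructed: nftables.service absent from PartOf=)
PartOf=firewalld.service
"""

FAIL2BAN_READDED = """[Unit]
Description=Fail2Ban (constructed: nftables.service re-added to PartOf=)
PartOf=firewalld.service nftables.service
"""


def build(fail2ban_text):
    return {"nftables.service": parse_unit(NFTABLES),
            "firewalld.service": parse_unit(FIREWALLD),
            "fail2ban.service": parse_unit(fail2ban_text)}


def restarted_with_nftables(fail2ban_text):
    """Units restarted along with nftables.service (Laurent's concern)."""
    return sorted(stop_propagation(build(fail2ban_text), "nftables.service"))


def stopped_by_starting_firewalld(fail2ban_text):
    """Units stopped when firewalld.service starts (Sylvestre's concern)."""
    return sorted(start_stops(build(fail2ban_text), "firewalld.service"))


if __name__ == "__main__":
    for label, text in (("as patched", FAIL2BAN_AS_PATCHED), ("re-added", FAIL2BAN_READDED)):
        print(label, "nftables restart ->", restarted_with_nftables(text))
        print(label, "firewalld start  ->", stopped_by_starting_firewalld(text))
```

With nftables.service absent from PartOf=, restarting nftables.service leaves fail2ban.service running, so a reloaded ruleset can silently lose the fail2ban chains; with it re-added, the restart propagates, but starting firewalld.service now also stops fail2ban.service through the nftables.service conflict even though fail2ban declares itself PartOf=firewalld.service, which is the dependency tension described in the last reply.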