[BR]: socket.getaddrinfo segfaults, fail2ban crash on host with ipv6 disabled. #3438
Comments
Well as already said rather a 3rd party issue (python's socket module is to blame here), but we can try to circumvent it also (for the case |
Hmm... the issue here is if I'll try to restrict |
Ticket open: python/cpython#100795
OK, 58834b6 must "fix" that, well basically circumvent the segfault (I also found a better way to auto-detect You can either update fail2ban/server/ipdns.py in python's modules under fail2ban manually (it should be compatible with 1.0.1 too), but do 2to3 first for the file (see example below)... At least you can give it an attempt without installing it... Try to do this in your docker where that was reproducible previously:

```bash
cd /tmp
git clone -b fix-gh-3438 --single-branch https://github.com/sebres/fail2ban.git /tmp/f2b-fix-gh-3438/
# or download and unpack https://github.com/sebres/fail2ban/archive/refs/heads/fix-gh-3438.zip
cd /tmp/f2b-fix-gh-3438
./fail2ban-2to3
PYTHONPATH=. python3 -c 'from fail2ban.server.ipdns import DNSUtils; print(DNSUtils.IPv6IsAllowed(), DNSUtils.dnsToIp("localhost"))'
PYTHONPATH=. python3 -c 'from fail2ban.server.ipdns import DNSUtils; print(DNSUtils.IPv6IsAllowed(), DNSUtils.dnsToIp("fail2ban_01"))'
```

The results must be something like |
@ptempier Is there any new information?
As further discussed on IRC, even disabling it in kernel by start doesn't avoid Since implementation of #3132 belongs to almost the same subject and may also help against this issue, I'll try to put my test branch iterating over addresses of interfaces (with |
Some info for future reference, some additional tests
Some not existing host
fail2ban_01 is the container on the host with ipv6 disabled
full backtrace :
Conclusion of the chat
OK, so it is confirmed... you can try to fix this module manually (remove INET6 and IPv6 family), I'll try to change it too for new f2b release
but it is basically python's error, so basically to be fixed there
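
An added illustration of the workaround discussed in this thread, not part of the issue and not fail2ban's own code: resolve a name one address family at a time and never ask `socket.getaddrinfo` for `AF_INET6` when IPv6 is not usable on the host. The function names, the sysctl-based detection and the injectable `resolver` parameter are assumptions of this example.

```python
import socket

# Linux sysctl reporting a global IPv6 disable ("1" = disabled); assumed detection method.
DISABLE_FLAG = "/proc/sys/net/ipv6/conf/all/disable_ipv6"

def ipv6_is_allowed(flag_path=DISABLE_FLAG):
    """Best-effort check that IPv6 is usable on this host."""
    if not socket.has_ipv6:           # interpreter built without IPv6 support
        return False
    try:
        with open(flag_path) as fh:
            return fh.read().strip() == "0"
    except OSError:
        pass                          # no sysctl available: fall back to a bind probe
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
            s.bind(("::1", 0))
        return True
    except OSError:
        return False

def dns_to_ip(name, ipv6_allowed=None, resolver=socket.getaddrinfo):
    """Resolve name per address family, skipping AF_INET6 when IPv6 is disabled."""
    if ipv6_allowed is None:
        ipv6_allowed = ipv6_is_allowed()
    families = [socket.AF_INET] + ([socket.AF_INET6] if ipv6_allowed else [])
    ips = set()
    for fam in families:
        try:
            for res in resolver(name, None, fam, 0, socket.IPPROTO_TCP):
                ips.add(res[4][0])    # sockaddr tuple starts with the address string
        except OSError:               # socket.gaierror is a subclass of OSError
            continue                  # a failure in one family must not lose the other
    return ips

if __name__ == "__main__":
    print(ipv6_is_allowed(), dns_to_ip("localhost"))
```

Passing `ipv6_allowed=False` explicitly forces the IPv4-only path regardless of what the detection reports.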