firewall-cmd fails on shutdown #48

Closed
marcosfrm opened this issue Oct 7, 2015 · 5 comments

@marcosfrm
Contributor

CentOS 7 + EPEL here, firewalld-0.3.9-11.el7.noarch. The fail2ban-firewalld package sets the firewall-cmd/ipset action; see

https://bugzilla.redhat.com/show_bug.cgi?id=979622

On shutdown, fail2ban calls:

```
firewall-cmd --direct --remove-rule ipv4 filter INPUT 0 -p XXX -m multiport --dports XXX -m set --match-set fail2ban-XXX src -j REJECT --reject-with icmp-port-unreachable
ipset flush fail2ban-XXX
ipset destroy fail2ban-XXX
```

But firewall-cmd fails with (excerpt from /var/log/fail2ban.log):

```
Traceback (most recent call last):
  File "/usr/bin/firewall-cmd", line 703, in <module>
    fw = FirewallClient()
  File "<string>", line 2, in __init__
  File "/usr/lib/python2.7/site-packages/firewall/client.py", line 52, in handle_exceptions
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/firewall/client.py", line 1594, in __init__
    self.bus = dbus.SystemBus()
  File "/usr/lib64/python2.7/site-packages/dbus/_dbus.py", line 194, in __new__
    private=private)
  File "/usr/lib64/python2.7/site-packages/dbus/_dbus.py", line 100, in __new__
    bus = BusConnection.__new__(subclass, bus_type, mainloop=mainloop)
  File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 122, in __new__
    bus = cls._new_for_bus(address_or_type, mainloop=mainloop)
    dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoServer: Failed to connect to socket /var/run/dbus/system_bus_socket: Conex\xc3\xa3o recusada
```

"Conex\xc3\xa3o recusada" is "Connection refused".

And then ipset also fails:

```
ipset v6.19: Set cannot be destroyed: it is in use by a kernel component
```

It only fails this way on system shutdown. When I restart fail2ban.service all works as it should.

On Fedora 22 it works as expected.

@t-woerner
Collaborator

This means that firewalld has already been stopped in the shutdown process by systemd. There is no way to talk to firewalld anymore at this moment. fail2ban should make sure to make this change before firewalld has been stopped by systemd.

@marcosfrm
Contributor Author

http://thread.gmane.org/gmane.comp.sysutils.systemd.devel/29959/focus=29971

See Lennart's other responses too.

The solution is simply After=dbus.service in the [Unit] section of firewalld.service. Now it is working fine here; fail2ban jails are stopped correctly.

@marcosfrm
Contributor Author

I forgot to say that the ordering between firewalld and fail2ban is OK. The problem is that without After=dbus.service, systemd does not guarantee that the D-Bus daemon will be running when firewalld is stopped on shutdown.

@marcosfrm
Contributor Author

@t-woerner, thanks for modifying firewalld.service in 2948525. However, After=syslog.target does nothing; you can remove it.

http://lists.opensuse.org/opensuse-packaging/2013-05/msg00102.html

@marcosfrm
Contributor Author

Fixed in 0.4.0.
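
The ordering rule discussed in this thread, as an added example that is not part of the original issue or of firewalld's code: systemd stops units in the reverse of their After= order, so this sketch checks whether one unit is guaranteed to stop before another. The unit file contents are constructed for illustration, and it assumes every listed unit gets a stop job at shutdown.

```python
# Constructed, minimal unit files for illustration (not the distribution's real ones).
UNITS_BEFORE_FIX = {
    "dbus.service": "[Unit]\nDescription=D-Bus\n",
    "firewalld.service": "[Unit]\nDescription=firewalld\n",
    "fail2ban.service": "[Unit]\nAfter=firewalld.service\n[Install]\nWantedBy=multi-user.target\n",
}
# Same units with the ordering line from this thread added to firewalld.service.
UNITS_AFTER_FIX = dict(UNITS_BEFORE_FIX)
UNITS_AFTER_FIX["firewalld.service"] = "[Unit]\nDescription=firewalld\nAfter=dbus.service\n"


def ordering_edges(units):
    """Map each unit to the set of units it is ordered After=, folding in Before=."""
    after = {name: set() for name in units}
    for name, text in units.items():
        section = None
        for line in text.splitlines():
            line = line.strip()
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif section == "Unit" and "=" in line and not line.startswith(("#", ";")):
                key, _, value = line.partition("=")
                key = key.strip()
                for other in value.split():
                    if key == "After":
                        after[name].add(other)
                    elif key == "Before":  # "A Before=B" is the same edge as "B After=A"
                        after.setdefault(other, set()).add(name)
    return after


def stops_before(units, first, second):
    """True if `first` is guaranteed to stop before `second` at shutdown.

    Stop order is the reverse of start order, so this holds exactly when
    `first` is (transitively) ordered After= `second`. Without such an edge
    the two stop jobs may run in parallel and nothing is guaranteed.
    """
    after = ordering_edges(units)
    seen, todo = set(), [first]
    while todo:
        for dep in after.get(todo.pop(), ()):
            if dep == second:
                return True
            if dep not in seen:
                seen.add(dep)
                todo.append(dep)
    return False


if __name__ == "__main__":
    for label, units in (("before fix", UNITS_BEFORE_FIX), ("after fix", UNITS_AFTER_FIX)):
        ok = stops_before(units, "firewalld.service", "dbus.service")
        print(f"{label}: firewalld guaranteed to stop before dbus = {ok}")
```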
