commit: e48605a688cd3ca9724c129c07924babab308e0a Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Sat Aug 30 14:22:08 2025 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Sat Aug 30 14:41:06 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e48605a6
net-analyzer/fail2ban: improve systemd unit ordering If fail2ban was using ipset as a backend, previously, fail2ban would create e.g. a 'f2b-sshd' ipset on startup and delete it on shutdown. But the ipstables-store service would save this on shutdown too (and run before fail2ban cleans it up), and then on boot, try to restore it before fail2ban can create it again. Thanks to Ryan Tsien and Mike Fisher for both their patience and explanations on the bug. Quoting Mike on the fix: > With this ordering, upon shutdown fail2ban stops, removing the iptables > rule it inserted at the front of the INPUT chain, then iptables-store saves > the remaining rules. Upon startup iptables-restore repopulates the bulk of > the rules, then fail2ban starts and inserts itself back in the front of the > chain after it creates the ipset. Closes: https://bugs.gentoo.org/871996 Signed-off-by: Sam James <sam <AT> gentoo.org> .../{fail2ban-9999.ebuild => fail2ban-1.1.0-r4.ebuild} | 6 +++++- net-analyzer/fail2ban/fail2ban-9999.ebuild | 1 + .../fail2ban/files/fail2ban-1.1.0-systemd-order.patch | 14 ++++++++++++++ 3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/net-analyzer/fail2ban/fail2ban-9999.ebuild b/net-analyzer/fail2ban/fail2ban-1.1.0-r4.ebuild
similarity index 93%
copy from net-analyzer/fail2ban/fail2ban-9999.ebuild
copy to net-analyzer/fail2ban/fail2ban-1.1.0-r4.ebuild
index 3202e7ba5294..49a53ad4ae0f 100644
--- a/net-analyzer/fail2ban/fail2ban-9999.ebuild
+++ b/net-analyzer/fail2ban/fail2ban-1.1.0-r4.ebuild
@@ -15,7 +15,7 @@ if [[ ${PV} == *9999 ]] ; then
 inherit git-r3
 else
 SRC_URI="https://github.com/fail2ban/fail2ban/archive/${PV}.tar.gz -> ${P}.tar.gz"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86"
 fi
 
 LICENSE="GPL-2"
@@ -55,6 +55,10 @@ DOCS=( ChangeLog DEVELOP README.md THANKS TODO doc/run-rootless.txt )
 PATCHES=(
 "${FILESDIR}"/${PN}-0.11.2-adjust-apache-logs-paths.patch
 "${FILESDIR}"/${PN}-1.0.2-umask-tests.patch
+"${FILESDIR}"/${PN}-1.1.0-openssh-9.8.patch
+"${FILESDIR}"/${PN}-1.1.0-openssh-9.8-fixups.patch
+"${FILESDIR}"/${PN}-1.1.0-openrc-nftables.patch
+"${FILESDIR}"/${PN}-1.1.0-systemd-order.patch
 )
 
 src_prepare() {
diff --git a/net-analyzer/fail2ban/fail2ban-9999.ebuild b/net-analyzer/fail2ban/fail2ban-9999.ebuild
index 3202e7ba5294..768e6cb64ce5 100644
--- a/net-analyzer/fail2ban/fail2ban-9999.ebuild
+++ b/net-analyzer/fail2ban/fail2ban-9999.ebuild
@@ -55,6 +55,7 @@ DOCS=( ChangeLog DEVELOP README.md THANKS TODO doc/run-rootless.txt )
 PATCHES=(
 "${FILESDIR}"/${PN}-0.11.2-adjust-apache-logs-paths.patch
 "${FILESDIR}"/${PN}-1.0.2-umask-tests.patch
+"${FILESDIR}"/${PN}-1.1.0-systemd-order.patch
 )
 
 src_prepare() {
diff --git a/net-analyzer/fail2ban/files/fail2ban-1.1.0-systemd-order.patch b/net-analyzer/fail2ban/files/fail2ban-1.1.0-systemd-order.patch
new file mode 100644
index 000000000000..39da720466ef
--- /dev/null
+++ b/net-analyzer/fail2ban/files/fail2ban-1.1.0-systemd-order.patch
@@ -0,0 +1,14 @@
+https://bugs.gentoo.org/871996
+--- a/files/fail2ban.service.in
++++ b/files/fail2ban.service.in
+@@ -1,7 +1,10 @@
+ [Unit]
+ Description=Fail2Ban Service
+ Documentation=man:fail2ban(1)
++
++Before=iptables-store.service ip6tables-store.service
+ After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
++After=iptables-restore.service ip6tables-restore.service
+ PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service
+ 
+ [Service]
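Review bot: The `Before=iptables-store.service ip6tables-store.service` line in the new fail2ban.service.in hunk only yields the stop order the commit message describes if iptables-store is a unit that is started during shutdown (a save in ExecStart pulled in by the shutdown target), because systemd orders a stop job before a start job whichever direction the edge points; if that unit instead saved rules from ExecStop while running, `Before=` would stop fail2ban after the save and reproduce the original bug. I cannot confirm the Gentoo iptables-store implementation from this page, so this is an assumption to verify, and it is worth recording in the patch header above the `---` line, e.g. `fail2ban must stop before iptables-store saves and start after iptables-restore; relies on iptables-store.service being a shutdown-time start job (bug 871996)`. The same store/restore pattern is not covered for the nftables backend even though the r4 ebuild also applies an openrc-nftables patch; if the equivalent nftables-store/nftables-restore units exist, the same ordering likely applies and should be added or the omission noted in the header. Since the header currently holds only the bug URL, a one-line statement that the unit names are Gentoo-specific and the patch is not intended for upstream would also help the next maintainer.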
