
Bug 1872759

Summary: fail2ban-shorewall requires change to include shorewall-lite or shorewall
Product: [Fedora] Fedora EPEL
Reporter: William H. Haller <bill>
Component: fail2ban
Assignee: Richard Shaw <hobbes1069>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: epel7
CC: anon.amish, axel.thimm, hobbes1069, orion, vonsch
Hardware: x86_64
OS: Linux
Fixed In Version: fail2ban-0.11.1-10.fc34
Last Closed: 2020-08-28 11:50:50 UTC
Type: Bug

Description William H. Haller 2020-08-26 15:04:02 UTC
Description of problem: Current fail2ban-shorewall requires shorewall. Should require either shorewall or shorewall-lite.


Version-Release number of selected component (if applicable):
fail2ban-shorewall-0.11.1-9.el7.2.noarch

Additional info: shorewall is only needed on a system that creates firewalls. If just running a firewall you can use shorewall-lite. We push firewalls out to many virtuals that run shorewall-lite. For those that are internet facing, we install fail2ban-shorewall (and have been just adding shorewall to their package list to make fail2ban-shorewall happy). It would be nice if fail2ban-shorewall would be happy with either shorewall or shorewall-lite. Not a huge problem but also might be simple to fix.

Comment 1 Richard Shaw 2020-08-27 11:48:09 UTC
I don't think rpm in EL 7 can handle this well. In Fedora (and EL 8 I *think*) we have Recommends: and Suggests: which might be one path to fix the problem, but no such options in EL 7.

Looking at the provides of both packages:

$ sudo repoquery --provides shorewall-lite
config(shorewall-lite) = 5.1.10.2-1.el7
shorewall(firewall) = 5.1.10.2-1.el7
shorewall-lite = 5.1.10.2-1.el7

$ sudo repoquery --provides shorewall
config(shorewall) = 5.1.10.2-1.el7
perl(Shorewall::ARP) = 5.0
perl(Shorewall::Accounting) = 5.1
perl(Shorewall::Chains) = 5.1
perl(Shorewall::Compiler) = 5.1
perl(Shorewall::Config) = 5.1
perl(Shorewall::IPAddrs) = 5.1
perl(Shorewall::Misc) = 5.1
perl(Shorewall::Nat) = 5.1
perl(Shorewall::Proc) = 4.6
perl(Shorewall::Providers) = 5.1
perl(Shorewall::Proxyarp) = 5.1
perl(Shorewall::Raw) = 5.0
perl(Shorewall::Rules) = 5.1
perl(Shorewall::Tc) = 5.1
perl(Shorewall::Tunnels) = 5.0
perl(Shorewall::Zones) = 5.1
shorewall = 5.1.10.2-1.el7
shorewall(firewall) = 5.1.10.2-1.el7

The only thing they have in common is "shorewall(firewall)". I think what we can do is I can change the requirement to that so that either package satisfies the dependency, however, I can't control which package yum chooses so I would suggest that you install shorewall-lite first and yum *SHOULD* accept that as meeting the requirements and not install shorewall.

Testing on the epel7 test server it does pull in shorewall-lite by default, which I'm not thrilled about...

$ sudo yum install "shorewall(firewall)"
Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: d36uatko69830t.cloudfront.net
 * epel: mirrors.kernel.org
 * extras: d36uatko69830t.cloudfront.net
 * updates: d36uatko69830t.cloudfront.net
Resolving Dependencies
--> Running transaction check
---> Package shorewall-lite.noarch 0:5.1.10.2-1.el7 will be installed
--> Processing Dependency: shorewall-core = 5.1.10.2-1.el7 for package: shorewall-lite-5.1.10.2-1.el7.noarch
--> Running transaction check
---> Package shorewall-core.noarch 0:5.1.10.2-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================================
 Package                         Arch                    Version                           Repository             Size
=======================================================================================================================
Installing:
 shorewall-lite                  noarch                  5.1.10.2-1.el7                    epel                   63 k
Installing for dependencies:
 shorewall-core                  noarch                  5.1.10.2-1.el7                    epel                   82 k

Transaction Summary
=======================================================================================================================
Install  1 Package (+1 Dependent package)


I'll have to think about this.
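
The comparison made by eye in Comment 1, as an added example that is not part of the original thread or the fail2ban packaging: it strips versions from two `repoquery --provides` listings and prints the capability names both packages provide. The function names and the embedded sample (a subset of the output quoted above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: find the capabilities two packages both provide.
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# Subset of the `repoquery --provides` output quoted in Comment 1.
LITE='config(shorewall-lite) = 5.1.10.2-1.el7
shorewall(firewall) = 5.1.10.2-1.el7
shorewall-lite = 5.1.10.2-1.el7'

FULL='config(shorewall) = 5.1.10.2-1.el7
perl(Shorewall::ARP) = 5.0
perl(Shorewall::Zones) = 5.1
shorewall = 5.1.10.2-1.el7
shorewall(firewall) = 5.1.10.2-1.el7'

# Reduce "name = version" lines to sorted, unique capability names.
provide_names() {
    sed -e 's/[[:space:]][<>=]\{1,2\}[[:space:]].*$//' \
        -e '/^[[:space:]]*$/d' | sort -u
}

# common_provides LISTING_A LISTING_B: names present in both listings.
common_provides() {
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    printf '%s\n' "$1" | provide_names > "$a"
    printf '%s\n' "$2" | provide_names > "$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

# Stand-alone run on the sample listings.
common_provides "$LITE" "$FULL"
```

On a host, pass `"$(repoquery --provides shorewall-lite)"` and `"$(repoquery --provides shorewall)"` as the two arguments. A name that appears in the result is one a `Requires:` can target so that either package satisfies it.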

Comment 2 Richard Shaw 2020-08-27 11:49:04 UTC
On Fedora EPEL 8 I can add a recommends for plain shorewall but can't do that on EL 7.

Comment 3 Richard Shaw 2020-08-27 12:12:36 UTC
Ok, different strategy. I created a fail2ban-shorewall-lite subpackage which conflicts with fail2ban-shorewall so only one or the other can be installed as they provide the same file.

https://koji.fedoraproject.org/koji/taskinfo?taskID=50243307

You can download all the build artifacts for testing using:

koji download-task 50243532

Comment 4 William H. Haller 2020-08-27 13:31:41 UTC
I think a separate fail2ban-shorewall-lite package would be a good approach if adding another package wasn't a problem for anyone. Not trying to make waves - but I think it would be a useful option. I'd think there would be more installs of shorewall-lite (for anyone who has a centralized firewall creation server) than shorewall.

It would certainly be better than having to depend on randomness of yum/dnf or remember to not install shorewall first (especially for those like me that said why install shorewall and shorewall-lite and just deleted the shorewall package that wasn't needed in trying to keep virtual images as small as possible).

Thanks for your time and I hope adding fail2ban-shorewall-lite passes the approval process.

Comment 5 Richard Shaw 2020-08-27 16:29:43 UTC
If you would, please test my scratch build before I do real builds. There's no approval process other than me. :)

Comment 6 William H. Haller 2020-08-27 16:53:30 UTC
Hit a block. I'm running FC32 on the shorewall server, which doesn't satisfy python 3.9 for fail2ban-server and el7's python is only at 2.7.5-88.

Comment 7 Richard Shaw 2020-08-27 17:22:01 UTC
My fault, I assumed since it was a noarch package it really wouldn't matter but you do need EL 7 specific packages.

https://koji.fedoraproject.org/koji/taskinfo?taskID=50261492

Comment 8 William H. Haller 2020-08-27 18:55:19 UTC
rpm -e --justdb fail2ban-shorewall followed by rpm -ivh fail2ban-shorewall-lite seemed to work fine.

Comment 9 Orion Poplawski 2020-08-27 19:38:20 UTC
FYI, I would have suggested:

yum swap fail2ban-shorewall fail2ban-shorewall-lite

Comment 10 Fedora Update System 2020-08-28 11:50:50 UTC
FEDORA-2020-3071e15f57 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.