fail2ban: Use a managed firewalld ipset

The firewalld direct interface is deprecated and will be removed in a future release[1]. Recently IPv4 connectivity inside docker containers on our runners broke and after some troubleshooting, the issue was pinpointed to the start of the fail2ban service. We also had issues in the past where sometimes firewalld had to be restarted after boot before network connectivity worked in libvirt on our runners.

The issuse may be due to a bug in the way fail2ban use the direct interface, a bug in firewalld or a combination thereof. Let's just avoid the direct interface altogether and create a clean separation, with firewalld handling the blocking and fail2ban maintaining the ipset.

[1] https://firewalld.org/documentation/man-pages/firewalld.direct.html

added 1 commit

• 0a9fad18 - fixup! fail2ban: Use a managed firewalld ipset

Compare with previous version

marked this merge request as draft from klausenbusk/infrastructure@0a9fad18

Deployed on runner1.archlinux.org, runner3.archlinux.org and secure-runner1.archlinux.org.

added 1 commit

• d8e5d350 - fail2ban: Use a managed firewalld ipset

Compare with previous version

marked this merge request as ready

approved this merge request

added 2 commits

• c370c9d0 - 1 commit from branch archlinux:master
• f154263e - fail2ban: Use a managed firewalld ipset

Compare with previous version

Doesn't this also fix #571 (closed)?

added 1 commit

• 95e19506 - fail2ban: Use a managed firewalld ipset

Compare with previous version

reset approvals from @foutrelis by pushing to the branch

resolved all threads

requested review from @gromit

approved this merge request

resolved all threads

mentioned in issue #571 (closed)

Deployed on every nodes with the fail2ban role.

mentioned in commit ee91fbe3

merged