
fix(fail2ban): improve handling of fail2ban#7120

Draft
denis-ev wants to merge 1 commit into mailcow:staging from denis-ev:fix-negative-unban-timer-try-2

Conversation

@denis-ev
Contributor

@denis-ev denis-ev commented Mar 11, 2026

  • Still needs a long time test, as my previous PR worked until it didn't
  • I'll leave this open as Draft so others have the opportunity to test, I'm currently running the change on my system and will check regularly if I have any negative counters with unbanned IPs.

Contribution Guidelines

What does this PR include?

Fixes #5879

Short Description

Fixes fail2ban/netfilter so that bans are actually removed when they expire or when the user clicks unban. Previously, unban() returned early when the banned network was not in the in-memory bans dict: it only cleared F2B_QUEUE_UNBAN and did not remove the entry from F2B_ACTIVE_BANS or remove the firewall rule. That left IPs stuck in Redis and in the firewall, the UI timer went negative, and the unban button had no effect until the netfilter container was restarted.

This change makes unban always perform Redis cleanup and firewall unban when called (by autopurge on expiry or by the unban queue). The in-memory bans dict is only used for bookkeeping (attempts, ban_counter). Invalid or unparseable network strings are handled by still removing the entry from Redis and only skipping the firewall unban, so stale entries do not remain in the UI.

Affected Containers

  • netfilter-mailcow

Did you run tests?

What did you test?

  • Triggered multiple failed admin UI logins until an IP was banned.
  • Waited for the ban timer to expire (and, in another run, used the unban button before expiry).
  • Confirmed that the IP was removed from the active ban list and that connectivity was restored without restarting netfilter.
  • Confirmed that the unban button works for both recently banned IPs and for entries that had already expired (negative timer).

What were the final results? (Awaited, got)

So far IPs are getting unbanned as expected; this needs a bit of a longer runtime to properly check, as the previous PR only failed after a while and not instantly.
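The early return described in this PR and the fixed control flow, as an added example that is not mailcow's netfilter code: the Redis client, the firewall and the hash layout are in-memory stand-ins (assumed), and only the key names F2B_ACTIVE_BANS and F2B_QUEUE_UNBAN come from the PR description.

```python
import ipaddress

class FakeRedis:
    """In-memory stand-in for the two Redis hashes the PR touches (assumed layout)."""
    def __init__(self): self.hashes = {"F2B_ACTIVE_BANS": {}, "F2B_QUEUE_UNBAN": {}}
    def hset(self, key, field, value): self.hashes[key][field] = value
    def hdel(self, key, field): self.hashes[key].pop(field, None)
    def hkeys(self, key): return list(self.hashes[key])

class FakeFirewall:
    """Stand-in for the netfilter rule set; only tracks which nets are blocked."""
    def __init__(self): self.rules = set()
    def ban(self, net): self.rules.add(net)
    def unban(self, net): self.rules.discard(net)

def unban_before(r, fw, bans, net):
    """Pre-fix logic: returns early when net is missing from the in-memory dict."""
    r.hdel("F2B_QUEUE_UNBAN", net)
    if net not in bans:
        return False  # F2B_ACTIVE_BANS entry and firewall rule are left in place
    fw.unban(net)
    r.hdel("F2B_ACTIVE_BANS", net)
    del bans[net]
    return True

def unban_after(r, fw, bans, net):
    """Fixed logic: Redis cleanup always runs; only the firewall step needs a valid net."""
    r.hdel("F2B_QUEUE_UNBAN", net)
    r.hdel("F2B_ACTIVE_BANS", net)  # stale entry leaves the UI even if bans dict is empty
    try:
        ipaddress.ip_network(net, strict=False)
    except ValueError:
        return False  # unparseable network string: skip the firewall call only
    fw.unban(net)
    bans.pop(net, None)  # in-memory dict is bookkeeping only, never a precondition
    return True

def scenario(unban_fn, net="203.0.113.7/32"):
    """Ban a constructed sample net, then unban it while the bans dict is empty."""
    r, fw, bans = FakeRedis(), FakeFirewall(), {}
    r.hset("F2B_ACTIVE_BANS", net, "1")
    fw.ban(net)
    r.hset("F2B_QUEUE_UNBAN", net, "1")  # unban button pressed or autopurge fired
    unban_fn(r, fw, bans, net)
    return net in r.hkeys("F2B_ACTIVE_BANS"), net in fw.rules
```

scenario(unban_before) leaves the Redis entry and firewall rule behind, which is the stuck-ban state the PR describes; scenario(unban_after) clears both.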

@milkmaker
Collaborator

Thanks for contributing!

I noticed that you didn't select staging as your base branch. Please change the base branch to staging.
See the attached picture on how to change the base branch to staging:

[image: check_prs_if_on_staging.png]

@denis-ev denis-ev changed the base branch from master to staging March 11, 2026 03:28
@denis-ev denis-ev force-pushed the fix-negative-unban-timer-try-2 branch from 896e1d1 to dc53358 March 11, 2026 03:32
…cks for network validity and enhanced logging for unban operations. Ensured proper deletion from Redis and updated attempts and ban counters accordingly.
@denis-ev denis-ev force-pushed the fix-negative-unban-timer-try-2 branch from dc53358 to 09e2f84 March 11, 2026 03:45
