If fail2ban was using ipset as a backend, previously, fail2ban would create
e.g. a 'f2b-sshd' ipset on startup and delete it on shutdown. But the
iptables-store service would save this on shutdown too (and run before
fail2ban cleans it up), and then on boot, try to restore it before fail2ban
can create it again.
Thanks to Ryan Tsien and Mike Fisher for both their patience and explanations
on the bug. Quoting Mike on the fix:
> With this ordering, upon shutdown fail2ban stops, removing the iptables
> rule it inserted at the front of the INPUT chain, then iptables-store saves
> the remaining rules. Upon startup iptables-restore repopulates the bulk of
> the rules, then fail2ban starts and inserts itself back in the front of the
> chain after it creates the ipset.
Closes: https://bugs.gentoo.org/871996
Signed-off-by: Sam James <sam@gentoo.org>