Bugzilla – Bug 12119
Freshclam can't update on Linux Machines running IPv4 only
Last modified: 2018-05-31 15:18:35 EDT
Seems that no machine running IPv4 only is able to update because freshclam fails to fall back to IPv4:
ClamAV update process started at Fri May 18 11:04:42 2018
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.99.4 Recommended version: 0.100.0
DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
ERROR: Can't create new socket: Address family not supported by protocol
WARNING: getpatch: Can't download daily-24574.cdiff from db.gb.clamav.net
Trying host db.gb.clamav.net (2400:cb00:2048:1::6810:bd8a)...
ERROR: Can't create new socket: Address family not supported by protocol
WARNING: getpatch: Can't download daily-24574.cdiff from db.gb.clamav.net
Trying host db.gb.clamav.net (2400:cb00:2048:1::6810:bb8a)...
ERROR: Can't create new socket: Address family not supported by protocol
WARNING: getpatch: Can't download daily-24574.cdiff from db.gb.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
ERROR: Can't create new socket: Address family not supported by protocol
WARNING: Can't download daily.cvd from db.gb.clamav.net
Trying again in 5 secs...
ClamAV update process started at Fri May 18 11:04:48 2018
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.99.4 Recommended version: 0.100.0
DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Trying host db.gb.clamav.net (2400:cb00:2048:1::6810:bb8a)...
ERROR: Can't create new socket: Address family not supported by protocol
WARNING: getpatch: Can't download daily-24574.cdiff from db.gb.clamav.net
Trying host db.gb.clamav.net (2400:cb00:2048:1::6810:bb8a)...
ERROR: Can't create new socket: Address family not supported by protocol
WARNING: getpatch: Can't download daily-24574.cdiff from db.gb.clamav.net
Trying host db.gb.clamav.net (2400:cb00:2048:1::6810:bd8a)...
ERROR: Can't create new socket: Address family not supported by protocol
WARNING: getpatch: Can't download daily-24574.cdiff from db.gb.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Trying host db.gb.clamav.net (2400:cb00:2048:1::6810:bc8a)...
ERROR: Can't create new socket: Address family not supported by protocol
WARNING: Can't download daily.cvd from db.gb.clamav.net
Trying again in 5 secs...
ClamAV update process started at Fri May 18 11:04:53 2018
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.99.4 Recommended version: 0.100.0
DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Trying host db.gb.clamav.net (2400:cb00:2048:1::6810:bc8a)...
ERROR: Can't create new socket: Address family not supported by protocol
WARNING: getpatch: Can't download daily-24574.cdiff from db.gb.clamav.net
Trying host db.gb.clamav.net (2400:cb00:2048:1::6810:bc8a)...
ERROR: Can't create new socket: Address family not supported by protocol
WARNING: getpatch: Can't download daily-24574.cdiff from db.gb.clamav.net
Trying host db.gb.clamav.net (2400:cb00:2048:1::6810:bd8a)...
ERROR: Can't create new socket: Address family not supported by protocol
ERROR: getpatch: Can't download daily-24574.cdiff from db.gb.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Trying host db.gb.clamav.net (2400:cb00:2048:1::6810:b98a)...
ERROR: Can't create new socket: Address family not supported by protocol
ERROR: Can't download daily.cvd from db.gb.clamav.net
Giving up on db.gb.clamav.net...
ClamAV update process started at Fri May 18 11:04:54 2018
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.99.4 Recommended version: 0.100.0
DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Trying host db.si.clamav.net (2400:cb00:2048:1::6810:ba8a)...
ERROR: Can't create new socket: Address family not supported by protocol
WARNING: getpatch: Can't download daily-24574.cdiff from db.si.clamav.net
Trying host db.si.clamav.net (2400:cb00:2048:1::6810:bd8a)...
ERROR: Can't create new socket: Address family not supported by protocol
WARNING: getpatch: Can't download daily-24574.cdiff from db.si.clamav.net
Trying host db.si.clamav.net (2400:cb00:2048:1::6810:b98a)...
ERROR: Can't create new socket: Address family not supported by protocol
ERROR: getpatch: Can't download daily-24574.cdiff from db.si.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Trying host db.si.clamav.net (2400:cb00:2048:1::6810:bd8a)...
ERROR: Can't create new socket: Address family not supported by protocol
ERROR: Can't download daily.cvd from db.si.clamav.net
Giving up on db.si.clamav.net...
ClamAV update process started at Fri May 18 11:04:54 2018
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.99.4 Recommended version: 0.100.0
DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Trying host db.local.clamav.net (2400:cb00:2048:1::6810:b98a)...
ERROR: Can't create new socket: Address family not supported by protocol
WARNING: getpatch: Can't download daily-24574.cdiff from db.local.clamav.net
Trying host db.local.clamav.net (2400:cb00:2048:1::6810:bd8a)...
ERROR: Can't create new socket: Address family not supported by protocol
WARNING: getpatch: Can't download daily-24574.cdiff from db.local.clamav.net
Trying host db.local.clamav.net (2400:cb00:2048:1::6810:bb8a)...
ERROR: Can't create new socket: Address family not supported by protocol
ERROR: getpatch: Can't download daily-24574.cdiff from db.local.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Trying host db.local.clamav.net (2400:cb00:2048:1::6810:bd8a)...
ERROR: Can't create new socket: Address family not supported by protocol
ERROR: Can't download daily.cvd from db.local.clamav.net
Giving up on db.local.clamav.net...
Update failed. Your network may be down or none of the mirrors listed in /etc/freshclam.conf is working. Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
Here is a patch: --- clamav-0.99.4/freshclam/manager.c.orig 2018-02-16 23:20:09.000000000 +0000 +++ clamav-0.99.4/freshclam/manager.c 2018-05-18 11:43:09.601669844 +0100 @@ -231,6 +231,7 @@ hints.ai_family = AF_INET; #endif hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_ADDRCONFIG; snprintf (port_s, sizeof (port_s), "%d", port); port_s[sizeof (port_s) - 1] = 0; ret = getaddrinfo (hostpt, port_s, &hints, &res);
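Review bot: The added hints.ai_flags = AI_ADDRCONFIG; line after hints.ai_socktype = SOCK_STREAM; is unguarded and uses plain assignment. The lines just above it end an #if/#endif block, so this function is already built conditionally, and AI_ADDRCONFIG is not defined on every platform; wrapping the new line in #ifdef AI_ADDRCONFIG would keep such targets building. Using |= rather than = would preserve any flag set on hints earlier in the function, which is outside the visible context. A one-line comment saying the flag is there so getaddrinfo does not return IPv6 addresses on hosts with no IPv6 address configured would help, and it is worth confirming that the code consuming ret from the getaddrinfo call reports a clear message when the flag leaves no usable address.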
Thank you Guilherme!
Thanks for pointing out the issue and double-thanks for suggesting a patch. I will attempt to replicate the situation to validate the patch. I have asked those who manage the mirror infrastructure what can be done to alleviate the issue for those on IPv4-only systems.
This is probably related: http://lists.clamav.net/pipermail/clamav-users/2018-May/006228.html
It seems that db.gb wasn't working right but is now fixed. Please delete your /usr/local/share/clamav/mirrors.dat file and try again. I wouldn't be surprised if you resolve an IPv4 address now rather quickly.
I tried to replicate your exact scenario using a machine with IPv6 disabled. I always got an IPv4 mirror from db.gb.clamav.net and db.si.clamav.net. I resorted to testing with db.us.ipv6.clamav.net to see the error messages you saw. It is verbose with the error output, but eventually, after trying a half-dozen different IPv6 addresses, it abandoned db.us.ipv6.clamav.net and immediately resolved an IPv4 mirror from db.gb.clamav.net. Suffice to say that the behavior is essentially as expected, even though the output is not ideal.
I applied the patch and tried again, and instead of a half-dozen failed attempts with IPv6 addresses, it immediately gives up on the domain and tries a different one. Perhaps this is because I was trying with a db.XX.ipv6.clamav.net domain that won't offer IPv4 mirror addresses -- I can't be sure since I can't replicate the exact scenario you saw.
So with all that said... Can you please try again and tell me if it's working now that db.gb.clamav.net is fixed?
It is also worth mentioning that you should try deleting mirrors.dat before you retry, in case IPs are being skipped due to previous network issues.
Could you please attach a listing of freshclam --list-mirrors?
Patch looks ok. But how about ipv6 enabled systems, where it is not really used and system has only ipv6 link-local addresses fe80: .. getaddrinfo(3) manual doesn't quite explain what happens in that scenario.
(In reply to Mika Ilmaranta from comment #7)
> Patch looks ok. But how about ipv6 enabled systems, where it is not really
> used and system has only ipv6 link-local addresses fe80: ..
>
> getaddrinfo(3) manual doesn't quite explain what happens in that scenario.
I agree, neither the Linux man pages nor the Windows MSDN equivalent are explicit about this. MSDN does state that the loopback addresses aren't considered valid global addresses, but doesn't call out link-local. Regardless, after some searching, it appears that setting ai_flags to AI_ADDRCONFIG should disregard link-local.
https://stackoverflow.com/questions/14443686/getaddrinfo-for-ipv6-link-local
https://bugzilla.redhat.com/show_bug.cgi?id=697149
https://bugzilla.redhat.com/show_bug.cgi?id=505105
Tuomo Soini and I had an extended conversation about this yesterday and I came to the conclusion that the patch is an improvement so that freshclam doesn't even try IPv6 in cases where it won't work. However, the real cause of the problem where freshclam was failing to update was a result of the IPs having been blacklisted during transition to a new CDN during which DNS was returning a new set of IPs (v4 & v6) but the CDN wasn't enabled yet for those IPs. This is at least my current theory. The IPs were getting blacklisted by freshclam, and then once they were up, freshclam continued to ignore them.
This is why Tuomo asked for the output of `freshclam --list-mirrors`. We're curious if all of the mirror entries are marked "Ignore: yes". In this case, deleting the mirrors.dat file in the database directory (/usr/local/share/clamav/mirrors.dat) should resolve the issue for the time being.
I will apply the patch and see if we can investigate the best way to retry 'Ignored' mirror IPs in the event that all of the IPs are ignored, or the ignore occurred some time in the past and is worth a retry.
At the time we were having the issue the output of 'freshclam --list-mirrors' was:
freshclam --list-mirrors
Mirror #1
IP: 104.16.188.138
Successes: 0
Failures: 1
Last access: Fri May 18 13:11:35 2018
Ignore: No
-------------------------------------
Mirror #2
IP: 104.16.187.138
Successes: 0
Failures: 2
Last access: Fri May 18 13:11:45 2018
Ignore: Yes
-------------------------------------
Mirror #3
IP: 104.16.186.138
Successes: 0
Failures: 1
Last access: Fri May 18 13:11:46 2018
Ignore: No
-------------------------------------
Mirror #4
IP: 104.16.189.138
Successes: 1
Failures: 0
Last access: Fri May 18 13:11:46 2018
Ignore: No
After the patch it has every Mirror marked as "Ignored" but it's working.
All zones that should be pointed at the CDN are now enabled. Please test, starting now, that everything is working.
Guilherme, I have added your patch to our development branch for v0.101 and the upcoming v0.100.1 patch release.
0.101: https://github.com/Cisco-Talos/clamav-devel/commit/f4861c670167a7a109340c1f8579a55205acbd8a
0.100.1: https://github.com/Cisco-Talos/clamav-devel/commit/9fd6d90afab40b5e3e3fe456d337eecce670fa50
Thanks for submitting the improvement. Please continue to submit patches as necessary. We'll investigate the possibility for improving or removing the 'ignore'/mirrors.dat feature as well for v0.101.