tallow not receiving a single message from journal - no IP is getting blocked

[Tereius]

I have noticed on my server (Arch) that not a single malicious IP has been blocked.

I debugged the code and notices that the sd_journal_next call always returns 0. So the while loop is always skipped (and no journal message will ever get parsed). I found this discussion https://github.com/systemd/systemd/pull/26577 which describes that a sd_journal_previous call directly after sd_journal_seek_tail is necessary to pull out journal messages with sd_journal_next.

So I applied this patch and tallow started working again.

diff --git a/src/tallow.c b/src/tallow.c
index 58e0fb4..2c9fc85 100644
--- a/src/tallow.c
+++ b/src/tallow.c
@@ -371,6 +371,7 @@ int main(void)
 
 	/* go to the tail and wait */
 	r = sd_journal_seek_tail(j);
+	sd_journal_previous(j);
 	sd_journal_wait(j, (uint64_t) 0);
 	dbg("sd_journal_seek_tail() returned %d\n", r);
 	while (sd_journal_next(j) != 0)
@@ -387,6 +388,7 @@ int main(void)
 		if (r == SD_JOURNAL_INVALIDATE) {
 			fprintf(stderr, "Journal was rotated, resetting\n");
 			sd_journal_seek_tail(j);
+			sd_journal_previous(j);
 		} else if (r == SD_JOURNAL_NOP) {
 			dbg("Timeout reached, waiting again\n");
 			continue;

Don't know if Clear Linux is also affected by this strange journal behavior.

[aversecat]

Correct. This fix looks good for me (tested on fedora 41).