Bug 103943
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Problem with the Nat table in iptables 1.2.8 | | |
| Product | [Retired] Red Hat Linux | Reporter | oracle <webmaster> |
| Component | iptables | Assignee | Thomas Woerner <twoerner> |
| Status | CLOSED DUPLICATE | QA Contact | Ben Levenson <benl> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 7.3 | Keywords | Security |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | i686 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2006-02-21 18:58:30 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Description
oracle
2003-09-08 04:52:59 UTC
Which iptables and kernel version are you using? Can you send me your /etc/sysconfig/iptables?

IPTables version 1.2.8
Kernel 2.4.20-20

I can't send /etc/sysconfig/iptables cos I ain't using that, I have my own custom script that kicks in after /etc/init.d/iptables. And noooo it ain't my script, that I am confident in, cos it doesn't have the nat table loaded (which is needed before my script). My script is just calling for the 'Nat' table.

I need more information:
- which iptables (full version string)
- which kernel (full version string)
- a test case

Created attachment 94559 [details]
IPTables config file from RedHat 7.3

This is a config file that was known to be working until upgrading to IPTables 1.2.8 and kernel 2.4.20.

I've had the exact same problems on my system. Rebooting works, but restarting the iptables service does not. Previously, the iptables init.d script did not unload and load the iptables modules. A quick solution would be to modify the script to leave the modules alone.

I've attached a working iptables config file that no longer works with the iptables 1.2.8 + kernel 2.4.20 combination.

Linux kernel 2.4.20-20.7
IPTables 1.2.8

That is all the information I have ... I cannot repeat the problem so I don't have a test case ... I just know since the update it has failed a few times ... I tried re-loading the modules but that seems to produce error messages as if the modules don't work, maybe?

I have the same problems on my system and can reproduce it.

Versions:
RedHat 7.1
iptables-1.2.8-8.72.3
kernel-2.4.20-20.7

Additional modules loaded: ip_conntrack_ftp ip_nat_ftp (in that order)

After a fresh restart of the system there is no problem doing a "service iptables restart". The problem starts when a client on the network starts an ftp session towards the internet. Both passive and active sessions trigger the problem. "service iptables restart" will get stuck. ps -aux indicates that the system is very busy with:

modprobe -r ip_conntrack_ftp

It indicates that about 98% CPU is used. I certainly hope that this problem can be solved. It is unclear to me if other vulnerabilities are present when someone has used ftp. Anyway iptables and/or the kernel seem to have a problem.

Additional detail: Without the modules ip_conntrack_ftp ip_nat_ftp loaded there is no problem.

*** This bug has been marked as a duplicate of 103177 ***

Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
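The comments above describe "service iptables restart" wedging in its stop phase, inside "modprobe -r ip_conntrack_ftp", and one reporter suggests changing the init script to leave the modules alone. The following is an added example, not code from the report, from Red Hat's init script or from the iptables project: a POSIX shell sketch of that approach, which replaces the ruleset with iptables-restore and never unloads the helper modules. The point a practitioner should keep in mind is that the Red Hat init script's stop phase flushes the chains and resets the built-in policies to ACCEPT before it reaches the module unload, so a restart that hangs in modprobe -r leaves the host unfiltered until someone intervenes; a single iptables-restore commit has no such window. The rules path and the /proc/modules snapshot below are assumptions of the example, not values taken from the report.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Red Hat's init script.
# Reload iptables rules without the "stop; start" sequence that the reporters
# saw hang in "modprobe -r ip_conntrack_ftp".
#
# Assumptions (mine, not taken from the report):
#   - the ruleset is kept in iptables-save format; the default path below is
#     hypothetical
#   - /proc/modules is in the Linux 2.4 layout:
#       name  size  use_count  [(flags)]  [[dependants]]

DEFAULT_RULES=/etc/sysconfig/iptables   # hypothetical default path

# module_use_count NAME [MODULES_FILE]
# Print the use count of NAME from a /proc/modules snapshot, or -1 if it is
# not loaded. Pure text processing, so it also works on a saved copy.
module_use_count() {
    awk -v m="$1" '
        $1 == m { print $3; found = 1; exit }
        END { if (!found) print -1 }
    ' "${2:-/proc/modules}"
}

# helpers_loaded [MODULES_FILE]
# List the loaded connection-tracking / NAT helper modules (ip_conntrack_*,
# ip_nat_*), one per line.
helpers_loaded() {
    awk '$1 ~ /^ip_(conntrack|nat)_/ { print $1 }' "${1:-/proc/modules}"
}

# helpers_in_use [MODULES_FILE]
# Same list, restricted to helpers whose use count is above zero, i.e. the
# ones a recursive module unload would have to contend with.
helpers_in_use() {
    awk '$1 ~ /^ip_(conntrack|nat)_/ && $3 > 0 { print $1 }' "${1:-/proc/modules}"
}

# reload_rules [RULES_FILE]
# Replace the whole ruleset in one iptables-restore commit. Each table is
# swapped atomically by the kernel, so there is no interval with flushed
# chains and a default ACCEPT policy, and no module is ever removed.
reload_rules() {
    rules=${1:-$DEFAULT_RULES}
    if [ ! -r "$rules" ]; then
        echo "reload_rules: cannot read $rules" >&2
        return 1
    fi
    iptables-restore < "$rules"
}

# Constructed /proc/modules snapshot in the 2.4 layout (not captured from the
# reporters' machines). ip_conntrack_ftp has a use count of 1 because
# ip_nat_ftp depends on it, which is why "modprobe -r ip_conntrack_ftp" must
# take ip_nat_ftp down first.
SAMPLE_MODULES=$(mktemp)
trap 'rm -f "$SAMPLE_MODULES"' EXIT
cat > "$SAMPLE_MODULES" <<'EOF'
ip_nat_ftp              3376   0 (unused)
ip_conntrack_ftp        4112   1 [ip_nat_ftp]
iptable_nat            20156   1 [ip_nat_ftp]
ip_conntrack           26976   3 [ip_nat_ftp ip_conntrack_ftp iptable_nat]
iptable_filter          2412   1 (autoclean)
ip_tables              15072   2 [iptable_nat iptable_filter]
EOF

if [ "${1:-}" = "--apply" ]; then
    # Real run: report helper state from the live /proc/modules, then swap
    # the rules in place. Nothing is unloaded.
    echo "helpers loaded: $(helpers_loaded | tr '\n' ' ')"
    echo "helpers in use: $(helpers_in_use | tr '\n' ' ')"
    reload_rules "${2:-}"
else
    # Dry run against the constructed snapshot only.
    echo "ip_conntrack_ftp use count: $(module_use_count ip_conntrack_ftp "$SAMPLE_MODULES")"
    echo "helpers in use: $(helpers_in_use "$SAMPLE_MODULES" | tr '\n' ' ')"
fi
```

Run it with no arguments to exercise the parsing against the constructed snapshot; "--apply [rules-file]" performs the live reload and needs root and an iptables-restore binary. The helper-module queries are informational: the script never calls modprobe -r, which is the whole point of the approach the reporter suggested.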