Bug 129344
| Summary: | Connection tracking information lost when reloading firewall rules | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Aleksandar Milivojevic <alex> |
| Component: | iptables | Assignee: | Thomas Woerner <twoerner> |
| Status: | CLOSED NOTABUG | QA Contact: | Ben Levenson <benl> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | 2 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2004-08-23 12:14:40 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I've just noticed a typo I made. "Stateless fierwall" should read "statefull firewall". Stateless firewalls do not use connection tracking and are not impacted by this. Just set IPTABLES_MODULES_UNLOAD="no" in /etc/sysconfig/iptables-config. Closing as "NOT A BUG". |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1 Description of problem: If /etc/sysconfig/iptables file is edited, and than reloaded using iptables restart, connection tracking information is lost. This is because ip_conntrack module is unloaded during restart. If connection tracking match is used to build stateless firewall this might cause packets from previously established connection to be dropped. For example, take this two simplified rules for HTTP server: -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT When iptables restart is run, packets from connections established before iptables were restarted will start to get dropped until there is another packet from client to server (that would match NEW state). This will affect more seriously connections where traffic is mostly unidirectional, and direction of traffic matches second line that has only "ESTABLISHED" match. Possible solution for this would be to implement "reload" command in iptables script, that would ignore value of IPTABLES_MODULES_UNLOAD from /etc/sysconfig/iptables-config (or alternatively, there could be new variable IPTABLES_MODULES_UNLOAD_ON_RELOAD or such). Something along the lines: reload() { IPTABLES_MODULES_UNLOAD = "no" stop start } Version-Release number of selected component (if applicable): iptables-1.2.9-2.3.1 How reproducible: Always Steps to Reproduce: 1. Make sure IPTABLES_MODULES_UNLOAD is set to "yes" (default) 2. Restart firewall 3. Watch packets from previously established connections dropped Additional info: