Bug 1324101
| Summary: | nf_conntrack won't be unloaded even with IPTABLES_MODULES_UNLOAD="yes" | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Masaki Furuta ( RH ) <mfuruta> |
| Component: | iptables | Assignee: | Thomas Woerner <twoerner> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | jpopelka, twoerner |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1324102 (view as bug list) | Environment: | |
| Last Closed: | 2016-04-13 17:23:37 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1324102 | | |
(In reply to Masaki Furuta from comment #0)
> 80     [ $NEW_MODUTILS = 1 ] \
> 81         && ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \    <========= This'll also fail!

I mean... it doesn't fail, but '&&' and what follows are not executed.

Fixed in rawhide in package iptables-1.6.0-1.fc25
Description of problem:

1) Set or leave it as default IPTABLES_MODULES_UNLOAD="yes" in /etc/sysconfig/iptables.

I think /usr/libexec/iptables/iptables.init has a bug. It still has the older version check method, but on RHEL7 and Fedora I think we can assume we're using newer modutils safely.

~~~
[root@localhost ~]# rpm -q iptables-services
iptables-services-1.4.21-16.fc24.x86_64
[root@localhost ~]# head -14 /etc/sysconfig/iptables-config
# Load additional iptables modules (nat helpers)
#   Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES=""

# Unload modules on restart and stop
#   Value: yes|no,  default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"
~~~

2) Start iptables

~~~
[root@localhost ~]# systemctl start iptables
[root@localhost ~]# lsmod |grep '^nf_conntrack '
nf_conntrack          106496  2 xt_conntrack,nf_conntrack_ipv4
~~~

3) Stop iptables and nf_conntrack is still loaded.

~~~
[root@localhost ~]# systemctl stop iptables
[root@localhost ~]# lsmod |grep '^nf_conntrack '
nf_conntrack          106496  2 xt_conntrack,nf_conntrack_ipv4
~~~

The following patch will fix the issue.

~~~
[root@localhost ~]# diff -u /usr/libexec/iptables/iptables.init-2016-04-05 /usr/libexec/iptables/iptables.init
--- /usr/libexec/iptables/iptables.init-2016-04-05	2016-04-05 23:02:40.274944559 +0900
+++ /usr/libexec/iptables/iptables.init	2016-04-05 23:03:38.687006594 +0900
@@ -36,7 +36,7 @@
 fi
 # Old or new modutils
-/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
+/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \
     && NEW_MODUTILS=1 \
     || NEW_MODUTILS=0
~~~

~~~
[root@localhost ~]# systemctl start iptables
[root@localhost ~]# lsmod |grep '^nf_conntrack '
nf_conntrack          106496  2 xt_conntrack,nf_conntrack_ipv4
[root@localhost ~]# systemctl stop iptables
[root@localhost ~]# lsmod |grep '^nf_conntrack '
~~~

Version-Release number of selected component (if applicable):
iptables-services-1.4.21-16.fc24.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Set or leave it as default IPTABLES_MODULES_UNLOAD="yes" in /etc/sysconfig/iptables.
2. Start iptables
3. Stop iptables and nf_conntrack is still loaded.

Actual results:

Expected results:

Additional info:

- /usr/libexec/iptables/iptables.init

~~~
 44 # Old or new modutils
 45 /sbin/modprobe --version 2>&1 | grep -q module-init-tools \    <===== This will fail!
 46     && NEW_MODUTILS=1 \
 47     || NEW_MODUTILS=0
<...>
 71 rmmod_r() {
 72     # Unload module with all referring modules.
 73     # At first all referring modules will be unloaded, then the module itself.
 74     local mod=$1
 75     local ret=0
 76     local ref=
 77 
 78     # Get referring modules.
 79     # New modutils have another output format.
 80     [ $NEW_MODUTILS = 1 ] \
 81         && ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \    <========= This'll also fail!
 82         || ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
 83 
 84     # recursive call for all referring modules
 85     for i in $ref; do    <=========== This has no modules
 86         rmmod_r $i    <=========== Finally this'll fail.
 87         let ret+=$?;
 88     done
<...>
256 stop() {
257     # Do not stop if iptables module is not loaded.
258     [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
259 
260     # Set default chain policy to ACCEPT, in order to not break shutdown
261     # on systems where the default policy is DROP and root device is
262     # network-based (i.e.: iSCSI, NFS)
263     set_policy ACCEPT
264     # And then, flush the rules and delete chains
265     flush_n_delete
266 
267     if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
268         echo -n $"${IPTABLES}: Unloading modules: "
269         ret=0
270         for mod in ${NF_MODULES[*]}; do
271             rmmod_r $mod
272             let ret+=$?;
273         done
274         # try to unload remaining netfilter modules used by ipv4 and ipv6
275         # netfilter
276         for mod in ${NF_MODULES_COMMON[*]}; do
277             rmmod_r $mod >/dev/null
278         done
~~~

RHEL6 has the 'module-init-tools' string.

RHEL6.7:
~~~
[root@el67 ~]# modprobe --version
module-init-tools version 3.9
~~~

RHEL7 and newer don't have it, so it won't be detected as NEW_MODUTILS; because of that, $ref is empty, the dependency of nf_conntrack is not resolved, and nf_conntrack remains loaded.

RHEL7.2:
~~~
[root@localhost ~]# /sbin/modprobe --version
kmod version 20
~~~

Fedora23:
~~~
[root@f23] modprobe --version
kmod version 22 +XZ +ZLIB -EXPERIMENTAL
~~~
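Review bot: the `+` line only matches kmod, so on a module-init-tools host (the RHEL6.7 output quoted below prints `module-init-tools version 3.9`) NEW_MODUTILS flips from 1 to 0 and rmmod_r takes the `cut -d "[" -s -f 2` branch that the script reserves for the older bracketed lsmod format, which is the same "empty $ref, nothing unloaded" failure this report describes, just on the other release. If the init script must keep working on both, match either string (`grep -qE 'module-init-tools|kmod version'`); if the description's assumption that RHEL7 and Fedora always ship kmod is accepted, drop the `modprobe --version` probe and the NEW_MODUTILS=0 branch altogether rather than keying the behaviour off a version banner.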
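As an added illustration (not code from this bug report or from the iptables package), the two lsmod lookups that rmmod_r chooses between, run as a dry run against a constructed lsmod sample in the kmod column format shown above: the awk branch yields the referring modules and a post-order unload list, while the bracket-format branch yields nothing, which is why nf_conntrack stays loaded. The referring-module match uses the exact module name rather than the script's `/^${mod}/` prefix match, so `nf_conntrack` does not also hit `nf_conntrack_ipv4`.

```shell
#!/bin/sh
# Constructed lsmod output (sample data, mimics the kmod format in the report).
SAMPLE_LSMOD='Module                  Size  Used by
nf_conntrack_ipv4      16384  1
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
xt_conntrack           16384  1
nf_conntrack          106496  2 xt_conntrack,nf_conntrack_ipv4
iptable_filter         16384  1
ip_tables              24576  1 iptable_filter'

# The NEW_MODUTILS=1 branch: referring modules from the 4th lsmod column
# ("Used by"), comma list turned into words. Exact match on the module name,
# so no dependency on modprobe's version banner and no prefix collisions.
mod_refs() {
    printf '%s\n' "$SAMPLE_LSMOD" | awk -v m="$1" '$1 == m { print $4 }' | tr ',' ' '
}

# The NEW_MODUTILS=0 branch: expects a "[referrers]" bracket format that kmod
# never prints, so the cut -s calls drop every line and $ref ends up empty.
legacy_refs() {
    printf '%s\n' "$SAMPLE_LSMOD" | grep "^$1" | cut -d "[" -s -f 2 | cut -d "]" -s -f 1
}

# Post-order walk mirroring rmmod_r: dependents first, then the module itself.
# Prints the order rmmod would have to be called in instead of calling it.
unload_order() {
    for dep in $(mod_refs "$1"); do
        unload_order "$dep"
    done
    printf '%s\n' "$1"
}

# Stand-alone run: show both branches for nf_conntrack.
printf 'kmod-format refs:   "%s"\n' "$(mod_refs nf_conntrack)"
printf 'bracket-format refs: "%s"\n' "$(legacy_refs nf_conntrack)"
printf 'unload order: %s\n' "$(echo $(unload_order nf_conntrack))"
```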