Description: Masaki Furuta (RH), 2016-04-05 14:06:27 UTC
+++ This bug was initially created as a clone of Bug #1324101 +++
Description of problem:
1) Set or leave it as default IPTABLES_MODULES_UNLOAD="yes" in /etc/sysconfig/iptables.
I think /usr/libexec/iptables/iptables.init has a bug.
It still has the older version-check method, but on RHEL7 and Fedora I think we can safely assume we're using the newer modutils.
~~~
[root@localhost ~]# rpm -q iptables-services
iptables-services-1.4.21-16.fc24.x86_64
[root@localhost ~]# head -14 /etc/sysconfig/iptables-config
# Load additional iptables modules (nat helpers)
# Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES=""
# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"
~~~
2) Start iptables
~~~
[root@localhost ~]# systemctl start iptables
[root@localhost ~]# lsmod |grep '^nf_conntrack '
nf_conntrack 106496 2 xt_conntrack,nf_conntrack_ipv4
~~~
3) Stop iptables and nf_conntrack is still loaded.
~~~
[root@localhost ~]# systemctl stop iptables
[root@localhost ~]# lsmod |grep '^nf_conntrack '
nf_conntrack 106496 2 xt_conntrack,nf_conntrack_ipv4
~~~
The following patch will fix the issue.
[root@localhost ~]# diff -u /usr/libexec/iptables/iptables.init-2016-04-05 /usr/libexec/iptables/iptables.init
--- /usr/libexec/iptables/iptables.init-2016-04-05 2016-04-05 23:02:40.274944559 +0900
+++ /usr/libexec/iptables/iptables.init 2016-04-05 23:03:38.687006594 +0900
@@ -36,7 +36,7 @@
fi
# Old or new modutils
-/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
+/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \
&& NEW_MODUTILS=1 \
|| NEW_MODUTILS=0
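Review bot: with this hunk the fallback when neither banner matches is still `NEW_MODUTILS=0`, which is exactly the path the report shows producing an empty `$ref` on kmod systems, and the `-` line drops recognition of `module-init-tools`, so a RHEL6-style `modprobe --version` (`module-init-tools version 3.9`, as quoted later in the report) would now take the legacy bracket-parsing path. Suggest matching both banners, e.g. `grep -qE 'module-init-tools|kmod version'`, or inverting the test so that only the old modutils output selects `NEW_MODUTILS=0` and anything unrecognised defaults to the current lsmod format.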
~~~
[root@localhost ~]# systemctl start iptables
[root@localhost ~]# lsmod |grep '^nf_conntrack '
nf_conntrack 106496 2 xt_conntrack,nf_conntrack_ipv4
[root@localhost ~]# systemctl stop iptables
[root@localhost ~]# lsmod |grep '^nf_conntrack '
~~~
Version-Release number of selected component (if applicable):
iptables-services-1.4.21-16.fc24.x86_64
How reproducible:
Always
Steps to Reproduce:
1. Set or leave it as default IPTABLES_MODULES_UNLOAD="yes" in /etc/sysconfig/iptables.
2. Start iptables
3. Stop iptables and nf_conntrack is still loaded.
Actual results:
Expected results:
Additional info:
- /usr/libexec/iptables/iptables.init
~~~
44 # Old or new modutils
45 /sbin/modprobe --version 2>&1 | grep -q module-init-tools \ <===== This will fail!
46 && NEW_MODUTILS=1 \
47 || NEW_MODUTILS=0
<...>
71 rmmod_r() {
72 # Unload module with all referring modules.
73 # At first all referring modules will be unloaded, then the module itself.
74 local mod=$1
75 local ret=0
76 local ref=
77
78 # Get referring modules.
79 # New modutils have another output format.
80 [ $NEW_MODUTILS = 1 ] \
81 && ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \ <========= This'll also fail!
82 || ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
83
84 # recursive call for all referring modules
85 for i in $ref; do <=========== This has no modules
86 rmmod_r $i <=========== Finally this'll fail.
87 let ret+=$?;
88 done
<...>
256 stop() {
257 # Do not stop if iptables module is not loaded.
258 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
259
260 # Set default chain policy to ACCEPT, in order to not break shutdown
261 # on systems where the default policy is DROP and root device is
262 # network-based (i.e.: iSCSI, NFS)
263 set_policy ACCEPT
264 # And then, flush the rules and delete chains
265 flush_n_delete
266
267 if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
268 echo -n $"${IPTABLES}: Unloading modules: "
269 ret=0
270 for mod in ${NF_MODULES[*]}; do
271 rmmod_r $mod
272 let ret+=$?;
273 done
274 # try to unload remaining netfilter modules used by ipv4 and ipv6
275 # netfilter
276 for mod in ${NF_MODULES_COMMON[*]}; do
277 rmmod_r $mod >/dev/null
278 done
~~~
RHEL6 has the 'module-init-tools' string.
RHEL6.7:
~~~
[root@el67 ~]# modprobe --version
module-init-tools version 3.9
~~~
RHEL7 and newer don't have it, so it won't be detected as NEW_MODUTILS; because of that, $ref is empty, the dependencies of nf_conntrack are not resolved, and nf_conntrack remains loaded.
RHEL7.2:
~~~
[root@localhost ~]# /sbin/modprobe --version
kmod version 20
~~~
Fedora23:
~~~
[root@f23] modprobe --version
kmod version 22
+XZ +ZLIB -EXPERIMENTAL
~~~
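To see the two code paths of the init script side by side without loading or unloading real kernel modules, here is an added example (my own, not code from the bug report or from the iptables-services package) that re-implements the "Old or new modutils" check and the rmmod_r dependency walk in POSIX shell and runs them over constructed lsmod text. The names detect_modutils, referring_modules, walk_unload and unload_order are chosen for this example, the lsmod output is constructed, and the parser anchors on `^${mod} ` (with a trailing space) rather than the script's `^${mod}`, so that nf_conntrack does not also match nf_conntrack_ipv4.

```shell
#!/bin/sh
# Added example, not code from the bug report or from iptables-services.
# It simulates the "Old or new modutils" check and the rmmod_r walk of
# /usr/libexec/iptables/iptables.init over constructed lsmod text, so the
# empty-$ref failure can be reproduced without touching a real kernel.
# detect_modutils, referring_modules, walk_unload and unload_order are
# names chosen for this example.

# Constructed lsmod output in the format printed by kmod and by
# module-init-tools: column 4 is a comma-separated list of referrers.
LSMOD_KMOD='Module                  Size  Used by
xt_conntrack           16384  1
nf_conntrack_ipv4      16384  1
nf_conntrack          106496  2 xt_conntrack,nf_conntrack_ipv4
x_tables               36864  1 xt_conntrack'

# Constructed lsmod output in the old modutils format, where the
# referrers are listed inside square brackets.
LSMOD_LEGACY='Module                  Size  Used by
nf_conntrack          106496  2 [xt_conntrack nf_conntrack_ipv4]'

# Version check as in the init script, but accepting kmod's banner too.
# Prints 1 for new-style lsmod output, 0 for old-style.
detect_modutils() {
    if printf '%s\n' "$1" | grep -qE 'module-init-tools|kmod version'; then
        echo 1
    else
        echo 0
    fi
}

# Referrers of module $2 in the lsmod text $1, parsed the way rmmod_r
# does it: column 4 via awk when $3 is 1, bracket splitting when it is 0.
# Anchoring on "^${mod} " (note the space) avoids matching nf_conntrack_ipv4
# when looking for nf_conntrack; the original script anchors on "^${mod}".
referring_modules() {
    if [ "$3" = 1 ]; then
        printf '%s\n' "$1" | awk "/^$2 / { print \$4; }" | tr ',' ' '
    else
        printf '%s\n' "$1" | grep "^$2 " | cut -d '[' -s -f 2 | cut -d ']' -s -f 1
    fi
}

# Simulated rmmod_r: unload every referrer first, then the module itself.
# Instead of calling rmmod, each module is appended to UNLOADED.
UNLOADED=''
walk_unload() {
    local lsmod_text mod new ref
    lsmod_text=$1; mod=$2; new=$3
    case " $UNLOADED " in *" $mod "*) return 0 ;; esac
    for ref in $(referring_modules "$lsmod_text" "$mod" "$new"); do
        walk_unload "$lsmod_text" "$ref" "$new"
    done
    UNLOADED="$UNLOADED $mod"
}

# Prints the order in which modules would be unloaded for module $2.
unload_order() {
    UNLOADED=''
    walk_unload "$1" "$2" "$3"
    echo "${UNLOADED# }"
}

for banner in 'module-init-tools version 3.9' 'kmod version 20'; do
    printf '%-30s -> NEW_MODUTILS=%s\n' "$banner" "$(detect_modutils "$banner")"
done
echo "kmod lsmod, old parser  : $(unload_order "$LSMOD_KMOD" nf_conntrack 0)"
echo "kmod lsmod, new parser  : $(unload_order "$LSMOD_KMOD" nf_conntrack 1)"
echo "legacy lsmod, old parser: $(unload_order "$LSMOD_LEGACY" nf_conntrack 0)"
```

Run it with sh or bash. The "old parser" line over kmod-format output shows the failure from the report: the bracket-splitting branch finds no referrers, so the walk tries nf_conntrack alone, which on a real system is the rmmod that fails because xt_conntrack and nf_conntrack_ipv4 still hold it. With the detection fixed, the walk unloads xt_conntrack and nf_conntrack_ipv4 first and nf_conntrack last.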
Comment 2: Masaki Furuta (RH), 2016-04-05 14:53:21 UTC
(In reply to Masaki Furuta from comment #0)
> 80 [ $NEW_MODUTILS = 1 ] \
> 81 && ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \ <========= This'll also fail!
I mean... it doesn't fail, but '&&' and what follows are not executed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2016-2521.html