Bug 199906

Summary: iptable_nat, ip_conntrack drivers are loaded after sysreport run
Product: Red Hat Enterprise Linux 4
Reporter: masanari iida <masanari_iida>
Component: sysreport
Assignee: Than Ngo <than>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 4.0
CC: eparis
Hardware: All
OS: Linux
Fixed In Version: RHBA-2006-0723
Doc Type: Bug Fix
Last Closed: 2006-11-16 19:58:00 UTC
Attachments:
  Patch to add --nofirewall switch to deny the probing of iptables rules. (flags: none)
  final fix (flags: none)

Description masanari iida 2006-07-24 08:39:21 UTC
Description of problem:
Even though I didn't configure or load iptables drivers into the kernel,
after running sysreport the drivers are loaded.

Version-Release number of selected component (if applicable):
sysreport-1.3.15-5

How reproducible:

Steps to Reproduce:
1. Confirm no iptables drivers are loaded.
# lsmod |grep ip
dm_multipath           22345  0
ipv6                  240097  14
dm_mod                 58949  7 dm_multipath,dm_snapshot,dm_zero,dm_mirror

2. run sysreport

3. Check for iptables modules again.
# lsmod |grep ip

Actual results:
iptable_nat, ip_conntrack, iptable_filter and ip_tables are loaded.
They were not loaded before the sysreport run.

# lsmod |grep ip
iptable_nat            27229  0
ip_conntrack           45573  1 iptable_nat
iptable_filter          6721  0
ip_tables              21441  2 iptable_nat,iptable_filter
dm_multipath           22345  0
ipv6                  240097  16
dm_mod                 58949  7 dm_multipath,dm_snapshot,dm_zero,dm_mirror


Expected results:
iptables-related drivers are not installed after sysreport runs.

# lsmod |grep ip
dm_multipath           22345  0
ipv6                  240097  14
dm_mod                 58949  7 dm_multipath,dm_snapshot,dm_zero,dm_mirror


Additional info:
After I updated the system, I ran sysreport to record the latest system config.
That was a few months ago. Then I got the following error message from the
ip_conntrack module, even though I didn't configure it myself.

Jul 18 17:44:41 abc001 kernel: ip_conntrack: table full, dropping packet.
Jul 18 17:44:46 abc001 kernel: NET: 1492 messages suppressed.
Jul 18 17:44:46 abc001 kernel: ip_conntrack: table full, dropping packet.
Jul 18 17:44:51 abc001 kernel: NET: 1782 messages suppressed.

It turned out that the iptables-related drivers were loaded when I ran sysreport
a long time ago.
I believe sysreport should not change which kernel modules are loaded.
If it really requires ip_conntrack, it may load it temporarily.
But at least sysreport should change it back to what it used to be.

It is because sysreport issues "iptables -t nat" that iptable_nat and
ip_conntrack are loaded into the kernel.

ip_conntrack not only reports the number of connections,
it also limits the number of connections; if it exceeds ip_conntrack_max,
then "ip_conntrack: table full, dropping packet." is logged.

AND even though the customer sets a custom ip_conntrack_max value in sysctl.conf,
it is not used when ip_conntrack is loaded by a command. (Only when rc.sysinit
is executed at system boot is sysctl.conf applied. But at that moment the
network is still not active and the ip_conntrack driver may not be loaded... so
it is useless.) The bad news is that the default value of ip_conntrack_max is
not large enough for a heavily loaded system.

This is why I believe sysreport should unload ip_conntrack if it was
not loaded before it runs.

(Request for fix)
(1) sysreport should not keep forgetting the iptable_nat and ip_conntrack drivers.
(2) The iptables startup script should read /etc/sysctl.conf to find
    net.ipv4.netfilter.ip_conntrack_max. If it exists, the iptables startup
    script should set the custom value after ip_conntrack is loaded.

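The two behaviours the report asks for, restoring the module list after a probe that autoloads netfilter modules and re-applying ip_conntrack_max from sysctl.conf once ip_conntrack is loaded, as an added example in POSIX sh. This is not sysreport's code and not the fix that shipped in RHBA-2006-0723 (which simply skips the iptables probe by default); it assumes lsmod, modprobe and sysctl are on PATH, that the wrappers run as root, and that lsmod lists the most recently loaded module first, so dependents come before the modules they use.

```shell
#!/bin/sh
# Added example, not sysreport's own code: keep a probe such as
# "iptables -t nat -L -n" from leaving autoloaded netfilter modules behind,
# and push the ip_conntrack_max from sysctl.conf into the kernel after
# ip_conntrack is loaded. Assumes lsmod, modprobe and sysctl exist and that
# probe_and_restore / apply_conntrack_max are run as root.

# Reduce lsmod output to module names, dropping the "Module Size Used by" header.
module_names() {
    awk 'NR > 1 { print $1 }'
}

# Print modules present in the second newline-separated list but absent from
# the first, preserving lsmod order. Assumption: lsmod lists newest first, so
# a module precedes everything it depends on and the output is a safe unload
# order (iptable_nat, ip_conntrack, iptable_filter, ip_tables in the report).
newly_loaded() {
    seen=" $(printf '%s' "$1" | tr '\n' ' ') "
    printf '%s\n' "$2" | while IFS= read -r m; do
        [ -n "$m" ] || continue
        case "$seen" in
            *" $m "*) ;;                 # already loaded before the probe
            *) printf '%s\n' "$m" ;;     # pulled in by the probe
        esac
    done
}

# Extract net.ipv4.netfilter.ip_conntrack_max from a sysctl.conf-style file.
# Last assignment wins, as with "sysctl -p"; prints nothing if it is unset.
conntrack_max_from_conf() {
    sed -n 's/^[[:space:]]*net\.ipv4\.netfilter\.ip_conntrack_max[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Request (2) from the report: once ip_conntrack has been loaded, apply the
# configured limit, because a value written at boot before the module existed
# never took effect. Takes an optional sysctl.conf path.
apply_conntrack_max() {
    v=$(conntrack_max_from_conf "${1:-/etc/sysctl.conf}")
    [ -n "$v" ] || return 0
    sysctl -w "net.ipv4.netfilter.ip_conntrack_max=$v"
}

# Run a probe command, then unload every module it autoloaded.
# Usage: probe_and_restore iptables -t nat -L -n
probe_and_restore() {
    before=$(lsmod | module_names)
    "$@"
    after=$(lsmod | module_names)
    newly_loaded "$before" "$after" | while IFS= read -r m; do
        modprobe -r "$m" 2>/dev/null || echo "could not unload $m" >&2
    done
}
```

The pure helpers (module_names, newly_loaded, conntrack_max_from_conf) can be exercised without root on the lsmod listings quoted in the report; only probe_and_restore and apply_conntrack_max touch the running kernel. Unloading ip_conntrack also drops its connection table, so on a host where it was already loaded before the probe it stays loaded, which is exactly what the list difference guarantees.
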
Comment 4 Wade Mealing 2006-10-13 00:08:27 UTC
Created attachment 138394 [details]
Patch to add --nofirewall switch to deny the probing of iptables rules.

This option stops the query of iptables rules. This can be used if there is
sensitive information about network infrastructure that the customer may not
wish to reveal, or because probing certain tables can cause unwanted modules
to load, therefore changing the system behavior.

--nofirewall option added to sysreport.

Seems to work with initial testing on my end. This patch might already be
uploaded, but I'll do this anyway because I can't see the private information
in this bug.

Wade

Comment 5 Than Ngo 2006-10-20 14:15:42 UTC
Created attachment 138974 [details]
final fix

The patch looks ok to me. I have modified the path and there's the final fix
for the issue. Wade, thanks for the fix.

Comment 12 Red Hat Bugzilla 2006-11-16 19:58:00 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0723.html


Comment 14 masanari iida 2006-11-28 11:23:11 UTC
When I installed the latest sysreport, I found the Red Hat engineer
added a "--firewall" option instead of a "--nofirewall" option.
This last-minute change should be noted here, unless I have to
report that I found a typo in the official release :)



Comment 16 Chris Williams 2006-11-28 17:51:56 UTC
The change in the final fix has been modified. It's '-firewall' now and is
disabled by default.