Bug 210546

Summary: setup updates /etc/protocols and creates troubles for iptables
Product: [Fedora] Fedora
Reporter: Michal Jaegermann <michal>
Component: setup
Assignee: Phil Knirsch <pknirsch>
Status: CLOSED RAWHIDE
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: rawhide
CC: rvokal
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-05-23 13:56:10 UTC

Description Michal Jaegermann 2006-10-12 19:56:26 UTC
Description of problem:

Before an update, and still in /etc/protocols provided by setup-2.5.49-1
used in FC5, we had such lines:

ipv6-crypt      50      IPv6-Crypt      # Encryption Header for IPv6
ipv6-auth       51      IPv6-Auth       # Authentication Header for IPv6

After that update protocols 50 and 51 changed like that:

esp     50      ESP             # Encap Security Payload
ah      51      AH              # Authentication Header

The trouble is that in the past something (and it was not me) wrote
in /etc/sysconfig/iptables:

-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT

and now '/etc/init.d/iptables start' fails with "unknown protocol".
This results in no firewall at all.

Editing /etc/sysconfig/iptables to replace 'ipv6-crypt' by 'esp'
and 'ipv6-auth' by 'ah' makes iptables work again.  The 'setup' package
could do such edits in its %post script, thus preventing the failure.

If this substitution does not make sense then the incriminated lines
should be removed by %post from /etc/sysconfig/iptables entirely.

Version-Release number of selected component (if applicable):
setup-2.5.54-1

Comment 1 Phil Knirsch 2007-05-23 13:56:10 UTC
I'll add those back again after the new "official" protocol names to provide
backward compatibility. Package should be building real soon in Fedora Devel.

Read ya, Phil
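
A pre-flight check for the failure described in this report, as an added example (not code from the setup or iptables packages): it lists every `-p` argument in a saved rules file that the protocols file no longer defines, so the mismatch is caught before the firewall fails to load. The sample file contents are constructed from the lines quoted above; treating only `all` and numeric values as valid without a lookup is an assumption.

```python
import shlex

# Constructed sample: excerpt of /etc/protocols after the update in this report.
PROTOCOLS_AFTER_UPDATE = """\
tcp     6       TCP             # Transmission Control
udp     17      UDP             # User Datagram
esp     50      ESP             # Encap Security Payload
ah      51      AH              # Authentication Header
"""

# Constructed sample: /etc/sysconfig/iptables containing the two reported rules.
RULES = """\
*filter
:RH-Firewall-1-INPUT - [0:0]
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p 47 -j ACCEPT
COMMIT
"""

def load_protocol_names(protocols_text):
    """Return every name and alias defined in a protocols file, exactly as written."""
    names = {"all"}  # assumption: the only keyword accepted without a lookup
    for line in protocols_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[1].isdigit():
            names.add(fields[0])
            names.update(fields[2:])  # aliases follow the protocol number
    return names

def unresolved_protocols(rules_text, names):
    """Return (line_no, protocol) for each -p argument that is neither numeric nor defined."""
    problems = []
    for line_no, line in enumerate(rules_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        tokens = shlex.split(line)
        for i, tok in enumerate(tokens):
            if tok not in ("-p", "--protocol"):
                continue
            # Skip the "!" of a negated match such as "-p ! tcp".
            args = [t for t in tokens[i + 1:i + 3] if t != "!"]
            if args and not args[0].isdigit() and args[0] not in names:
                problems.append((line_no, args[0]))
    return problems

if __name__ == "__main__":
    for n, proto in unresolved_protocols(RULES, load_protocol_names(PROTOCOLS_AFTER_UPDATE)):
        print(f"rules line {n}: protocol {proto!r} is not defined in the protocols file")
```

Names are compared exactly as written, so a name that iptables itself recognises without consulting the protocols file would be reported here as a false positive.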