Bug 236669

Summary: protocols should not come from ldap
Product: Red Hat Enterprise Linux 5
Reporter: Gordon Messmer <gordon.messmer>
Component: authconfig
Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 5.0
CC: jjneely, rbulling
Hardware: All
OS: Linux
Fixed In Version: RHBA-2008-0375
Doc Type: Bug Fix
Last Closed: 2008-05-21 14:29:29 UTC
Bug Depends On: 380551
Attachments: A patch workaround for ip6tables

Description Gordon Messmer 2007-04-17 02:09:05 UTC
Description of problem:
ip6tables-restore makes a call to "getprotobyname" before the network is up.  If
authconfig has configured "protocols" to use ldap as a db source, it will take a
very long time to complete.  In order to prevent this from being a problem,
authconfig should avoid listing ldap as a source for "protocols".

Version-Release number of selected component (if applicable):
authconfig-5.3.12-2.el5

How reproducible:
always

Steps to Reproduce:
1. configure a system to use ldap for user info, using authconfig
2. reboot

Comment 1 Richard Bullington-McGuire 2007-07-05 23:08:16 UTC
This looks related to Fedora Core 6 bug # 214141.

Comment 2 Richard Bullington-McGuire 2007-07-05 23:35:55 UTC
Created attachment 158631 [details]
A patch workaround for ip6tables

This patch to /etc/sysconfig/ip6tables.conf works around the problem by
eliminating the use of the symbolic protocol specified, replacing it with a
literal number. The protocol number for IPv6 ICMP is 58.

So, this works in ip6tables.conf to accept ipv6-icmp traffic:

-A RH-Firewall-1-INPUT -p 58 -j ACCEPT


Putting any symbolic value in the protocol makes ip6tables-restore hang:

-A RH-Firewall-1-INPUT -p icmp6 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-icmp -j ACCEPT
-A RH-Firewall-1-INPUT -p foo -j ACCEPT

These all yield the same result.

Comment 3 Richard Bullington-McGuire 2007-07-05 23:40:53 UTC
Oops, I meant just "A patch workaround for /etc/sysconfig/ip6tables".

The fix for this should probably go into system-config-securitylevel, since that
is what is generating the "-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT" line.
ip6tables-restore could probably also be patched to hardcode the icmpv6 protocol
number to avoid a lookup. It's not as if that is going to change any time soon.

I wonder why ip6tables-restore has this issue, but iptables-restore does not,
though /etc/sysconfig/iptables has "icmp" as a symbol.

Comment 4 Richard Bullington-McGuire 2007-07-06 11:38:09 UTC
Changing /etc/nsswitch.conf so that protocols are only looked up from files also
resolves the issue:

protocols:  files
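
The mechanism in the description and the two workarounds in comments 2 and 4 (a numeric protocol in the ruleset, and `protocols: files` in nsswitch.conf), as an added example that is not part of the bug report, authconfig or iptables: a POSIX sh script that reports which NSS databases are backed by a source that needs the network, and rewrites every symbolic `-p NAME` in an iptables-save style ruleset to its number so ip6tables-restore has nothing to look up. It goes beyond the report in that it handles any database and any protocol name, not only `protocols` and `ipv6-icmp`. All file contents are constructed samples, and the function names (nss_sources, nss_uses_network, proto_number, rewrite_rules) are the example's own.

```shell
#!/bin/sh
# Added example, not from the bug report: audit nsswitch.conf sources and
# rewrite symbolic protocol names in an ip6tables ruleset to numbers, so that
# ip6tables-restore never calls getprotobyname() against a remote NSS source.

# nss_sources FILE DB: print the source list configured for DB, e.g. "files ldap".
nss_sources() {
    awk -v db="$2" '$1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# nss_uses_network FILE DB: succeed if any configured source is not local.
# files/db/compat and [ACTION] tokens are local; everything else (ldap, nis,
# dns, ...) is treated as needing the network.
nss_uses_network() {
    for src in $(nss_sources "$1" "$2"); do
        case "$src" in
            files|db|compat|'['*) ;;
            *) return 0 ;;
        esac
    done
    return 1
}

# proto_number PROTOCOLS_FILE NAME: print the number for NAME or an alias from
# a file in /etc/protocols format (name number aliases... # comment); print
# nothing if unknown. Matching is case-insensitive like glibc's files backend.
proto_number() {
    awk -v name="$2" '
        /^#/ || NF < 2 { next }
        { for (i = 1; i <= NF; i++) {
              if ($i ~ /^#/) break
              if (i != 2 && tolower($i) == tolower(name)) { print $2; exit }
          } }' "$1"
}

# rewrite_rules PROTOCOLS_FILE < ruleset: copy the ruleset to stdout with each
# "-p NAME" / "--protocol NAME" turned into "-p NUMBER". Names the table does
# not know are left alone and reported on stderr, since ip6tables-restore would
# still have to resolve them (and hang, as comment 2 shows).
rewrite_rules() {
    awk -v pf="$1" '
        BEGIN {
            while ((getline line < pf) > 0) {
                if (line ~ /^#/) continue
                n = split(line, f, /[ \t]+/)
                if (n < 2) continue
                for (i = 1; i <= n; i++) {
                    if (f[i] ~ /^#/) break
                    if (i != 2) proto[tolower(f[i])] = f[2]
                }
            }
            close(pf)
        }
        {
            for (i = 1; i < NF; i++) {
                if (($i == "-p" || $i == "--protocol") && $(i + 1) !~ /^[0-9]+$/) {
                    key = tolower($(i + 1))
                    if (key in proto) $(i + 1) = proto[key]
                    else printf "line %d: unknown protocol %s left symbolic\n", NR, $(i + 1) > "/dev/stderr"
                }
            }
            print
        }'
}

# Constructed sample inputs (not real system files) so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
# constructed nsswitch.conf excerpt: authconfig has added ldap to protocols
passwd:     files ldap
hosts:      files dns
protocols:  files ldap
services:   files
EOF
cat > "$SAMPLE_DIR/protocols" <<'EOF'
# constructed /etc/protocols excerpt: name number aliases # comment
ip        0   IP        # internet protocol
icmp      1   ICMP      # internet control message protocol
tcp       6   TCP       # transmission control protocol
udp       17  UDP       # user datagram protocol
ipv6-icmp 58  IPv6-ICMP # ICMP for IPv6
EOF
cat > "$SAMPLE_DIR/ip6tables" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-icmp -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF

# Report the databases getprotobyname()/getservbyname() consult at boot when
# they would go over the network, then emit a ruleset with no lookups left.
for db in protocols services; do
    if nss_uses_network "$SAMPLE_DIR/nsswitch.conf" "$db"; then
        echo "$db: $(nss_sources "$SAMPLE_DIR/nsswitch.conf" "$db") (remote source; use 'files')"
    fi
done
rewrite_rules "$SAMPLE_DIR/protocols" < "$SAMPLE_DIR/ip6tables"
```

On a real host point the functions at /etc/nsswitch.conf, /etc/protocols and /etc/sysconfig/ip6tables. The rewrite is the stopgap from comment 2; the durable fix is the one the errata takes, keeping `protocols` on `files` only, because every other early-boot caller of getprotobyname() would otherwise block the same way.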


Comment 5 RHEL Program Management 2007-10-31 18:25:37 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 11 errata-xmlrpc 2008-05-21 14:29:29 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0375.html