Bug 40429

Summary: ipchains says "Incompatible with this kernel" if no /etc/sysconfig/ipchains exists
Product: [Retired] Red Hat Linux
Reporter: Daniel G. Link <daniel_link>
Component: ipchains
Assignee: Mike A. Harris <mharris>
Status: CLOSED NOTABUG
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 7.1
Hardware: i586
OS: Linux
Doc Type: Bug Fix
Last Closed: 2001-05-13 20:47:40 UTC

Description Daniel G. Link 2001-05-13 20:47:36 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)

Description of problem:
Issuing "/sbin/ipchains -L" or other ipchains commands will cause it to 
say "Incompatible with this kernel" if /etc/sysconfig/ipchains has not at 
least once been present when ipchains was run since reboot.

How reproducible:
Every time.

Steps to Reproduce:
1. Remove /etc/sysconfig/ipchains (if present)
2. Reboot.
3. Issue "/sbin/ipchains -L" or "/sbin/ipchains -F" etc.

Actual Results:  ipchains: Incompatible with this kernel

Expected Results:  It should have said something like: "Config 
file /etc/sysconfig/ipchains not found"

Additional info: If you create /etc/sysconfig/ipchains and 
run /sbin/ipchains just once with the file present, every subsequent time 
it will work, even if you remove the config file.

Comment 1 Mike A. Harris 2001-05-13 21:27:22 UTC
This is not a bug.  The 2.4.x kernel has a totally brand new firewall interface
called "netfilter".  When used in its native mode, netfilter is configured using
the "iptables" command.  netfilter also has backward compatibility modules,
however, so that you can use an ipchains or ipfwadm based firewall script
with the new netfilter without worrying about having to completely rewrite all
of your existing firewall code.  In order to maintain backward compatibility
with our previous releases, we decided to continue using ipchains as the
supported firewall interface.  All of our distribution supplied tools use
the netfilter ipchains interface.  Our startup scripts for ipchains firewalling
load the iptables "ipchains" personality module when the firewall is enabled.
If you disable our supplied firewall script, then the module does not get
loaded.

If you want to use an alternative ipchains based firewall script, you will
have to manually load the ipchains personality module yourself from your own
scripts, or even better - avoid ipchains, and use iptables natively.

Hope this helps.
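
An added example, not part of the bug thread or of Red Hat's scripts: a preflight check a custom firewall script could run before calling ipchains, so that a missing personality module is reported as such instead of surfacing as "Incompatible with this kernel". The module names `ipchains`, `ipfwadm` and `ip_tables` are assumptions (the thread does not name them), and the sample module list is constructed.

```shell
#!/bin/sh
# Report which 2.4 firewall interface is loaded, reading a file in
# /proc/modules format (first column = module name).
# Assumed module names: ipchains, ipfwadm, ip_tables (not named on the page).
fw_personality() {
    modules_file=${1:-/proc/modules}
    [ -r "$modules_file" ] || { echo unknown; return 2; }
    awk '
        $1 == "ipchains"  { found = "ipchains" }
        $1 == "ipfwadm"   { found = "ipfwadm" }
        $1 == "ip_tables" { found = "iptables" }
        END { print (found == "" ? "none" : found) }
    ' "$modules_file"
}

# Return 0 only when the ipchains personality is loaded; otherwise print
# a diagnosis that names the real cause.
ipchains_preflight() {
    case $(fw_personality "$1") in
        ipchains) echo "ok: ipchains personality module is loaded"; return 0 ;;
        iptables) echo "not loaded: native iptables is active, ipchains personality is not"; return 1 ;;
        ipfwadm)  echo "not loaded: ipfwadm personality is active, ipchains personality is not"; return 1 ;;
        none)     echo "not loaded: no firewall module present; load the ipchains personality module first"; return 1 ;;
        *)        echo "unknown: cannot read module list"; return 2 ;;
    esac
}

# Constructed sample: a module list with only NIC drivers loaded, which is
# the state after a reboot when the supplied firewall script did not run.
sample=$(mktemp)
printf 'ne2k-pci 4960 1\n8390 6352 0 [ne2k-pci]\n' > "$sample"
ipchains_preflight "$sample" || true
rm -f "$sample"
```
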