Bug 432617

Summary: RFE: Add "reload" option to startup script.
Product: [Fedora] Fedora
Reporter: Pekka Pietikäinen <pp>
Component: iptables
Assignee: Thomas Woerner <twoerner>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: rawhide
CC: clasohm, psutter, topher-redhat-bugzilla
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2018-05-04 14:40:26 UTC

Attachments:
Add reload action to iptables startup script (flags: none)

Description Pekka Pietikäinen 2008-02-13 13:13:38 UTC
Description of problem:

When a /etc/init.d/iptables restart is done, existing connections to the host
get dropped (some of them). This is caused by the conntrack modules getting
unloaded -> no more states.

# Unload modules on restart and stop
#   Value: yes|no,  default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

In the use case of "Add new allowed incoming port" that's pretty overkill.
I attached a patch that adds a "reload" target that sets
IPTABLES_MODULES_UNLOAD="no" and restarts.

Comment 1 Pekka Pietikäinen 2008-02-13 13:13:38 UTC
Created attachment 294769
Add reload action to iptables startup script

Comment 2 Christopher Cashell 2008-06-25 16:36:07 UTC
I'd really like to see this implemented, as well.

I've got a junior admin who broke existing connections to a production database
because he went to add an iptables rule, tried to do a 'reload', saw that there
was no 'reload', then did a 'restart'.

I've never understood why 'reload' wasn't included on RH platforms.  Unloading
and reloading modules is rarely needed, and causes too many problems, especially
when it's the only action supported by the init script.

Comment 3 Christopher Cashell 2008-06-25 16:57:33 UTC
Hrm.  Looks like this has actually been requested previously, back about 4 years
ago: https://bugzilla.redhat.com/show_bug.cgi?id=115655

Such a simple fix, for so long of a wait.

Comment 4 Thomas Woerner 2008-07-01 10:13:23 UTC
The problem with a reload without unloading the netfilter kernel modules is that
you are not unloading the kernel modules. If a kernel module is there, it is
active and will be used.

Please think of this scenario: a service which needs a helper module gets
deactivated, and then you do a reload instead of a restart. The helper
module will be there and will behave as before. This will be really unexpected, too.

A reload could only work if you are adding rules, not if you are removing them.
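
The reload action proposed in the description, together with the scenario this comment raises, as an added example that is not the attached patch or the Fedora init script: a POSIX sh fragment where reload runs the normal stop/start path with IPTABLES_MODULES_UNLOAD forced to "no". The config file is a constructed stand-in, the module names and the log/LOADED bookkeeping are assumptions for the example, and modprobe, rmmod and iptables calls are only recorded, so it runs without root; the simulated module table shows both that reload keeps ip_conntrack (and its state table) loaded and that a helper dropped from the config stays loaded until a real restart.

```sh
#!/bin/sh
# Added example, not the attached patch: "reload" beside "restart" for an
# init script in the style of /etc/init.d/iptables. Nothing is executed.

# Constructed stand-in for /etc/sysconfig/iptables-config
CONFIG_FILE=$(mktemp)
trap 'rm -f "$CONFIG_FILE"' EXIT
cat > "$CONFIG_FILE" <<'EOF'
IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"
IPTABLES_MODULES_UNLOAD="yes"
EOF
# Modules every ruleset needs; removing ip_conntrack is what drops the state table
IPTABLES_MODULES_COMMON="ip_tables iptable_filter ip_conntrack"

LOG=""      # commands the script would have run, "; "-separated
LOADED=""   # simulated lsmod: space-separated module names
log() { LOG="${LOG}$*; "; }
is_loaded() { case " $LOADED " in *" $1 "*) return 0 ;; esac; return 1; }
modprobe_sim() { log modprobe "$1"; is_loaded "$1" || LOADED="$LOADED $1"; }
rmmod_sim() {
    log rmmod "$1"
    rest=""; for m in $LOADED; do [ "$m" = "$1" ] || rest="$rest $m"; done
    LOADED=$rest
}
start() {
    for m in $IPTABLES_MODULES_COMMON $IPTABLES_MODULES; do modprobe_sim "$m"; done
    log iptables-restore /etc/sysconfig/iptables
}
stop() {
    log iptables -F; log iptables -X
    if [ "$IPTABLES_MODULES_UNLOAD" = "yes" ]; then
        for m in $IPTABLES_MODULES $IPTABLES_MODULES_COMMON; do rmmod_sim "$m"; done
    fi
}

# Entry point: the config is read fresh on every action, as the init script does
iptables_action() {
    LOG=""
    . "$CONFIG_FILE"
    case "$1" in
        start)   start ;;
        stop)    stop ;;
        restart) stop; start ;;
        # reload: same flush-and-reapply, but conntrack state survives because no
        # module is removed; a helper dropped from the config also stays loaded
        reload)  IPTABLES_MODULES_UNLOAD="no"; stop; start ;;
        *) echo "usage: $0 {start|stop|restart|reload}" >&2; return 2 ;;
    esac
}
```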

Comment 5 Pekka Pietikäinen 2008-11-18 00:37:48 UTC
Urgh, found this in my needinfo pile :P

What about only reloading the special helper modules (anything in IPTABLES_MODULES vs. IPTABLES_MODULES_COMMON)? People really only get annoyed when their ssh and irc (and sql :) ) get disconnected just to add/remove one port.

That or calling my idea of reload /etc/init.d/iptables flush-and-start or whatnot :P

Or even REALLY_DONT_RELOAD_MODULES=1 iptables restart, and I can just do a /usr/local/sbin/fwreload locally ;)

Comment 6 Thomas Woerner 2009-06-03 09:21:55 UTC
I will have to test this with latest netfilter versions in the kernel. With older versions this led to unexpected behaviour.

Comment 7 Phil Sutter 2018-05-04 14:40:26 UTC
Please note that module unloading as a whole was dropped from iptables init script in F26.