Bug 432617
| Field | Value |
|---|---|
| Summary | RFE: Add "reload" option to startup script. |
| Product | [Fedora] Fedora |
| Component | iptables |
| Version | rawhide |
| Hardware | All |
| OS | Linux |
| Status | CLOSED CURRENTRELEASE |
| Severity | low |
| Priority | low |
| Reporter | Pekka Pietikäinen <pp> |
| Assignee | Thomas Woerner <twoerner> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | clasohm, psutter, topher-redhat-bugzilla |
| Doc Type | Bug Fix |
| Last Closed | 2018-05-04 14:40:26 UTC |
Description

Pekka Pietikäinen, 2008-02-13 13:13:38 UTC

Created attachment 294769: Add reload action to iptables startup script

I'd really like to see this implemented, as well. I've got a junior admin who broke existing connections to a production database because he went to add an iptables rule, tried to do a 'reload', saw that there was no 'reload', then did a 'restart'. I've never understood why 'reload' wasn't included on RH platforms. Unloading and reloading modules is rarely needed, and causes too many problems, especially when it's the only action supported by the init script. Hrm. Looks like this has actually been requested previously, back about 4 years ago: https://bugzilla.redhat.com/show_bug.cgi?id=115655 Such a simple fix, for so long a wait.

The problem with a reload without unloading the netfilter kernel modules is that you are not unloading the kernel modules. If a kernel module is there, it is active and will be used. Please think of this scenario: a service which needs a helper module gets deactivated, and then you do a reload instead of a restart. The helper module will still be there and will behave as before. This will be really unexpected, too. A reload could only work if you are adding rules, not if you are removing them.

Urgh, found this in my needinfo pile :P What about only reloading the special helper modules (anything in IPTABLES_MODULES vs. IPTABLES_MODULES_COMMON)? People really only get annoyed when their ssh and irc (and sql :) ) gets disconnected just to add/remove one port. That, or calling my idea of reload /etc/init.d/iptables flush-and-start or whatnot :P Or even REALLY_DONT_RELOAD_MODULES=1 iptables restart, and I can just do a /usr/local/sbin/fwreload locally ;)

I will have to test this with the latest netfilter versions in the kernel. With older versions this led to unexpected behaviour.

Please note that module unloading as a whole was dropped from the iptables init script in F26.
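The `reload` action the thread is asking for, written out as an added example. This is not the attachment from the bug, not the Fedora package's init script, and not code from anyone in the thread. It reads the saved ruleset from `/etc/sysconfig/iptables` (the Fedora path) and hands it to `iptables-restore`, which rebuilds each table and commits it in a single kernel operation, so the tables are never empty in between and `nf_conntrack` is never unloaded; established ssh, irc and database sessions keep their conntrack entries. The validation pass uses the real `iptables-restore --test` option, which needs an iptables-restore that supports it. `IPTABLES_RESTORE` is an assumed override hook so the function can be exercised without root or netfilter; the exit codes follow the LSB init-script convention (6 = program is not configured). It deliberately does not touch kernel modules, so the objection raised in the thread still applies: a helper module that an old rule needed stays loaded after the rule is removed, and it would have to be dropped with an explicit `modprobe -r`.

```shell
#!/bin/sh
# Added example of a sysvinit-style "reload" action for iptables.
# Not the Fedora package's own code. IPTABLES_DATA is the Fedora path for
# the saved ruleset; IPTABLES_RESTORE is an assumed override hook so the
# function can be tested without root (defaults to the real tool).
IPTABLES_DATA=${IPTABLES_DATA:-/etc/sysconfig/iptables}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}

# Re-apply the saved ruleset in place. Unlike "restart" this never flushes
# the tables by hand and never unloads kernel modules, so live connections
# keep their conntrack state. Exit codes follow the LSB init convention:
# 0 = rules applied, 1 = apply failed (old rules still in place),
# 6 = not configured (no saved ruleset).
iptables_reload() {
    if [ ! -s "$IPTABLES_DATA" ]; then
        echo "iptables: no saved rules at $IPTABLES_DATA" >&2
        return 6
    fi
    # Parse-only pass (iptables-restore -t/--test): a syntax error in the
    # saved file is caught here, before the live tables are touched.
    if ! "$IPTABLES_RESTORE" --test < "$IPTABLES_DATA"; then
        echo "iptables: $IPTABLES_DATA failed validation, rules unchanged" >&2
        return 1
    fi
    # iptables-restore builds each table in userspace and commits it with
    # one replace call, so there is no window with an empty or half-built
    # table and no module unload/reload cycle.
    "$IPTABLES_RESTORE" < "$IPTABLES_DATA" || return 1
    return 0
}

# Minimal dispatcher so the function can sit in an init script as the
# "reload" action; other actions are left to the existing script.
case "${1:-}" in
    reload) iptables_reload ;;
esac
```

Usage: `sh iptables-reload.sh reload` as root, after editing `/etc/sysconfig/iptables`. Because the apply step is `iptables-restore` and not `flush; load`, a rule that is dropped from the file disappears from the kernel on reload too; only the helper modules behave as the thread describes.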