Bug 474937

Summary: Kickstart F10 results in two "--dport 22" entries in iptables file
Product: [Fedora] Fedora
Reporter: Mike Hanby <flakrat>
Component: anaconda
Assignee: Chris Lumens <clumens>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 10
CC: anaconda-maint-list, flakrat
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2008-12-11 20:46:18 UTC
Attachments:
anaconda.log from the Fedora 10 i386 kickstart install (flags: none)

Description Mike Hanby 2008-12-05 22:28:42 UTC
Description of problem:
I kickstart installed a Fedora 10 i386 system with the following firewall configuration specified in the kickstart file to enable SSH and NRPE:

firewall --enabled --port=22:tcp --port=5666:tcp

Following the install I looked at /etc/sysconfig/iptables and it had two entries for port 22:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5666 -j ACCEPT

And iptables status reports:

$ sudo /sbin/service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:5666 
7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         


Version-Release number of selected component (if applicable):


How reproducible:
I haven't had a chance to reinstall the system using the same kickstart file.

Steps to Reproduce:
1. Create a kickstart file with the firewall config line listed above
2. Kickstart the system
3. Check /etc/sysconfig/iptables following the install
  
Actual results:
Duplicate entries for SSH in the firewall script

Expected results:
A single entry for port 22

Additional info:

Comment 1 Chris Lumens 2008-12-09 18:56:02 UTC
Can you attach /var/log/anaconda.log from your running system to this bug report?  That ought to tell us exactly which lokkit command was run so we can see where the problem here lies.  Thanks.

Comment 2 Mike Hanby 2008-12-11 16:15:07 UTC
Created attachment 326634
anaconda.log from the Fedora 10 i386 kickstart install

Added the anaconda.log file as requested.

Comment 3 Chris Lumens 2008-12-11 20:46:18 UTC
This will be fixed in the next build of anaconda.  Thanks for the bug report.
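
A check for the condition reported in the description, as an added example that is not part of the bug report or of anaconda's code: it scans an iptables-save style rules file such as /etc/sysconfig/iptables for rules repeated within one table. The function name and the embedded sample are constructed for illustration.

```python
"""Report exact duplicate rules in an iptables-save style rules file."""
import shlex
import sys
from collections import defaultdict

# Constructed sample modelled on the rules quoted in the report (not the
# reporter's actual file); the second --dport 22 line has extra whitespace.
SAMPLE = """\
# constructed sample
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state  --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5666 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def find_duplicate_rules(text):
    """Return [(table, rule, [line numbers])] for rules repeated in a table."""
    table = None
    seen = defaultdict(list)  # (table, rule tokens) -> line numbers
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("*"):  # table header such as *filter
            table = line[1:]
        elif line.startswith(("-A ", "-I ")):
            # Tokenise so spacing and quoting differences do not hide a repeat.
            seen[(table, tuple(shlex.split(line)))].append(lineno)
        # Comments, chain policies (":INPUT ...") and COMMIT are skipped.
    return [(t, shlex.join(tok), nums)
            for (t, tok), nums in seen.items() if len(nums) > 1]


if __name__ == "__main__":
    # Usage: script.py [rules-file]; without an argument the sample is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = fh.read()
    else:
        data = SAMPLE
    for table, rule, nums in find_duplicate_rules(data):
        print(f"table {table}: lines {nums} repeat: {rule}")
```

Run against a freshly kickstarted host's rules file, it prints the table and line numbers of each repeated rule, which is the comparison the reporter made by eye.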