Bug 60465

Summary: iptables 1.2.4 fails to work with kernel 2.4.18
Product: [Retired] Red Hat Linux
Reporter: Joe Acosta <josepha48>
Component: iptables
Assignee: wdovlrrw <brosenkr>
Status: CLOSED RAWHIDE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 7.2
CC: mark.williamson
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2002-02-28 01:34:14 UTC

Description Joe Acosta 2002-02-27 23:23:30 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.7) Gecko/20011221

Description of problem:
I tried to run the 2.4.18 kernel with RH 7.2 and iptables failed to load tables.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. using RH 7.2 upgrade the kernel to 2.4.18
2. make sure you enable iptables 
3. make sure you have some tables set up 
4. make sure you have it set to start on boot (/etc/init.d/iptables start)
5. reboot system
6. you'll see messages and iptables -L will show the system open wide.

Actual Results:
Flushing all current rules and user defined chains:        [  OK  ]
Clearing all current rules and user defined chains:        [  OK  ]
iptables: libiptc/libip4tc.c:384: do_check: Assertion `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
/etc/init.d/iptables: line -242:  1222 Aborted                 iptables -t $i -F
iptables: libiptc/libip4tc.c:384: do_check: Assertion `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
/etc/init.d/iptables: line -239:  1225 Aborted                 iptables -t $i -X
iptables: libiptc/libip4tc.c:384: do_check: Assertion `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
/etc/init.d/iptables: line -235:  1228 Aborted                 iptables -t $i -Z
Applying iptables firewall rules:
iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
/etc/init.d/iptables: line -232:  1230 Done                    grep -v "^[[:space:]]*#" $IPTABLES_CONFIG
      1231                       | grep -v '^[[:space:]]*$'
      1232 Aborted                 | /sbin/iptables-restore -c



Expected Results:  expected iptables to load with an OK

Additional info:

Apparently, according to Alan Cox, RH compiled iptables with debugging or
something, and this is causing it to fail with 2.4.18.

I am marking this as a security bug as it WILL leave the system wide open and it
seems that there is no way of securing the system with iptables.

Comment 1 Need Real Name 2002-02-28 01:09:47 UTC
I think the patch at

http://pserver.samba.org/cgi-bin/cvsweb/netfilter/userspace/libiptc/libip4tc.c.diff?r1=1.13&r2=1.14&sortby=date&f=h

may resolve this. I don't fully understand the problem, but it's linked with
(and I quote from the above link) 

"linux < 2.4.18-pre6 had two mangle hooks, linux >= 2.4.18-pre6 has five mangle
hooks".

I hope this may shed some light (but I may be wrong).

Regards,

Mark

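The assertion quoted in the report compares the kernel's valid_hooks mask for the mangle table against the two-hook layout (bits 0 and 3), so a 2.4.18-pre6 or later kernel that registers five mangle hooks trips the assert, iptables aborts, and because the init script has already flushed the old rules by then the host is left without a ruleset. The C below is an added illustration written for this page; it is not code from libiptc or from the patch Mark links to. It models the strict check as reported, a relaxed check that accepts either the two-hook or the five-hook layout while still rejecting any other mask, and a helper that renders a mask as chain names. The hook bit numbering (PREROUTING=0 through POSTROUTING=4) and all function names are assumptions.

```c
/* Added illustration for this bug report (not libiptc code): models the
 * do_check() valid_hooks test on the mangle table that fails on 2.4.18.
 * Hook bit positions follow the 2.4-era netfilter NF_IP_* numbering and
 * are an assumption here. */
#include <stdio.h>
#include <string.h>

/* IPv4 netfilter hook numbers (assumed NF_IP_* values) */
enum {
    HOOK_PRE_ROUTING  = 0,
    HOOK_LOCAL_IN     = 1,
    HOOK_FORWARD      = 2,
    HOOK_LOCAL_OUT    = 3,
    HOOK_POST_ROUTING = 4,
    HOOK_COUNT        = 5
};

static const char *hook_names[HOOK_COUNT] = {
    "PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"
};

/* Two-hook mangle table registered by kernels before 2.4.18-pre6:
 * exactly the (1 << 0 | 1 << 3) mask in the reported assertion. */
#define MANGLE_HOOKS_OLD ((1u << HOOK_PRE_ROUTING) | (1u << HOOK_LOCAL_OUT))

/* Five-hook mangle table registered by 2.4.18-pre6 and later. */
#define MANGLE_HOOKS_NEW ((1u << HOOK_PRE_ROUTING) | (1u << HOOK_LOCAL_IN) | \
                          (1u << HOOK_FORWARD) | (1u << HOOK_LOCAL_OUT) | \
                          (1u << HOOK_POST_ROUTING))

/* Strict check, equivalent to the assertion quoted in the report:
 * only the old two-hook mask passes.  Returns 1 if acceptable. */
int mangle_hooks_ok_strict(unsigned int valid_hooks)
{
    return valid_hooks == (1u << 0 | 1u << 3);
}

/* Relaxed check in the spirit of the libip4tc.c 1.13 -> 1.14 change:
 * either known layout passes; any other mask is still treated as a
 * kernel/userspace mismatch and rejected. */
int mangle_hooks_ok_relaxed(unsigned int valid_hooks)
{
    return valid_hooks == MANGLE_HOOKS_OLD || valid_hooks == MANGLE_HOOKS_NEW;
}

/* Render a valid_hooks mask as a comma-separated list of chain names,
 * e.g. "PREROUTING,OUTPUT".  Returns the number of hooks set. */
int describe_hooks(unsigned int valid_hooks, char *out, size_t outlen)
{
    int n = 0;
    out[0] = '\0';
    for (int i = 0; i < HOOK_COUNT; i++) {
        if (valid_hooks & (1u << i)) {
            if (n)
                strncat(out, ",", outlen - strlen(out) - 1);
            strncat(out, hook_names[i], outlen - strlen(out) - 1);
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed sample masks: old kernel, new kernel, and a bogus value. */
    unsigned int masks[] = { MANGLE_HOOKS_OLD, MANGLE_HOOKS_NEW, 0x07u };
    char buf[64];

    for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++) {
        describe_hooks(masks[i], buf, sizeof buf);
        printf("valid_hooks=0x%02x (%s): strict=%s relaxed=%s\n",
               masks[i], buf,
               mangle_hooks_ok_strict(masks[i])  ? "ok" : "ABORT",
               mangle_hooks_ok_relaxed(masks[i]) ? "ok" : "ABORT");
    }
    return 0;
}
```

The practical check this suggests after a kernel upgrade is the one the reporter already describes in step 6: confirm with `iptables -L` that the expected rules and policies are actually loaded, since an aborted restore fails after the flush rather than before it.
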
Comment 2 Joe Acosta 2002-02-28 01:34:09 UTC
That is probably true.  I have been told to get the latest iptables.  I am
wondering if Red Hat has a newer kernel other than 2.4.9 and if they have a
2.4.18 kernel out.

Comment 3 Bernhard Rosenkraenzer 2002-03-04 11:36:17 UTC
Patch added in 1.2.5-3.