Bug 71201

Summary: ifup eth0 I gives an iptables error

| Field | Value | Field | Value |
|---|---|---|---|
| Product | [Retired] Red Hat Public Beta | Reporter | Pam Huntley <pam_huntley> |
| Component | initscripts | Assignee | Bill Nottingham <notting> |
| Status | CLOSED RAWHIDE | QA Contact | Ben Levenson <benl> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | limbo | CC | harald, notting, rvokal |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | i386 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2002-08-21 18:11:48 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 67217 | | |
Description
Pam Huntley
2002-08-09 21:26:02 UTC
--sport is not valid syntax for iptables, even though the man pages say it is. We should be using --source-port instead. If we don't fix iptables, then we need to fix everything that writes out iptables configs and initscripts. Fixing iptables is probably the better option.

nothing wrong with iptables or lokkit... this is ifup

wrong line:

```sh
[ -n "$FWHACK" ] && iptables -D RH-Lokkit-0-50-INPUT -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -m udp -j ACCEPT
[ -n "$FWHACK" ] && iptables -D RH-Lokkit-0-50-INPUT -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -m udp -j ACCEPT
```

should be:

```sh
[ -n "$FWHACK" ] && iptables -D RH-Lokkit-0-50-INPUT -m udp -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -j ACCEPT
[ -n "$FWHACK" ] && iptables -D RH-Lokkit-0-50-INPUT -m udp -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -j ACCEPT
```

see, the -m udp module argument must be first, 'cause --sport is an argument for that module... this seems to be wrong throughout all initscripts... has it _ever_ been tested????

Not extensively, no. Fixed in CVS, will be in 6.89-1.

you should also use -I instead of -A, otherwise the rule would be behind the REJECTs..

fixed in cvs.

will test when I get a chance to get to a spare box.

initscripts are confirmed fixed with initscripts-6.90-1. We still have the problem with gnome-lokkit writing out '-A' instead of '-I'

gnome-lokkit is right, AFAIK; it uses -A, but still adds the DNS before the reject rules.

what is wrong with adding the DNS before the reject rules????

It does. I think we're in agreement here.
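The two pitfalls discussed in this thread, modelled as an added example that is not part of the bug report or of initscripts: a toy left-to-right parser that, like the real iptables of the time, rejects `--sport` when no `-m udp` (or `-p udp`) has appeared yet, and a first-match chain walk showing why an ACCEPT appended with `-A` behind a REJECT never fires while `-I` puts it in front. The chain name and the REJECT rule are taken from the report; the packet values and the helper names are assumptions made for the demo.

```python
"""Toy model of this bug: match options such as --sport are only recognised
after the module defining them was loaded by an earlier -m udp (or -p udp),
and -A appends an ACCEPT behind an existing REJECT so it never matches."""
import shlex

PORT_OPTS = {"--sport": "sport", "--dport": "dport"}  # provided by udp/tcp match


def parse_rule(cmdline):
    """Parse a simplified iptables command left to right, like the real tool.
    Returns (action, chain, rule); raises ValueError for an option whose
    match module has not been loaded yet. Every option here takes a value."""
    args = shlex.split(cmdline)[1:]          # drop the leading 'iptables'
    action, chain, rule, loaded = None, None, {}, set()
    for opt, val in zip(args[::2], args[1::2]):
        if opt in ("-A", "-I", "-D"):
            action, chain = opt, val
        elif opt in ("-m", "-p"):            # -p udp autoloads the udp match
            loaded.add(val)
            if opt == "-p":
                rule["proto"] = val
        elif opt in PORT_OPTS:
            if not loaded & {"udp", "tcp"}:  # the bug: --sport seen too early
                raise ValueError(f"Unknown arg `{opt}'")
            lo, _, hi = val.partition(":")
            rule[PORT_OPTS[opt]] = (int(lo), int(hi or lo))
        elif opt in ("-s", "-d", "-j"):      # 0/0 addresses match anything
            rule[opt] = val
        else:
            raise ValueError(f"Unknown arg `{opt}'")
    return action, chain, rule


def apply_cmd(chain, cmdline):
    """Append (-A), insert at the top (-I) or delete (-D) one parsed rule."""
    action, _, rule = parse_rule(cmdline)
    {"-A": chain.append, "-I": lambda r: chain.insert(0, r),
     "-D": chain.remove}[action](rule)
    return chain


def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule wins, exactly as netfilter walks a chain."""
    for rule in chain:
        if rule.get("proto", pkt["proto"]) != pkt["proto"]:
            continue
        if all(rule[k][0] <= pkt[k] <= rule[k][1] for k in ("sport", "dport") if k in rule):
            return rule["-j"]
    return policy
```

Feeding the report's "wrong line" to `parse_rule` reproduces the error, and a DNS reply (udp, source port 53, high destination port) is rejected by the lokkit REJECT rule unless the ACCEPT was inserted with `-I`.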