Bug 730061

Summary: iptables shutdown error when ip6tables running
Product: Red Hat Enterprise Linux 5
Reporter: John G. Myers <jgmyers>
Component: iptables
Assignee: iptables-maint-list <iptables-maint-list>
Status: CLOSED NOTABUG
QA Contact: qe-baseos-daemons
Severity: low
Priority: unspecified
Version: 5.6
CC: twoerner
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 6.0
Doc Type: Bug Fix
Last Closed: 2011-08-18 08:20:11 UTC

Attachments:
  /etc/sysconfig/iptables (flags: none)
  /etc/sysconfig/ip6tables (flags: none)

Description John G. Myers 2011-08-11 16:31:44 UTC
Description of problem:

Stopping iptables when ip6tables is running results in a failure message

Version-Release number of selected component (if applicable):

iptables-1.3.5-5.3.el5_4.1

How reproducible: Always


Steps to Reproduce:
1. Configure IPv6, iptables, and ip6tables
2. /etc/init.d/ip6tables start
3. /etc/init.d/iptables stop
  
Actual results:

# /etc/init.d/iptables stop
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: raw filter nat            [  OK  ]
Unloading iptables modules:                                [FAILED]

Expected results:

# /etc/init.d/iptables stop
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: raw filter nat            [  OK  ]
Unloading iptables modules:                                [  OK  ]

Additional info:

iptables should not (complain about failure to) unload ip_conntrack when it is still in use by ip6tables.

Comment 1 Thomas Woerner 2011-08-12 07:20:49 UTC
Please add the firewall configuration for iptables and ip6tables as a private comment (from the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, or the output of the commands iptables-save and ip6tables-save).
Please also add the values of IPTABLES_MODULES and IP6TABLES_MODULES from /etc/sysconfig/iptables-config and /etc/sysconfig/ip6tables-config.
Thanks

Comment 2 John G. Myers 2011-08-17 19:42:44 UTC
Created attachment 518743 [details]
/etc/sysconfig/iptables

Comment 3 John G. Myers 2011-08-17 19:43:10 UTC
Created attachment 518744 [details]
/etc/sysconfig/ip6tables

Comment 4 John G. Myers 2011-08-17 19:45:04 UTC
Does not reproduce in 6.0.

Comment 5 Thomas Woerner 2011-08-18 08:20:11 UTC
The problem is the use of state in the IPv6 firewall. Connection tracking in the 2.6.18 kernel in EL-5 does not support IPv6. Please have a look at #243739 and #212839 for more information.

You need to replace the state line in the IPv6 firewall by this:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT

This is a known limitation of the RHEL-5 kernel and cannot be changed. The state rule in your IPv6 firewall is not working and all packets are marked INVALID.

Here is an excerpt of the RELEASE_NOTES of EL-5:

              o Added nf_conntrack subsystem (2.6.15)

                   o The existing connection tracking subsystem in netfilter
                     can only handle ipv4. There were two choices present to
                     add connection tracking support for ipv6; either
                     duplicate all of the ipv4 connection tracking code into
                     an ipv6 counterpart, or (the choice taken by these
                     patches) design a generic layer that could handle both
                     ipv4 and ipv6 and thus requiring only one sub-protocol
                     (TCP, UDP, etc.) connection tracking helper module to be
                     written. In fact, nf_conntrack is capable of working
                     with any layer 3 protocol.

I will close this bug as NOT A BUG.