Bug 77430

Summary: ipchains does not work with updated kernel
Product: [Retired] Red Hat Linux
Reporter: Mate Wierdl <mw-redhat>
Component: ipchains
Assignee: Mike A. Harris <mharris>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 8.0
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-05-28 13:24:58 UTC

Description Mate Wierdl 2002-11-06 22:42:53 UTC
Description of Problem:

# ipchains -L
ipchains: Incompatible with this kernel

Version-Release number of selected component (if applicable):
# rpm -q kernel ipchains
kernel-2.4.18-17.8.0
ipchains-1.3.10-16

# uname -ps
Linux athlon

How Reproducible:
always

Steps to Reproduce:
1. see above  

Additional Information:
	
I tried then to recompile ipchains from the src.rpm (I am a RH mirror)

# rpmbuild --rebuild ~ftp/pub/redhat/linux/8.0/en/os/i386/SRPMS/ipchains-1.3.10-16.src.rpm
Installing /disk02/ftp/pub/redhat/linux/8.0/en/os/i386/SRPMS/ipchains-1.3.10-16.src.rpm
error: Failed build dependencies:
        sgml-tools is needed by ipchains-1.3.10-16

But sgml-tools is not part of RH anymore:

# ls ~ftp/pub/redhat/linux/8.0/en/os/i386/SRPMS/*sgml*
/disk02/ftp/pub/redhat/linux/8.0/en/os/i386/SRPMS/psgml-1.2.3-5.src.rpm
/disk02/ftp/pub/redhat/linux/8.0/en/os/i386/SRPMS/sgml-common-0.6.3-12.src.rpm

# rpm -qa|grep sgml
sgml-common-0.6.3-12
psgml-1.2.3-5

Comment 1 Mike A. Harris 2002-11-07 10:49:32 UTC
This isn't a bug.  ipchains does work, let me explain...

# ipchains -L
ipchains: Incompatible with this kernel

That message is wrong.  Dead wrong.  The problem is that the 2.4 kernel
has 2 different firewall interfaces.  One is ipchains, the other is
iptables.  You can use one or the other, however you can _not_ use
*both* simultaneously.  If the ipchains kernel module is loaded, then
iptables can not be used, and if iptables kernel module is loaded, then
ipchains can not be used.

What happens if you _do_ try to use the ipchains, while the iptables
kernel module is loaded, is that you get the above stupid error message.

So, the solution is to disable iptables if you want to use ipchains.

On another note however, I'm so annoyed by all the bug reports over this
coming in constantly ever since the 2.4 kernel came out, that I am
going to hack ipchains and iptables and remove these stupid bogus error
messages and replace them with a truly informative message instructing
the user as to what they've done wrong and how to fix it.

I'm going to leave this bug report open as a reminder to myself, sort
of a kick in the pants until I fix this error message.  Then it can
be closed NOTABUG.

Also, the build time problem with sgml-tools needs to be looked at too.
I might as well fix that at the same time if it needs fixing.

Thanks for the report.



Comment 2 David Woodhouse 2002-11-07 10:55:38 UTC
'course, the real bug here is that something started causing the iptables module
to be loaded when it shouldn't have been. This 'helpful' addition of pointless
default firewall rules broke my firewall setup too, and rendered my system less
secure till I noticed that masq wasn't working either and fixed it.

Comment 3 Mike A. Harris 2002-11-07 11:43:00 UTC
dwmw2:

To fix that, try the following: rpm -e magicdev

Does that work?

Comment 4 Mate Wierdl 2002-11-07 17:29:56 UTC
I indeed just noticed that ipchains did not work, but my portsentry 
then has not done its job ever since iptables replaced ipchains.  I do not dare
to speculate for how long I was open.  Portsentry never complained, just said
that it blocked the connection via ipchains---but it did not.  

Please keep this "bug" open or solved, and do not mark it "not a bug", because
people like me will keep reporting it since it does not come up during a default
bug search.

Comment 6 Mike A. Harris 2004-05-28 13:24:58 UTC
As mentioned above, the error message that occurs from ipchains
is just a slightly misleading error message, and does not indicate
a bug in the software.

"iptables" is the preferred and supported IP filter tool in all
OS releases which ship with a 2.4.x or higher kernel.  Users
who require IP filtering functionality can now use "iptables" in
all of our supported OS releases as the supported IP filter
software.

For users who elect to use the unsupported "ipchains" IP filtering
mechanisms and who experience this problem, it is due to a misconfigured
system.  In order to avoid the error, ensure that the system
is configured to not load the "iptables" module at system startup
by using the "ntsysv" utility to disable the iptables system
service.  Once the system is rebooted, the iptables kernel modules
will no longer load, and the ipchains modules will be able to
load successfully.  The error message will not be displayed, as
there will no longer exist any runtime kernel module contention.

Hope this helps.

Closing as 'NOTABUG'
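
The module contention discussed in this thread (ipchains commands failing, and a tool reporting a block that never took effect, while the iptables module is loaded) can be detected before anything relies on ipchains. The script below is an added example, not part of the original report or of any Red Hat package; the module names `ip_tables` and `ipchains` are assumed, and the module listings are constructed samples in /proc/modules layout.

```shell
#!/bin/sh
# Added example: decide which 2.4 packet-filter interface is active from a
# /proc/modules-style listing, so a tool that shells out to ipchains can
# fail closed instead of assuming its rule was applied.
# Assumption: the kernel modules are named "ip_tables" and "ipchains".

# filter_backend FILE -> prints iptables | ipchains | none
filter_backend() {
    awk '
        $1 == "ip_tables" { t = 1 }
        $1 == "ipchains"  { c = 1 }
        END {
            if (t)      print "iptables"
            else if (c) print "ipchains"
            else        print "none"
        }' "$1"
}

# ipchains_usable FILE -> exit 0 only if ipchains rules can take effect
ipchains_usable() {
    case "$(filter_backend "$1")" in
        ipchains) return 0 ;;
        iptables) echo "ip_tables is loaded: ipchains rules will NOT be applied" >&2
                  return 1 ;;
        *)        echo "no packet-filter module loaded" >&2
                  return 2 ;;
    esac
}

# Constructed sample listings (not taken from the report).
sample_dir=$(mktemp -d)
printf '%s\n' 'ip_tables 14936 1 [iptable_filter]' \
    'iptable_filter 2412 0 (autoclean)' > "$sample_dir/iptables_loaded"
printf '%s\n' 'ipchains 43432 12' 'ext3 70368 2' > "$sample_dir/ipchains_loaded"

for f in iptables_loaded ipchains_loaded; do
    if ipchains_usable "$sample_dir/$f" 2>/dev/null; then
        echo "$f: ipchains OK"
    else
        echo "$f: refuse to rely on ipchains"
    fi
done
rm -rf "$sample_dir"
```

On a live system the same check is `ipchains_usable /proc/modules`, run before any ipchains rule is trusted to be in force.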