Red Hat Bugzilla – Full Text Bug Listing
|Summary:||upgraded systems loses their iptables firewall|
|Product:||[Fedora] Fedora||Reporter:||Mads Kiilerich <mads>|
|Component:||iptables||Assignee:||Thomas Woerner <twoerner>|
|Status:||CLOSED ERRATA||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||18||CC:||awilliam, jpopelka, mads, psabata, robatino, tflink, twoerner|
|Doc Type:||Bug Fix|
|Last Closed:||2012-12-13 17:01:50 EST||Type:||Bug|
Description Mads Kiilerich 2012-10-18 13:01:29 EDT
iptables.service has been split out to iptables-services-188.8.131.52-3.fc18 (with some reference to Bug 862922 - RFE: rework service packaging). That is probably ok now when we have firewalld. (It is however misleading that /etc/sysconfig/iptables-config is in iptables - it seems like it belongs in -services.)

But AFAICS it is a critical problem that upgraded systems will get iptables-184.108.40.206-3.fc18.x86_64 without iptables.services and thus no longer get their firewall rules applied. That could compromise system security or availability.

I would expect that some rpm magic was applied so systems upgraded from iptables < 18 also got iptables-services.

I don't know if anaconda will handle this somehow, but it seems to me like it would be NTH.
Comment 1 Fedora Update System 2012-11-02 09:33:57 EDT
iptables-220.127.116.11-4.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/iptables-18.104.22.168-4.fc18
Comment 2 Mads Kiilerich 2012-11-02 09:44:37 EDT
http://pkgs.fedoraproject.org/cgit/iptables.git/commit/?id=dd96cc55858e1fbd66f07a9e383c49bd4e79c701

* Fri Nov 02 2012 Thomas Woerner <firstname.lastname@example.org> 22.214.171.124-4
- fixed missing services for update of pre F-18 installations (rhbz#867960)
- provide and obsolete old main package in services sub package
- provide and obsolete old ipv6 sub package (pre F-17) in services sub package
Comment 3 Fedora Update System 2012-11-02 14:44:04 EDT
Package iptables-126.96.36.199-4.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing iptables-188.8.131.52-4.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17528/iptables-184.108.40.206-4.fc18
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2012-11-08 22:17:54 EST
Package iptables-220.127.116.11-5.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing iptables-18.104.22.168-5.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17528/iptables-22.214.171.124-5.fc18
then log in and leave karma (feedback).
Comment 5 Tim Flink 2012-11-30 14:19:34 EST
This has been ON_QA for almost a month now. Has anyone tested the fix to see if this has been fixed?
Comment 6 Adam Williamson 2012-12-13 17:01:50 EST
Looks fixed to me. I just tested a yum upgrade of a minimal F17 install to F18. iptables-services is installed after upgrade, 'systemctl status iptables.service' shows it successfully loaded during boot, and 'iptables -L' shows what looks like a working firewall config. Setting closed, as the update went stable long ago.
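
The three checks from comment 6 (package present, iptables.service loaded, rules visible) combined into one post-upgrade check. This is an added example, not part of the original bug report or the Fedora packaging; the function names, messages and sample rulesets are constructed for illustration, and only the filter table is inspected.

```shell
#!/bin/sh
# Added example: post-upgrade check for a firewall that silently stopped loading.
# Sample rulesets at the bottom are constructed for illustration.

# Reads `iptables -S` output (filter table) on stdin. Succeeds when there are
# no -A rules and every built-in chain policy is ACCEPT, i.e. nothing is filtered.
# Empty input (iptables could not be run) is also treated as "open".
ruleset_is_open() {
    awk '$1 == "-P" && $3 != "ACCEPT" { restrictive = 1 }
         $1 == "-A"                   { rules = 1 }
         END { exit ((restrictive || rules) ? 1 : 0) }'
}

# classify PKG SVC RULES
#   PKG   "yes" if iptables-services is installed
#   SVC   output of `systemctl is-active iptables.service`
#   RULES output of `iptables -S`
# A loaded ruleset is accepted whatever provides it (e.g. firewalld).
classify() {
    if printf '%s\n' "$3" | ruleset_is_open; then
        if [ "$1" != yes ]; then
            echo "FAIL: iptables-services missing, no rules loaded"
        elif [ "$2" != active ]; then
            echo "FAIL: iptables.service not active, no rules loaded"
        else
            echo "WARN: iptables.service active but ruleset is empty"
        fi
        return 1
    fi
    echo "OK: a filter ruleset is in effect"
}

# Live check, to be run as root on the upgraded host.
check_host() {
    pkg=no; rpm -q iptables-services >/dev/null 2>&1 && pkg=yes
    svc=$(systemctl is-active iptables.service 2>/dev/null) || true
    rules=$(iptables -S 2>/dev/null) || true
    classify "$pkg" "$svc" "$rules"
}

SAMPLE_LOST='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'
SAMPLE_LOADED="$SAMPLE_LOST
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited"

classify no inactive "$SAMPLE_LOST" || true   # the state this bug produces
classify yes active "$SAMPLE_LOADED"          # the state after the fixed update
```

On a real host, call `check_host` as root after the upgrade and first reboot; a non-zero return means no filter rules are in effect.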