Bug 867960

Summary: upgraded systems loses their iptables firewall
Product: [Fedora] Fedora Reporter: Mads Kiilerich <mads>
Component: iptablesAssignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: awilliam, jpopelka, mads, psabata, robatino, tflink, twoerner
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-13 17:01:50 EST Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 752661    

Description Mads Kiilerich 2012-10-18 13:01:29 EDT
iptables.service has been split out to iptables-services-1.4.16.2-3.fc18 (with some reference to Bug 862922 - RFE: rework service packaging). That is probably ok now when we have firewalld. (It is however misleading that /etc/sysconfig/iptables-config is in iptables - it seems like it belongs in -services.)

But AFAICS it is a critical problem that upgraded systems will get iptables-1.4.16.2-3.fc18.x86_64 without iptables.services and thus no longer get their firewall rules applied. That could compromise system security or availability.

I would expect that some rpm magic was applied so systems upgraded from iptables < 18 also got iptables-services.

I don't know if anaconda will handle this somehow, but it seems to me like it would be NTH.
Comment 1 Fedora Update System 2012-11-02 09:33:57 EDT
iptables-1.4.16.2-4.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/iptables-1.4.16.2-4.fc18
Comment 2 Mads Kiilerich 2012-11-02 09:44:37 EDT
http://pkgs.fedoraproject.org/cgit/iptables.git/commit/?id=dd96cc55858e1fbd66f07a9e383c49bd4e79c701

* Fri Nov 02 2012 Thomas Woerner <twoerner@redhat.com> 1.4.16.2-4 
- fixed missing services for update of pre F-18 installations (rhbz#867960) 
- provide and obsolete old main package in services sub package 
- provide and obsolete old ipv6 sub package (pre F-17) in services sub package
Comment 3 Fedora Update System 2012-11-02 14:44:04 EDT
Package iptables-1.4.16.2-4.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing iptables-1.4.16.2-4.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17528/iptables-1.4.16.2-4.fc18
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2012-11-08 22:17:54 EST
Package iptables-1.4.16.2-5.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing iptables-1.4.16.2-5.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17528/iptables-1.4.16.2-5.fc18
then log in and leave karma (feedback).
Comment 5 Tim Flink 2012-11-30 14:19:34 EST
This has been ON_QA for almost a month now, has anyone tested the fix to see if this has been fixed?
Comment 6 Adam Williamson 2012-12-13 17:01:50 EST
Looks fixed to me. I just tested a yum upgrade of a minimal F17 install to F18. iptables-services is installed after upgrade, 'systemctl status iptables.service' shows it successfully loaded during boot, and 'iptables -L' shows what looks like a working firewall config. Setting closed, as the update went stable long ago.