Bug 980390

Summary: If I install openswan package, after collecting sosreport, iptables will be started even though iptables is stopped and chkconfig off before collecting the sosreport.
Product: Red Hat Enterprise Linux 6 Reporter: Chen <cchen>
Component: openswan Assignee: Paul Wouters <pwouters>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: high    
Version: 6.4 CC: agk, bmr, eparis, gavin, iptables-maint-list
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-07-23 19:34:22 UTC Type: Bug

Description Chen 2013-07-02 08:53:16 UTC
Description of problem:

If I install openswan package, after collecting sosreport, iptables will be started even though iptables is stopped and chkconfig off before collecting the sosreport. 

Version-Release number of selected component (if applicable):

RHEL6.4

How reproducible:

Always

Steps to Reproduce:

1. Stop iptables.

# service iptables stop

2. Install openswan.

# yum install openswan

3. Collect iptables.

# sosreport

4. Check iptables status

# service iptables status

Actual results:

Iptables is started.

Expected results:

Iptables should be stopped.

Additional info:

Comment 1 Chen 2013-07-02 09:02:18 UTC
Per my investigation, first we have

# cat /usr/lib/python2.6/site-packages/sos/plugins/openswan.py

self.collectExtOutput("/usr/sbin/ipsec barf")

Then, in /usr/libexec/ipsec/barf we have 

# cat /usr/libexec/ipsec/barf

if test -r /sbin/iptables-save
then
        iptables-save
        _________________________ iptables-nat
        iptables-save -t nat
        _________________________ iptables-mangle
        iptables-save -t mangle

After iptables-save -t nat, the iptables is started.

I think we should do something to stop iptables from being started after collecting sosreport.

Best regards,

Chen

Comment 3 Bryn M. Reeves 2013-07-02 09:07:33 UTC
This is a bug in ipsec's barf command. It should not modify system state. Please report a bug against the openswan package (or move this bug to that component).

We are already intending to disable ipsec barf collection in sos due to bug 924925 (openswan bug 771612).
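
Added example, not part of the bug report and not code from sos or openswan: a shell check for the property stated in Comment 3, that a diagnostic command should not modify system state. It assumes the kernel lists registered iptables tables in /proc/net/ip_tables_names; `TABLES_FILE`, `snapshot_tables` and `tables_added_by` are hypothetical names.

```shell
#!/bin/sh
# Added example: report netfilter tables that a diagnostic command registers
# as a side effect. TABLES_FILE and both function names are hypothetical.
# Assumption: the kernel lists registered tables, one per line, in
# /proc/net/ip_tables_names (the file is absent until ip_tables is loaded).
TABLES_FILE="${TABLES_FILE:-/proc/net/ip_tables_names}"

# snapshot_tables: print the sorted table list, or nothing if the file is absent.
snapshot_tables() {
    if [ -r "$TABLES_FILE" ]; then
        sort -u "$TABLES_FILE"
    fi
}

# tables_added_by CMD [ARGS...]: run CMD, discard its output, and print every
# table that is registered afterwards but was not registered before.
# Returns 1 if any table was added, 0 if the table list is unchanged,
# 2 if a temporary file could not be created.
tables_added_by() {
    before=$(mktemp) || return 2
    after=$(mktemp) || { rm -f "$before"; return 2; }
    snapshot_tables > "$before"
    # The command's own exit status is irrelevant to the side-effect check.
    "$@" > /dev/null 2>&1 || true
    snapshot_tables > "$after"
    # comm -13 keeps only the lines unique to the second (after) snapshot.
    added=$(comm -13 "$before" "$after")
    rm -f "$before" "$after"
    if [ -n "$added" ]; then
        printf '%s\n' "$added"
        return 1
    fi
    return 0
}

# Typical use as root on the affected host (not run here):
#   tables_added_by /usr/sbin/ipsec barf || echo "barf changed firewall state"
```

Run it with iptables stopped, as in the steps to reproduce, so that any table it prints was registered by the command under test.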

Comment 5 Eric Paris 2013-07-23 19:34:22 UTC
Marking this bug as a duplicate.  This has been fixed for 6.5

*** This bug has been marked as a duplicate of bug 954249 ***