Bug 98241

Summary: (presumably buggy) depmod causes iptables firewall not to work
Product: [Retired] Red Hat Linux Beta
Component: kernel
Version: alpha 3
Hardware: i386
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Keywords: Security
Doc Type: Bug Fix
Reporter: Nils Philippsen <nphilipp>
Assignee: Arjan van de Ven <arjanv>
QA Contact: Brian Brock <bbrock>
CC: aoliva, blocke, gt, krmaxwell, pp, twaugh, vonbrand, wtogami
Bug Blocks: 100644
Last Closed: 2003-09-08 09:14:07 UTC

Description Nils Philippsen 2003-06-28 21:50:16 UTC
Description of problem:

depmod messes up modules.dep, e.g. it builds this entry:

/lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o:
/lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ip_tables.o \
        /lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ip_conntrack.o \
        /lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ipchains.o

Obviously, the ipchains dependency is wrong (it should depend on iptable_nat
instead). This causes iptables-restore to fail (on MASQUERADE targets), which in
turn leaves the machine without a packet filter.

Version-Release number of selected component (if applicable):

modutils-2.4.25-6
kernel-2.4.20-20.1.2013.nptl
glibc-2.3.2-57

How reproducible:

reproducible

Steps to Reproduce:
1. depmod -a
2. modprobe ipt_MASQUERADE
3. or: service iptables start
    
Actual results:

iptables firewall doesn't get loaded

Expected results:

iptables firewall gets loaded
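
The kind of check an administrator could run after depmod to catch this before "service iptables start" fails, written here as an added example (it is not code from the bug report, from modutils or from Red Hat): it parses a modules.dep file in the layout quoted above and flags any ipt_*/iptable_* module whose dependency list names ipchains or ipfwadm (the two legacy compatibility modules the workaround later in this thread removes), or that lacks the iptable_nat dependency the report says ipt_MASQUERADE should have. The sample modules.dep text is constructed from the paths in the report; the iptable_nat and ip_tables entries in it are constructed and are not taken from the page.

```python
"""Parse a modutils-style modules.dep and flag netfilter entries that pull in
the legacy ipchains/ipfwadm compatibility modules, as in the depmod output
quoted in this bug report.  Added example, not part of the report or modutils."""
import os

# Legacy compatibility modules whose presence in an iptables module's
# dependency list is the symptom reported here.
LEGACY_COMPAT = {"ipchains", "ipfwadm"}

# What the reporter says ipt_MASQUERADE should depend on instead of ipchains.
EXPECTED_DEPS = {"ipt_MASQUERADE": {"iptable_nat"}}

# Constructed sample in the real modules.dep layout ("target: dep dep \" with
# indented continuation lines).  The ipt_MASQUERADE entry reproduces the one
# quoted in the report; the iptable_nat and ip_tables entries are constructed.
SAMPLE_MODULES_DEP = """\
/lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o: /lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ip_tables.o \\
\t/lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ip_conntrack.o \\
\t/lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ipchains.o

/lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/iptable_nat.o: /lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ip_tables.o \\
\t/lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ip_conntrack.o
/lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ip_tables.o:
"""


def module_name(path):
    """Strip directory and the .o suffix: .../ipt_MASQUERADE.o -> ipt_MASQUERADE."""
    base = os.path.basename(path.strip())
    return base[:-2] if base.endswith(".o") else base


def parse_modules_dep(text):
    """Return {module: [dependency, ...]} from modules.dep text, joining
    backslash-continued lines and skipping blank ones."""
    deps = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            # Continuation: drop the backslash, keep collecting.
            logical += line[:-1] + " "
            continue
        logical += line
        if logical.strip():
            target, _, rest = logical.partition(":")
            deps[module_name(target)] = [module_name(d) for d in rest.split()]
        logical = ""
    return deps


def find_bad_netfilter_deps(deps):
    """Return sorted (module, problem) pairs for iptables modules whose
    dependency list names a legacy compat module or lacks a dependency the
    report says must be present."""
    findings = []
    for mod, mod_deps in deps.items():
        if not (mod.startswith("ipt_") or mod.startswith("iptable_")):
            continue
        for legacy in sorted(LEGACY_COMPAT & set(mod_deps)):
            findings.append((mod, "depends on legacy module " + legacy))
        for want in sorted(EXPECTED_DEPS.get(mod, set()) - set(mod_deps)):
            findings.append((mod, "missing dependency on " + want))
    return sorted(findings)


if __name__ == "__main__":
    # Run against the constructed sample; point parse_modules_dep() at the
    # contents of /lib/modules/<version>/modules.dep to check a real system.
    for mod, problem in find_bad_netfilter_deps(parse_modules_dep(SAMPLE_MODULES_DEP)):
        print(f"{mod}: {problem}")
```

Run against the sample, the check reports ipt_MASQUERADE twice: once for the ipchains dependency and once for the missing iptable_nat dependency, while the constructed iptable_nat entry passes.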

Comment 1 Nils Philippsen 2003-06-28 22:00:12 UTC
The error shows also with modutils as old as 2.4.18-2, but only with newer
kernels, e.g. not with 2.4.20-18.9, but with all of these:

kernel-2.4.20-20.1.2013.nptl
kernel-2.4.20-20.1.2007.nptl
kernel-2.4.20-20.1.2005.nptl

Comment 2 Nils Philippsen 2003-06-28 22:09:32 UTC
Forgot to mention that when insmodding the modules by hand (in the correct
order), everything works fine (substituting ipchains with iptable_nat of course).

Comment 3 Bill Nottingham 2003-06-30 16:12:40 UTC
ipchains is exporting symbols, it probably shouldn't be.

Comment 4 Nils Philippsen 2003-07-08 23:51:07 UTC
Still the case with 2.4.21-1.2023:

/lib/modules/2.4.21-1.2023/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o: 
/lib/modules/2.4.21-1.2023/kernel/net/ipv4/netfilter/ip_tables.o \
        /lib/modules/2.4.21-1.2023/kernel/net/ipv4/netfilter/ipchains.o \
        /lib/modules/2.4.21-1.2023/kernel/net/ipv4/netfilter/ip_conntrack.o


Comment 6 Pekka Pietikäinen 2003-07-22 12:29:03 UTC
*** Bug 90647 has been marked as a duplicate of this bug. ***

Comment 7 Pekka Pietikäinen 2003-07-22 12:32:49 UTC
As I mentioned in #90647, nuking ipchains.o and ipfwadm.o and rerunning depmod -a 
is a workaround for this bug.

Comment 8 Nils Philippsen 2003-07-25 06:06:08 UTC
Why isn't this considered a blocker bug for Cambridge (#100643)? After all this
_is_ a security issue.

Comment 9 Gerald Teschl 2003-07-26 12:47:09 UTC
*** Bug 100428 has been marked as a duplicate of this bug. ***

Comment 10 Gerald Teschl 2003-07-26 12:48:30 UTC
*** Bug 100763 has been marked as a duplicate of this bug. ***

Comment 11 Nils Philippsen 2003-09-08 09:14:07 UTC
Fixed in kernel-2.4.22-1.2030.nptl

Comment 12 Alexandre Oliva 2003-09-08 12:05:00 UTC
Err....  -1.2030?  That's a lower version number than -20.1.2024.2.36, that
still has the problem.  Isn't the `20.' missing in this versioning scheme?

Comment 13 Dave Jones 2003-09-08 13:56:17 UTC
It's deliberate. The -20 was bogus.