Bug 103033 - upgrade iptables 1.2.6a -> 1.2.8 stops firewall from working after reboot : all tables open !
Product: Red Hat Linux
Classification: Retired
Component: iptables
i386 Linux
Priority: high, Severity: medium
Assigned To: Thomas Woerner
Ben Levenson
: Security
Reported: 2003-08-25 14:20 EDT by PhM
Modified: 2007-03-27 00:09 EDT

Doc Type: Bug Fix
Last Closed: 2003-08-26 11:24:11 EDT

Description PhM 2003-08-25 14:20:46 EDT
Description of problem:
Upgrade of iptables to 1.2.8 on RedHat 8/2.4.20-20.8 stops the firewall!

Version-Release number of selected component (if applicable):

How reproducible:
Patch a RedHat 8/2.4.20-20.8 machine using up2date: after restarting the
iptables service, the firewall's status stays on "stopped".

Steps to Reproduce:
1. On a RedHat 8/2.4.20-20.8 machine, install iptables 1.2.8 via up2date
2. reboot machine
3. service iptables status
Actual results:
Until the file /etc/sysconfig/iptables-config is modified and all options are set
to "yes", the iptables service will not start.

Expected results:
By modifying the /etc/sysconfig/iptables-config file and setting all options
to "yes", the iptables service will start.

Additional info:
New content of /etc/sysconfig/iptables-config:
# Additional iptables modules (nat helper)
# Default: -empty-

# Save current firewall rules on stop.
# Value: yes|no,  default: no

# Save current firewall rules on restart.
# Value: yes|no,  default: no

# Save (and restore) rule counter.
# Value: yes|no,  default: no

# Numeric status output
# Value: yes|no,  default: no
Comment 1 Thomas Woerner 2003-08-26 09:13:58 EDT
I am sorry, but iptables-1.2.8-8.80.2 is working for me without any problems
with the kernel 2.4.20-20.8.

Can you send me the output of the following command, please:
sh -x /etc/init.d/iptables start
Comment 2 PhM 2003-08-26 09:37:21 EDT

Thanks for looking at the bug.

I cannot do sh -x /etc/init.d/iptables start anymore because I patched all my 
machines since.  Sorry.

I did debug the init script though.  If we look at the iptables init script, 
start case, it is based on the existence of a saved iptables ruleset, which 
on our firewall does not exist (the rules are not restored, they are 
created at init time by a specialized script).
Now, let's see around lines 140-150:

If there is no file -> no message, no start:
[ -f $IPTABLES_DATA ] || return 1 

If no tables and rules have been saved before the upgrade of 
iptables, the init stops there (return 1), and then there are 
no /etc/sysconfig/iptables rules -> iptables won't start.

if [ $? -eq 0 ]; then
	success; echo
else
	failure; echo; return 1
fi

Comment 3 Thomas Woerner 2003-08-26 09:49:17 EDT
iptables will not load changes to the iptables data file automatically.
Comment 4 PhM 2003-08-26 10:09:33 EDT
The last answer left me with some questioning...

How come it was working under iptables for more than a year on multiple 
machines, some of which are rebooted almost every day, and when I upgraded 
iptables from 1.2.6a to 1.2.8, iptables would suddenly not start anymore!

For example, take an empty-rule firewall where the /etc/sysconfig/iptables file 
does not exist, and iptables won't start!
Comment 5 Thomas Woerner 2003-08-26 11:24:11 EDT
The only thing that was done before with a missing firewall rule file was to
load the netfilter modules. 

The modules create the default tables with the policy 'ACCEPT' and no rules
while loading. If there are no rules, chains or other policies defined, it makes
no difference if the modules are loaded or not: No filtering, nat or connection

Therefore the iptables service does not start anymore if there is no firewall
rule file.

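The failure mode described in Comment 2 and Comment 5 (the init script returns 1 when the saved-rules file is missing, so every chain stays at the module default of policy ACCEPT with no rules) can be caught by a post-boot check such as the following. This is an added example, not code from the bug thread or from the Red Hat init script; the two sample rulesets are constructed, and the warning texts and function names are assumptions.

```sh
# Post-boot firewall audit for the failure mode in this bug: the init script
# returns 1 when the saved-rules file is missing, so the netfilter tables stay
# at the module defaults (every chain policy ACCEPT, no rules at all).

# Same test the init script applies: "[ -f $IPTABLES_DATA ] || return 1".
fw_data_present() {
    [ -f "$1" ]
}

# Reads a ruleset in iptables-save format on stdin.
# Exit status 0 when every built-in chain policy is ACCEPT and no rule exists
# (the "all tables open" state), 1 as soon as any policy or rule filters.
fw_ruleset_is_open() {
    awk '
        # ":CHAIN POLICY [pkts:bytes]"; user-defined chains carry policy "-"
        /^:/   { if ($2 != "ACCEPT" && $2 != "-") closed = 1 }
        /^-A / { closed = 1 }             # any rule appended to any chain
        END    { if (closed) exit 1; exit 0 }
    '
}

# Verdict for one host: 0 = ruleset is enforcing something, 1 = wide open.
# Arguments: data-file path, ruleset text (on a live host: "$(iptables-save)").
fw_audit() {
    data=$1; ruleset=$2
    if ! fw_data_present "$data"; then
        echo "WARN: $data missing; 'service iptables start' returns 1" >&2
    fi
    if printf '%s\n' "$ruleset" | fw_ruleset_is_open; then
        echo "WARN: all chains ACCEPT and no rules: host is unfiltered" >&2
        return 1
    fi
    return 0
}

# Constructed sample: what iptables-save prints right after the modules load.
OPEN_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample: a minimal enforcing ruleset.
CLOSED_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'
```

On a real host the call is `fw_audit /etc/sysconfig/iptables "$(iptables-save)"`; a non-zero exit from a boot-time job is the signal that the upgrade left the box unfiltered.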