Bug 103033 - upgrade iptables 1.2.6a -> 1.2.8 stops firewall from working after reboot : all tables open !
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: iptables
Version: 8.0
Hardware: i386
OS: Linux
high
medium
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2003-08-25 18:20 UTC by PhM
Modified: 2007-03-27 04:09 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2003-08-26 15:24:11 UTC
Embargoed:



Description PhM 2003-08-25 18:20:46 UTC
Description of problem:
upgrade of iptables to 1.2.8 on RedHat 8/2.4.20-20.8 stops the firewall!

Version-Release number of selected component (if applicable):
1.2.8

How reproducible:
patch a RedHat 8/2.4.20-20.8 machine using up2date: after restarting the 
iptables service, the firewall's status stays on "stopped"

Steps to Reproduce:
1. on a Redhat 8/2.4.20-20.8 machine, install iptables 1.2.8 via up2date
2. reboot machine
3. service iptables status
    
Actual results:
until the file /etc/sysconfig/iptables-config is modified and all options set 
to "yes", the iptables service will not start.

Expected results:
by modifying the /etc/sysconfig/iptables-config file and setting all options 
to "yes", the iptables service will start.


Additional info:
new content of /etc/sysconfig/iptables-config:
# Additional iptables modules (nat helper)
# Default: -empty-
IPTABLES_MODULES="ip_nat_ftp"

# Save current firewall rules on stop.
# Value: yes|no,  default: no
IPTABLES_SAVE_ON_STOP="yes"

# Save current firewall rules on restart.
# Value: yes|no,  default: no
IPTABLES_SAVE_ON_RESTART="yes"

# Save (and restore) rule counter.
# Value: yes|no,  default: no
IPTABLES_SAVE_COUNTER="yes"

# Numeric status output
# Value: yes|no,  default: no
IPTABLES_STATUS_NUMERIC="yes"

Comment 1 Thomas Woerner 2003-08-26 13:13:58 UTC
I am sorry, but iptables-1.2.8-8.80.2 is working for me without any problems
with the kernel 2.4.20-20.8.

Can you send me the output of the following command, please:
sh -x /etc/init.d/iptables start


Comment 2 PhM 2003-08-26 13:37:21 UTC
Hi,

Thanks for looking at the bug.

I cannot do sh -x /etc/init.d/iptables start anymore because I patched all my 
machines since.  Sorry.

I did debug the init script though.  If we look at the iptables init script, 
start case, it is based on the existence of a saved iptables ruleset, which 
on our firewall does not exist (the rules are not restored, they are 
created at init time by a specialized script).
Now, let's look around lines 140-150:

if no file -> no message, no start:
[ -f $IPTABLES_DATA ] || return 1 

If no tables and rules have been previously saved before doing the upgrade of 
iptables, the init stops there (return 1) and then there are 
no /etc/sysconfig/iptables rules -> iptables won't start.

moreover:
$IPTABLES-restore $OPT $IPTABLES_DATA
if [ $? -eq 0 ]; then
	success; echo
else
	failure; echo; return 1
fi



Comment 3 Thomas Woerner 2003-08-26 13:49:17 UTC
iptables will not load changes to the iptables data file automatically.

Comment 4 PhM 2003-08-26 14:09:33 UTC
The last answer left me with some questioning...

How come it was working under iptables for more than a year on multiple 
machines, some of which are rebooted almost every day, and when I upgraded 
iptables from 1.2.6a to 1.2.8, iptables would suddenly not start anymore!

For example, take an empty-rule firewall where the /etc/sysconfig/iptables file 
does not exist, and iptables won't start!

Comment 5 Thomas Woerner 2003-08-26 15:24:11 UTC
The only thing that was done before with a missing firewall rule file was to
load the netfilter modules.

The modules create the default tables with the policy 'ACCEPT' and no rules
while loading. If there are no rules, chains or other policies defined, it makes
no difference if the modules are loaded or not: No filtering, nat or connection
tracking.

Therefore the service iptables does not start anymore, if there is no firewall
rule file.
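As an added example (not from this bug report and not the Red Hat iptables init script), the POSIX sh check below classifies a saved ruleset file the way the start case quoted in comment 2 and the explanation in comment 5 imply: file missing (the init script returns 1 with no message), file present but the filter table is all ACCEPT with no rules (what the modules alone give, i.e. no filtering), or file present and actually filtering. The function names and the two sample rulesets are constructed for this example.

```shell
#!/bin/sh
# Added example: pre-upgrade / pre-reboot check of a saved iptables ruleset
# (iptables-save format). Names check_ruleset, write_open_ruleset and
# write_filtering_ruleset are assumed, not from the init script.

# check_ruleset FILE
#   0  file present and the filter table restricts something
#   1  file missing (init script: "[ -f $IPTABLES_DATA ] || return 1")
#   2  file present but filter table leaves everything open
check_ruleset() {
    data="$1"
    [ -f "$data" ] || return 1
    table="" drop=0 rules=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \**)   table="${line#\*}" ;;                # "*filter", "*nat", ...
            :*)    [ "$table" = filter ] || continue
                   rest="${line#* }"; policy="${rest%% *}"   # ":INPUT DROP [0:0]"
                   [ "$policy" = DROP ] && drop=$((drop + 1)) ;;
            -A\ *) [ "$table" = filter ] && rules=$((rules + 1)) ;;
        esac
    done < "$data"
    [ "$drop" -gt 0 ] || [ "$rules" -gt 0 ] || return 2
    return 0
}

# Constructed sample: tables as the modules create them (all open).
write_open_ruleset() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' 'COMMIT' > "$1"
}

# Constructed sample: a minimal filtering ruleset.
write_filtering_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' 'COMMIT' > "$1"
}

# On a live host:  check_ruleset /etc/sysconfig/iptables; echo $?
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    write_open_ruleset "$tmp/open"; write_filtering_ruleset "$tmp/ok"
    for f in "$tmp/missing" "$tmp/open" "$tmp/ok"; do
        check_ruleset "$f"; echo "$f -> $?"      # prints 1, 2, 0
    done
    rm -rf "$tmp"
fi
```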


