Red Hat Bugzilla – Bug 107105
Restarting iptables can leave modules wedged
Last modified: 2007-04-18 12:58:27 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20030716
Description of problem:
The module loading change in the recent iptables errata can now break a firewall
after a simple "service iptables restart". Previously modules were not
repeatedly loaded and unloaded. Currently module unloading cannot be relied on
by production servers due to the possibility of modules wedging.
I now need to comment out the module loading/unloading from the iptables init
script to reliably restart firewalls under Red Hat Linux.
I have repeated this problem under Red Hat 7.2 and 8.0 on several different
machines. I'm sure it would also occur on 9 and any other version with the
recent iptables errata.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1.Create a firewall that relies on conntrack (and other modules)
2.service network restart
Actual Results: The init script attempts to unload the modules and fails part
Module Size Used by Not tainted
ip_conntrack 0 0 (deleted)
This partially unloaded module will prevent conntrack loading again until the
system is rebooted.
Expected Results: The iptables modules should not be unloaded. It is too risky.
This would prevent the conntrack (or other) modules from wedging under normal
*** This bug has been marked as a duplicate of 103177 ***
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.