From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7b) Gecko/20040421

Description of problem:
After a period of time it becomes impossible to restart iptables. I receive a series of errors, it seems to stem from the failure to remove the ip_conntrack module.

Version-Release number of selected component (if applicable):
iptables-1.2.8-12.3
kernel-2.4.21-15.EL

How reproducible:
Sometimes

Steps to Reproduce:
1. Leave server up for a period of time (I encountered it this time after 45 days uptime)
2. run server with a series of iptables rules
3. run service iptables restart

Actual Results:
service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [FAILED]
Applying iptables firewall rules: iptables-restore: line 19 failed [FAILED]
###################################
Jun 1 18:58:37 burrow iptables: succeeded
Jun 1 18:58:38 burrow iptables: failed
Jun 1 18:58:38 burrow kernel: ip_tables: (C) 2000-2002 Netfilter core team
Jun 1 18:58:39 burrow insmod: /lib/modules/2.4.21-9.0.3.EL/kernel/net/ipv4/netfilter/ipt_state.o: insmod ipt_state failed
Jun 1 18:58:39 burrow iptables: failed
######################################
modprobe ipt_state
/lib/modules/2.4.21-9.0.3.EL/kernel/net/ipv4/netfilter/ipt_state.o: unresolved symbol ip_conntrack_get_Ra6f02512
/lib/modules/2.4.21-9.0.3.EL/kernel/net/ipv4/netfilter/ipt_state.o: unresolved symbol ip_conntrack_module_Rb0361033
/lib/modules/2.4.21-9.0.3.EL/kernel/net/ipv4/netfilter/ipt_state.o: insmod /lib/modules/2.4.21-9.0.3.EL/kernel/net/ipv4/netfilter/ipt_state.o failed
/lib/modules/2.4.21-9.0.3.EL/kernel/net/ipv4/netfilter/ipt_state.o: insmod ipt_state failed

Expected Results:
iptables modules should be reloaded cleanly and the firewall restarted

Additional info:
lsmod output:
Module                  Size  Used by    Not tainted
iptable_filter          2412   0 (autoclean) (unused)
ip_tables              15776   1 [iptable_filter]
ip_conntrack               0   0 (deleted)
cls_route               5400   0 (unused)
cls_u32                 6268   0
cls_fw                  3512   0 (unused)
sch_prio                3936   0 (unused)
sch_sfq                 4128   0 (unused)
sch_tbf                 4288   0
sch_cbq                14880   0
autofs                 13204   0 (autoclean) (unused)
ne2k-pci                7072   1
8390                    8064   0 [ne2k-pci]
crc32                   3712   0 [8390]
3c59x                  29616   1
natsemi                19040   1
ipv6                  221344  -1
floppy                 56592   0 (autoclean)
sg                     36140   0 (autoclean) (unused)
scsi_mod              103464   1 (autoclean) [sg]
loop                   11928   0 (autoclean)
lvm-mod                64224   0
keybdev                 2976   0 (unused)
mousedev                5492   0 (unused)
hid                    22084   0 (unused)
input                   5856   0 [keybdev mousedev hid]
usb-uhci               25836   0 (unused)
usbcore                77152   1 [hid usb-uhci]
ext3                   85704   4
jbd                    50572   4 [ext3]
This is a kernel netfilter problem. Assigning to kernel.
I also encounter this bug. In attempting to reproduce, I stumbled upon a way to oops the kernel by unloading and reloading iptables modules. I've opened a bugzilla entry against the kernel at:
http://bugzilla.kernel.org/show_bug.cgi?id=5248
Don't know for sure if it's the same issue or not, but I've definitely seen this too...
A workaround for this appears to be:
service network restart
Seems to free up whatever the modprobe is waiting on...
This bug is filed against RHEL 3, which is in maintenance phase. During the maintenance phase, only security errata and select mission critical bug fixes will be released for enterprise products. Since this bug does not meet those criteria, it is now being closed. For more information on the RHEL errata support policy, please visit: http://www.redhat.com/security/updates/errata/ If you feel this bug is indeed mission critical, please contact your support representative. You may be asked to provide detailed information on how this bug is affecting you.