Red Hat Bugzilla – Bug 128549
redhat-config-services locks up for 5 minutes if iptables is selected
Last modified: 2007-11-30 17:07:03 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.2)
Description of problem:
If you select iptables or ip6tables in redhat-config-services-0.8.5-19,
the utility locks up for about 5 minutes (even on a 2.4GHz system)
while it does some kind of iptables-save style thing.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Launch redhat-config-services
2. Highlight iptables or ip6tables (whichever is active)
Actual Results: Utility locks up for a long time, at least 5 minutes.
Expected Results: I would expect no lockup. Perhaps if the utility's
mechanism for working out the firewall rules takes that long, why not
just capture the output from an iptables-save or something like that?
I know it isn't quite the same thing as what redhat-config-services
displays, but it would be fast.
Fact is, I thought the thing had crashed so I killed it the first few
times. It was by accident only (phone rang) that I left it long
enough to complete its thing.
FC1 & FC2 have the same problem, and presumably more versions.
Internal RFE bug #129467 entered; will be considered for future releases.
When clicking on an entry, system-config-services should run
"/sbin/service <service> status". In the case of iptables, it simply
lists the tables. If this takes as long as you report, my guess is
that it tries to resolve some IP addresses into names and runs into a
timeout. Can you please check whether a manual "/sbin/service iptables
status" as root takes equally long?
I think you may be right; on the system I just tested,
redhat-config-services takes 1 minute 50 seconds, "service iptables
status" takes 1 minute. There is a difference of almost x 2. On the
command line it seems to hang trying to spit out each of these two lines:
LOG all -- 192.0.2.0/24 anywhere LOG level warning prefix `TEST-NET: '
DROP all -- 192.0.2.0/24 anywhere
I'm thinking about a way to keep the GUI responsive while a called
script is in the works, but for the time being I have opened bug
#129731 which addresses that iptables/ip6tables makes name lookups in
the first place.
Barring any problems in iptables scripts, this is the same bug as bug
This seems to be fixed in system-config-services-0.9.1 as per bug #120579.