Bug 129344 - Connection tracking information lost when reloading firewall rules
Summary: Connection tracking information lost when reloading firewall rules
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: iptables
Version: 2
Hardware: All
OS: Linux
Priority: medium
Severity: low
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2004-08-06 18:41 UTC by Aleksandar Milivojevic
Modified: 2007-11-30 22:10 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2004-08-23 12:14:40 UTC
Type: ---
Embargoed:

Description Aleksandar Milivojevic 2004-08-06 18:41:26 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1

Description of problem:
If the /etc/sysconfig/iptables file is edited and then reloaded using
iptables restart, connection tracking information is lost.  This is
because the ip_conntrack module is unloaded during restart.

If the connection tracking match is used to build a stateless firewall, this
might cause packets from previously established connections to be
dropped.  For example, take these two simplified rules for an HTTP server:

  -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
  -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

When iptables restart is run, packets from connections established
before iptables was restarted will start to get dropped until there
is another packet from client to server (which would match the NEW state).
This will more seriously affect connections where traffic is mostly
unidirectional and the direction of traffic matches the second line, which
has only the "ESTABLISHED" match.

A possible solution for this would be to implement a "reload" command in the
iptables script that would ignore the value of IPTABLES_MODULES_UNLOAD
from /etc/sysconfig/iptables-config (or alternatively, there could be a
new variable IPTABLES_MODULES_UNLOAD_ON_RELOAD or such).  Something
along the lines of:

reload() {
    IPTABLES_MODULES_UNLOAD="no"   # no spaces around "=", so stop() skips the rmmod
    stop
    start
}

Version-Release number of selected component (if applicable):
iptables-1.2.9-2.3.1

How reproducible:
Always

Steps to Reproduce:
1. Make sure IPTABLES_MODULES_UNLOAD is set to "yes" (default)
2. Restart firewall
3. Watch packets from previously established connections dropped

Additional info:
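
As an added example (not the Fedora init script and not the reporter's code), the sketch above carried through as a working sh script: stop() and start() are simplified stand-ins for the /etc/init.d/iptables functions, and the overridable paths and the MODULES_UNLOADED flag are assumptions made so the behaviour can be checked without touching a live kernel.

```shell
#!/bin/sh
# Added example, not the Fedora init script. stop() and start() are
# simplified stand-ins for the /etc/init.d/iptables functions; the
# MODULES_UNLOADED flag and the overridable paths are assumptions.

IPTABLES_CONFIG=${IPTABLES_CONFIG:-/etc/sysconfig/iptables-config}
IPTABLES_DATA=${IPTABLES_DATA:-/etc/sysconfig/iptables}
IPTABLES=${IPTABLES:-iptables}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}
MODULES_UNLOADED=0   # set to 1 when stop() unloads ip_conntrack

load_config() {
    # Take the value from the config file, defaulting to "yes" as stock.
    unset IPTABLES_MODULES_UNLOAD
    if [ -r "$IPTABLES_CONFIG" ]; then . "$IPTABLES_CONFIG"; fi
    IPTABLES_MODULES_UNLOAD=${IPTABLES_MODULES_UNLOAD:-yes}
}

stop() {
    for t in filter nat mangle; do
        "$IPTABLES" -t "$t" -F 2>/dev/null || :
        "$IPTABLES" -t "$t" -X 2>/dev/null || :
    done
    # Unloading ip_conntrack is what discards the state table.
    if [ "$IPTABLES_MODULES_UNLOAD" = "yes" ]; then
        rmmod ip_conntrack 2>/dev/null || :
        MODULES_UNLOADED=1
    fi
}

start() {
    "$IPTABLES_RESTORE" < "$IPTABLES_DATA"
}

restart() {
    load_config
    stop
    start
}

# Same sequence as restart, but the unload setting is overridden for this
# run so established connections keep their conntrack entries. No spaces
# around "=": "VAR = no" would try to run a command named VAR.
reload() {
    load_config
    IPTABLES_MODULES_UNLOAD="no"
    stop
    start
}
case "${1:-}" in restart) restart ;; reload) reload ;; esac
```

With IPTABLES_MODULES_UNLOAD="yes" in the config, restart still unloads the module while reload leaves it loaded, so the ESTABLISHED-only OUTPUT rule keeps matching across a reload.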

Comment 1 Aleksandar Milivojevic 2004-08-09 15:58:10 UTC
I've just noticed a typo I made.  "Stateless firewall" should read
"stateful firewall".  Stateless firewalls do not use connection
tracking and are not impacted by this.

Comment 2 Thomas Woerner 2004-08-23 12:14:40 UTC
Just set IPTABLES_MODULES_UNLOAD="no" in /etc/sysconfig/iptables-config.

Closing as "NOT A BUG".
