From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1

Description of problem:
If the /etc/sysconfig/iptables file is edited, and then reloaded using "iptables restart", connection tracking information is lost. This is because the ip_conntrack module is unloaded during restart. If the connection tracking match is used to build a stateless firewall, this might cause packets from previously established connections to be dropped.

For example, take these two simplified rules for an HTTP server:

-A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

When "iptables restart" is run, packets from connections established before iptables was restarted will start to get dropped until there is another packet from client to server (that would match the NEW state). This will affect more seriously connections where traffic is mostly unidirectional, and the direction of traffic matches the second line, which has only an "ESTABLISHED" match.

A possible solution for this would be to implement a "reload" command in the iptables script that would ignore the value of IPTABLES_MODULES_UNLOAD from /etc/sysconfig/iptables-config (or alternatively, there could be a new variable, IPTABLES_MODULES_UNLOAD_ON_RELOAD or such). Something along the lines of:

reload() {
    IPTABLES_MODULES_UNLOAD="no"
    stop
    start
}

Version-Release number of selected component (if applicable):
iptables-1.2.9-2.3.1

How reproducible:
Always

Steps to Reproduce:
1. Make sure IPTABLES_MODULES_UNLOAD is set to "yes" (default)
2. Restart firewall
3. Watch packets from previously established connections dropped

Additional info:
I've just noticed a typo I made. "Stateless firewall" should read "stateful firewall". Stateless firewalls do not use connection tracking and are not impacted by this.
Just set IPTABLES_MODULES_UNLOAD="no" in /etc/sysconfig/iptables-config. Closing as "NOT A BUG".
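As an added example (not code from the bug report or from the Red Hat iptables init script), the POSIX shell script below does two things a practitioner would want here. First, it scans an iptables-save ruleset for rules whose state match lacks NEW: those are exactly the rules that start dropping traffic once ip_conntrack is unloaded (or the table is otherwise flushed), because a packet from a connection the tracker has forgotten can only be accepted by a rule that admits NEW. Second, it reloads a ruleset with iptables-restore, which replaces the rules in place without unloading any module, as an alternative to setting IPTABLES_MODULES_UNLOAD="no" and restarting. It goes beyond the report's two rules by also recognising `-m conntrack --ctstate` and by adding a DNS pair with the same shape. The sample ruleset is constructed for the example; the /proc counter paths and the optional second argument of reload_rules (a substitute command for dry runs) are assumptions.

```shell
#!/bin/sh
# Added example; not code from the bug report or from the Red Hat iptables
# init script. Assumes a ruleset in iptables-save format and, for a real
# reload, root plus iptables-restore on PATH.

# Constructed sample ruleset, modelled on the two rules quoted in the
# report plus a DNS pair with the same shape in the other direction.
RULESET_FILE="${RULESET_FILE:-${TMPDIR:-/tmp}/iptables-conntrack-check.rules}"
cat > "$RULESET_FILE" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF

# Print every rule whose state match (-m state --state or
# -m conntrack --ctstate) does not include NEW. After ip_conntrack is
# unloaded, or the table is flushed, packets of existing connections
# match no entry; in a direction covered only by such a rule they are
# dropped until the peer sends a packet that creates a fresh NEW entry.
established_only_rules() {
    awk '
        /^-A / {
            states = ""
            for (i = 1; i <= NF; i++)
                if ($i == "--state" || $i == "--ctstate") states = $(i + 1)
            if (states != "" && index("," states ",", ",NEW,") == 0) print
        }' "$1"
}

# Number of such rules, for a quick pass/fail in scripts.
count_established_only() {
    established_only_rules "$1" | wc -l | tr -d ' '
}

# Entry count of the kernel connection table; "?" when unavailable.
# Assumption: newer nf_conntrack and older ip_conntrack expose the
# counter at these two /proc paths.
conntrack_count() {
    cat /proc/sys/net/netfilter/nf_conntrack_count 2>/dev/null \
        || cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count 2>/dev/null \
        || echo '?'
}

# Apply a ruleset in place with iptables-restore instead of the init
# script's stop/start. iptables-restore replaces the tables atomically and
# never unloads ip_conntrack, so the connection table survives the reload.
# $1: ruleset file; $2 (optional, an assumption for dry runs): a command to
# run instead of iptables-restore. The conntrack entry count is read before
# and after so the operator can confirm nothing was lost.
reload_rules() {
    restore="${2:-iptables-restore}"
    before=$(conntrack_count)
    "$restore" < "$1" || return 1
    after=$(conntrack_count)
    echo "reloaded $1: conntrack entries before=$before after=$after"
}

echo "Rules that cannot pass a forgotten connection's packets:"
established_only_rules "$RULESET_FILE"
```

Run it as root with `reload_rules /etc/sysconfig/iptables` to swap rulesets without dropping the connection table; the "before"/"after" counts should match. Rules the scanner lists are not wrong, they are the normal shape of a stateful policy, but they are the ones whose traffic is interrupted by any conntrack flush, so a reload that preserves the table matters most where such a rule covers the busy direction.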