Bug 129344 - Connection tracking information lost when reloading firewall rules
Product: Fedora
Component: iptables
Hardware/OS: All Linux
Priority: medium, Severity: low
Assigned To: Thomas Woerner
Ben Levenson
Reported: 2004-08-06 14:41 EDT by Aleksandar Milivojevic
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-08-23 08:14:40 EDT
Description Aleksandar Milivojevic 2004-08-06 14:41:26 EDT

Description of problem:
If /etc/sysconfig/iptables file is edited, and then reloaded using
iptables restart, connection tracking information is lost.  This is
because ip_conntrack module is unloaded during restart.

If connection tracking match is used to build stateless firewall this
might cause packets from previously established connection to be
dropped.  For example, take these two simplified rules for HTTP server:

  -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
  -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

When iptables restart is run, packets from connections established
before iptables were restarted will start to get dropped until there
is another packet from client to server (that would match NEW state).
This will affect connections more seriously where traffic is mostly
unidirectional, and direction of traffic matches the second line that has
only "ESTABLISHED" match.

A possible solution for this would be to implement a "reload" command in
the iptables script that would ignore the value of IPTABLES_MODULES_UNLOAD
from /etc/sysconfig/iptables-config (or alternatively, there could be a
new variable IPTABLES_MODULES_UNLOAD_ON_RELOAD or such).  Something
along the lines of:

reload() {

Steps to Reproduce:
1. Make sure IPTABLES_MODULES_UNLOAD is set to "yes" (default)
2. Restart firewall
3. Watch packets from previously established connections being dropped

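The reload/restart distinction the reporter proposes, as an added shell sketch that is not part of the report or of the Fedora iptables init script: restart honours IPTABLES_MODULES_UNLOAD, while reload only re-applies the saved ruleset through iptables-restore and never unloads ip_conntrack, so the tracking table survives. IPTABLES_DATA, IPTABLES_RESTORE and RMMOD are assumed variable names, made overridable so the logic can be exercised without touching a live kernel.

```shell
#!/bin/sh
# Added sketch, not the Fedora init script. Assumed variable names, overridable
# so the decision logic can be exercised without a real kernel or ruleset.
IPTABLES_DATA=${IPTABLES_DATA:-/etc/sysconfig/iptables}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}
RMMOD=${RMMOD:-rmmod}
# Value from /etc/sysconfig/iptables-config; "yes" is the default the report names.
IPTABLES_MODULES_UNLOAD=${IPTABLES_MODULES_UNLOAD:-yes}

# Only "restart" may unload modules, and only when the sysconfig value says so.
unload_allowed() {
    case "$1" in
        reload) return 1 ;;
        *)      [ "$IPTABLES_MODULES_UNLOAD" = "yes" ] ;;
    esac
}

# Replace the whole ruleset in one pass; existing conntrack entries are untouched.
apply_rules() {
    [ -r "$IPTABLES_DATA" ] || { echo "cannot read $IPTABLES_DATA" >&2; return 1; }
    "$IPTABLES_RESTORE" < "$IPTABLES_DATA"
}

# Unloading ip_conntrack is what discards the tracking table (ip_nat depends on it,
# so it goes first).
unload_modules() {
    for m in ip_nat ip_conntrack; do
        "$RMMOD" "$m" 2>/dev/null || true
    done
}

# After-the-fact check: is a tracking table still present? (ip_conntrack on the
# 2.6 kernels of the era, nf_conntrack on later ones.)
conntrack_loaded() {
    grep -Eq '^(ip|nf)_conntrack ' /proc/modules 2>/dev/null ||
        [ -e /proc/net/ip_conntrack ] || [ -e /proc/net/nf_conntrack ]
}

do_action() {
    case "$1" in
        reload)  apply_rules ;;
        restart) if unload_allowed restart; then unload_modules; fi
                 apply_rules ;;
        *)       echo "usage: $0 {reload|restart}" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then do_action "$1"; fi
```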
Comment 1 Aleksandar Milivojevic 2004-08-09 11:58:10 EDT
I've just noticed a typo I made.  "Stateless firewall" should read
"stateful firewall".  Stateless firewalls do not use connection
tracking and are not impacted by this.
Comment 2 Thomas Woerner 2004-08-23 08:14:40 EDT
Just set IPTABLES_MODULES_UNLOAD="no" in /etc/sysconfig/iptables-config.

Closing as "NOT A BUG".
