Description of problem:

1) Set or leave it as default IPTABLES_MODULES_UNLOAD="yes" in /etc/sysconfig/iptables.

I think /usr/libexec/iptables/iptables.init has a bug. It still has the older version check method, but on RHEL7 and Fedora I think we can assume we're using newer modutils safely.

[root@localhost ~]# rpm -q iptables-services
iptables-services-1.4.21-16.fc24.x86_64

[root@localhost ~]# head -14 /etc/sysconfig/iptables-config
# Load additional iptables modules (nat helpers)
# Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES=""

# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

2) Start iptables

[root@localhost ~]# systemctl start iptables
[root@localhost ~]# lsmod |grep '^nf_conntrack '
nf_conntrack          106496  2 xt_conntrack,nf_conntrack_ipv4

3) Stop iptables and nf_conntrack is still loaded.

[root@localhost ~]# systemctl stop iptables
[root@localhost ~]# lsmod |grep '^nf_conntrack '
nf_conntrack          106496  2 xt_conntrack,nf_conntrack_ipv4

The following patch will fix the issue.

[root@localhost ~]# diff -u /usr/libexec/iptables/iptables.init-2016-04-05 /usr/libexec/iptables/iptables.init
--- /usr/libexec/iptables/iptables.init-2016-04-05 2016-04-05 23:02:40.274944559 +0900
+++ /usr/libexec/iptables/iptables.init 2016-04-05 23:03:38.687006594 +0900
@@ -36,7 +36,7 @@
 fi
 
 # Old or new modutils
-/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
+/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \
     && NEW_MODUTILS=1 \
     || NEW_MODUTILS=0

[root@localhost ~]# systemctl start iptables
[root@localhost ~]# lsmod |grep '^nf_conntrack '
nf_conntrack          106496  2 xt_conntrack,nf_conntrack_ipv4
[root@localhost ~]# systemctl stop iptables
[root@localhost ~]# lsmod |grep '^nf_conntrack '

Version-Release number of selected component (if applicable):
iptables-services-1.4.21-16.fc24.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Set or leave it as default IPTABLES_MODULES_UNLOAD="yes" in /etc/sysconfig/iptables.
2. Start iptables
3. Stop iptables and nf_conntrack is still loaded.

Actual results:

Expected results:

Additional info:

- /usr/libexec/iptables/iptables.init
~~~
 44 # Old or new modutils
 45 /sbin/modprobe --version 2>&1 | grep -q module-init-tools \    <===== This will fail!
 46     && NEW_MODUTILS=1 \
 47     || NEW_MODUTILS=0
<...>
 71 rmmod_r() {
 72     # Unload module with all referring modules.
 73     # At first all referring modules will be unloaded, then the module itself.
 74     local mod=$1
 75     local ret=0
 76     local ref=
 77 
 78     # Get referring modules.
 79     # New modutils have another output format.
 80     [ $NEW_MODUTILS = 1 ] \
 81         && ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \    <========= This'll also fail!
 82         || ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
 83 
 84     # recursive call for all referring modules
 85     for i in $ref; do    <=========== This has no modules
 86         rmmod_r $i    <=========== Finally this'll fail.
 87         let ret+=$?;
 88     done
<...>
256 stop() {
257     # Do not stop if iptables module is not loaded.
258     [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
259 
260     # Set default chain policy to ACCEPT, in order to not break shutdown
261     # on systems where the default policy is DROP and root device is
262     # network-based (i.e.: iSCSI, NFS)
263     set_policy ACCEPT
264     # And then, flush the rules and delete chains
265     flush_n_delete
266 
267     if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
268         echo -n $"${IPTABLES}: Unloading modules: "
269         ret=0
270         for mod in ${NF_MODULES[*]}; do
271             rmmod_r $mod
272             let ret+=$?;
273         done
274         # try to unload remaining netfilter modules used by ipv4 and ipv6
275         # netfilter
276         for mod in ${NF_MODULES_COMMON[*]}; do
277             rmmod_r $mod >/dev/null
278         done
~~~

RHEL6 has the 'module-init-tools' string.

RHEL6.7:
~~~
[root@el67 ~]# modprobe --version
module-init-tools version 3.9
~~~

RHEL7 and newer don't have it, so it won't be detected as NEW_MODUTILS; because of that, $ref is empty, the dependencies of nf_conntrack are not resolved, and nf_conntrack remains loaded.

RHEL7.2:
~~~
[root@localhost ~]# /sbin/modprobe --version
kmod version 20
~~~

Fedora23:
~~~
[root@f23] modprobe --version
kmod version 22 +XZ +ZLIB -EXPERIMENTAL
~~~
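Review bot: the replacement pattern in this hunk trades one flavour for the other instead of recognising both: `grep -q 'kmod version'` sets NEW_MODUTILS=1 on RHEL7/Fedora, but the report's own RHEL6.7 output (`module-init-tools version 3.9`) no longer matches, so that platform would now fall to NEW_MODUTILS=0 and the bracket-based lsmod parsing on line 82, the opposite of what the original line selected for it. Suggest matching both strings, e.g. `grep -qE 'module-init-tools|kmod version'`, or stating in the hunk that the script is now Fedora/RHEL7-only, as the description assumes.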
(In reply to Masaki Furuta from comment #0)
> 80     [ $NEW_MODUTILS = 1 ] \
> 81         && ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \    <========= This'll also fail!

I mean, it doesn't fail, but '&&' and the following lines are not executed.
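The two pieces that comment #0 and comment #1 turn on, the `modprobe --version` string check and the lsmod "Used by" walk inside rmmod_r, as an added shell example that is not the iptables.init script or the reporter's patch. The lsmod listing is constructed (sizes and counts are illustrative), the function names modutils_flavor, refs_of, unload_order and unload_plan are this example's own, and unloading is a dry run that prints the order instead of calling rmmod. One deliberate deviation: the awk match is on the exact module name rather than the script's `/^${mod}/` prefix, so nf_conntrack does not also match nf_conntrack_ipv4.

```shell
#!/bin/sh
# Added example, not code from iptables.init or from the report's patch.

# Classify the modutils flavour from the text of `modprobe --version`.
# Accepts both the RHEL6 string (module-init-tools) and the RHEL7/Fedora
# string (kmod), the two outputs shown in the report.
modutils_flavor() {
    case "$1" in
        *"kmod version"*)    echo new ;;
        *module-init-tools*) echo old ;;
        *)                   echo unknown ;;
    esac
}

# Constructed lsmod output (columns: Module, Size, Used by) modelled on the
# report's machine; sizes and counts are illustrative only.
LSMOD_SAMPLE='Module                  Size  Used by
xt_conntrack           16384  1
nf_conntrack_ipv4      16384  1
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
nf_conntrack          106496  2 xt_conntrack,nf_conntrack_ipv4
iptable_filter         16384  1
ip_tables              24576  1 iptable_filter'

# Modules that refer to $1, parsed the way rmmod_r does for each flavour:
# new modutils -> comma-separated 4th column; old -> bracketed list.
# Applying the "old" parser to kmod-format output yields nothing, which is
# exactly the empty $ref the report describes.
refs_of() {
    if [ "$2" = new ]; then
        printf '%s\n' "$LSMOD_SAMPLE" | awk -v m="$1" '$1 == m { print $4 }' | tr ',' ' '
    else
        printf '%s\n' "$LSMOD_SAMPLE" | grep "^$1 " | cut -d '[' -s -f 2 | cut -d ']' -s -f 1
    fi
}

# Dry run of rmmod_r's dependency walk: print referrers first (recursively),
# then the module itself, instead of calling rmmod. $1 = module, $2 = flavour.
# Positional parameters are per call, so the recursion needs no `local`.
unload_order() {
    for r in $(refs_of "$1" "$2"); do
        unload_order "$r" "$2"
    done
    printf '%s\n' "$1"
}

# Same walk as a single space-separated line, convenient for checking.
unload_plan() {
    unload_order "$1" "$2" | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone demonstration on the constructed listing.
echo "detected: $(modutils_flavor 'kmod version 20')"
echo "unload order (new parser): $(unload_plan nf_conntrack new)"
echo "unload order (old parser): $(unload_plan nf_conntrack old)"
```

With the kmod-style parser, `unload_plan nf_conntrack new` yields `xt_conntrack nf_conntrack_ipv4 nf_conntrack`, the order in which rmmod has to run for nf_conntrack to leave. With the bracket parser selected (what happens on RHEL7/Fedora when the version check misses), the referrer list is empty, the plan is just `nf_conntrack`, and a real rmmod would refuse it as in use, which is the symptom in the report. The flavour check accepts both version strings, the behaviour a one-string swap loses on module-init-tools hosts.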
Fixed in rawhide in package iptables-1.6.0-1.fc25