Bug 1324102 - nf_conntrack won't be unloaded even with IPTABLES_MODULES_UNLOAD="yes"
Summary: nf_conntrack won't be unloaded even with IPTABLES_MODULES_UNLOAD="yes"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: iptables
Version: 7.4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Thomas Woerner
QA Contact: Tomas Dolezal
URL:
Whiteboard:
Depends On: 1324101
Blocks:
Reported: 2016-04-05 14:06 UTC by Masaki Furuta ( RH )
Modified: 2019-10-10 11:47 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1324101
Environment:
Last Closed: 2016-11-04 07:51:25 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHBA-2016:2521 (priority normal, status SHIPPED_LIVE): iptables bug fix update, last updated 2016-11-03 14:15:35 UTC

Description Masaki Furuta ( RH ) 2016-04-05 14:06:27 UTC
+++ This bug was initially created as a clone of Bug #1324101 +++

Description of problem:

1) Set or leave it as default IPTABLES_MODULES_UNLOAD="yes" in /etc/sysconfig/iptables.

  I think /usr/libexec/iptables/iptables.init has a bug.
  It still has the older version check method, but on RHEL7 and Fedora I think we can safely assume we're using the newer modutils.
  
  [root@localhost ~]# rpm -q iptables-services
  iptables-services-1.4.21-16.fc24.x86_64

  [root@localhost ~]# head -14 /etc/sysconfig/iptables-config 
  # Load additional iptables modules (nat helpers)
  #   Default: -none-
  # Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
  # are loaded after the firewall rules are applied. Options for the helpers are
  # stored in /etc/modprobe.conf.
  IPTABLES_MODULES=""
  
  # Unload modules on restart and stop
  #   Value: yes|no,  default: yes
  # This option has to be 'yes' to get to a sane state for a firewall
  # restart or stop. Only set to 'no' if there are problems unloading netfilter
  # modules.
  IPTABLES_MODULES_UNLOAD="yes"

2) Start iptables
  
  [root@localhost ~]# systemctl start iptables
  [root@localhost ~]# lsmod |grep '^nf_conntrack '
  nf_conntrack          106496  2 xt_conntrack,nf_conntrack_ipv4

3) Stop iptables and nf_conntrack is still loaded.

  [root@localhost ~]# systemctl stop iptables
  [root@localhost ~]# lsmod |grep '^nf_conntrack '
  nf_conntrack          106496  2 xt_conntrack,nf_conntrack_ipv4



The following patch will fix the issue.


  [root@localhost ~]# diff -u /usr/libexec/iptables/iptables.init-2016-04-05 /usr/libexec/iptables/iptables.init
  --- /usr/libexec/iptables/iptables.init-2016-04-05	2016-04-05 23:02:40.274944559 +0900
  +++ /usr/libexec/iptables/iptables.init	2016-04-05 23:03:38.687006594 +0900
  @@ -36,7 +36,7 @@
   fi
 
   # Old or new modutils
  -/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
  +/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \
       && NEW_MODUTILS=1 \
       || NEW_MODUTILS=0
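Review bot: replacing the module-init-tools pattern with 'kmod version' inverts the detection instead of extending it. With this hunk, kmod hosts get NEW_MODUTILS=1 as intended, but a host whose modprobe reports `module-init-tools version 3.9` (the RHEL 6 banner quoted later in this report) now takes the NEW_MODUTILS=0 path, whose `cut -d "["` parser expects the bracketed lsmod layout and yields an empty $ref, which is the same symptom moved to the other platform. Since module-init-tools and kmod both print the comma-separated "Used by" column that the awk branch parses, match either banner: `/sbin/modprobe --version 2>&1 | grep -qE 'module-init-tools|kmod version'`. The "Old or new modutils" comment above the check should also say which tools count as new, since the original wording no longer explains the pattern.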

  [root@localhost ~]# systemctl start iptables
  [root@localhost ~]# lsmod |grep '^nf_conntrack '
  nf_conntrack          106496  2 xt_conntrack,nf_conntrack_ipv4

  [root@localhost ~]# systemctl stop iptables
  [root@localhost ~]# lsmod |grep '^nf_conntrack '





Version-Release number of selected component (if applicable):

  iptables-services-1.4.21-16.fc24.x86_64


How reproducible:

  Always


Steps to Reproduce:
1. Set or leave it as default IPTABLES_MODULES_UNLOAD="yes" in /etc/sysconfig/iptables.
2. Start iptables
3. Stop iptables and nf_conntrack is still loaded.

Actual results:


Expected results:


Additional info:

 
  
  - /usr/libexec/iptables/iptables.init
  ~~~
   44 # Old or new modutils
   45 /sbin/modprobe --version 2>&1 | grep -q module-init-tools \  <===== This will fail!
   46     && NEW_MODUTILS=1 \
   47     || NEW_MODUTILS=0
  <...>
   71 rmmod_r() {
   72     # Unload module with all referring modules.
   73     # At first all referring modules will be unloaded, then the module itself.
   74     local mod=$1
   75     local ret=0
   76     local ref=
   77 
   78     # Get referring modules.
   79     # New modutils have another output format.
   80     [ $NEW_MODUTILS = 1 ] \
   81         && ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \   <========= This'll also fail!
   82         || ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
   83 
   84     # recursive call for all referring modules
   85     for i in $ref; do <=========== This has no modules
   86         rmmod_r $i    <=========== Finally this'll fail.
   87         let ret+=$?;
   88     done
  <...>
  256 stop() {
  257     # Do not stop if iptables module is not loaded.
  258     [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
  259 
  260     # Set default chain policy to ACCEPT, in order to not break shutdown
  261     # on systems where the default policy is DROP and root device is
  262     # network-based (i.e.: iSCSI, NFS)
  263     set_policy ACCEPT
  264     # And then, flush the rules and delete chains
  265     flush_n_delete
  266 
  267     if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
  268         echo -n $"${IPTABLES}: Unloading modules: "
  269         ret=0
  270         for mod in ${NF_MODULES[*]}; do
  271             rmmod_r $mod
  272             let ret+=$?;
  273         done
  274         # try to unload remaining netfilter modules used by ipv4 and ipv6 
  275         # netfilter
  276         for mod in ${NF_MODULES_COMMON[*]}; do
  277             rmmod_r $mod >/dev/null
  278         done
  ~~~
  
  RHEL6 has 'module-init-tools' string.
  
  RHEL6.7:
  
  ~~~
  [root@el67 ~]# modprobe --version
  module-init-tools version 3.9
  ~~~
  
  RHEL7 and newer don't have that string, so they aren't detected as NEW_MODUTILS; because of that, $ref is empty, the dependencies of nf_conntrack are not resolved, and nf_conntrack remains loaded.
  
  RHEL7.2:
  
  ~~~
  [root@localhost ~]# /sbin/modprobe --version 
  kmod version 20
  ~~~
  
  Fedora23:
  
  ~~~
  [root@f23] modprobe --version
  kmod version 22
  +XZ +ZLIB -EXPERIMENTAL
  ~~~

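The following is an added example, not code from the bug report or from the iptables-services package. It reimplements, as a dry run, the two pieces of iptables.init the report walks through: the `modprobe --version` classification behind NEW_MODUTILS, and the `rmmod_r` recursion that walks the "Used by" column. It is driven by a constructed lsmod snapshot (sample data, not captured from a real host) so it runs offline and without root, and it prints the unload order instead of calling rmmod. The function names, the sample text, and the choice to treat both the module-init-tools and the kmod banner as "new" (both print the comma-separated "Used by" column the awk branch parses) are assumptions of this example, not the package's code.

```shell
#!/bin/sh
# Added example (not from the bug report or the iptables-services package):
# dry-run versions of iptables.init's modutils detection and rmmod_r recursion,
# driven by a constructed lsmod snapshot so it runs offline and without root.

# Constructed lsmod output (not captured from a real host) in the
# "Module Size Used by" layout that both module-init-tools and kmod print.
SAMPLE_LSMOD='Module                  Size  Used by
nf_conntrack_ipv4      16384  1
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
xt_conntrack           16384  1
nf_conntrack          106496  2 xt_conntrack,nf_conntrack_ipv4
iptable_filter         16384  0
ip_tables              28672  1 iptable_filter'

# NEW_MODUTILS decision from a "modprobe --version" banner.
# The stock script greps only for module-init-tools, so on kmod (RHEL 7,
# Fedora) it returns 0 and rmmod_r uses the bracket-format parser, which
# finds nothing. Accepting both banners is an assumption of this example:
# both tools print the comma-separated "Used by" column the awk branch expects.
detect_modutils() {
    case "$1" in
        *module-init-tools*|*'kmod version'*) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Referring modules of $1 taken from lsmod text $2, as a space-separated
# list. The name is matched as a whole field rather than with the script's
# /^${mod}/ prefix regex, so nf_conntrack does not also pick up the
# nf_conntrack_ipv4 line.
mod_refs() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { print $4 }' | tr ',' ' '
}

# Dry-run rmmod_r: print modules in the order rmmod would have to run,
# referrers first (depth-first), then the module itself. The module name
# lives in $1 and the referrer list is expanded before the loop starts, so
# the recursion needs no shell-local variables and stays POSIX sh.
rmmod_order() {
    for i in $(mod_refs "$1" "$LSMOD_TEXT"); do
        rmmod_order "$i"
    done
    echo "$1"
}

# Unload order for module $1 given lsmod text $2, joined onto one line.
unload_order_for() {
    LSMOD_TEXT=$2
    rmmod_order "$1" | tr '\n' ' ' | sed 's/ *$//'
}

# Stand-alone run: the two banners quoted in the report, and the nf_conntrack case.
printf 'module-init-tools 3.9 -> NEW_MODUTILS=%s\n' "$(detect_modutils 'module-init-tools version 3.9')"
printf 'kmod 20               -> NEW_MODUTILS=%s\n' "$(detect_modutils 'kmod version 20')"
printf 'unload order for nf_conntrack: %s\n' "$(unload_order_for nf_conntrack "$SAMPLE_LSMOD")"
```

With the sample snapshot, `unload_order_for nf_conntrack` yields xt_conntrack, then nf_conntrack_ipv4, then nf_conntrack, which is exactly the order the real `rmmod_r` needs and which the stock script never computes on a kmod host because its NEW_MODUTILS check picks the wrong parser.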
Comment 2 Masaki Furuta ( RH ) 2016-04-05 14:53:21 UTC
(In reply to Masaki Furuta from comment #0)
>    80     [ $NEW_MODUTILS = 1 ] \
>    81         && ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ')
> \   <========= This'll also fail!

I mean... it doesn't fail, but '&&' and what follows are not executed.

Comment 8 errata-xmlrpc 2016-11-04 07:51:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2521.html

