Created attachment 123526 [details] iptables
Description of problem:
Using a "vanilla" iptables from system-config-securitylevel, iptables fails with:

Applying iptables firewall rules: iptables-restore v1.3.4: Can't set policy `FORWARD' on `ACCEPT' line 5: Bad built-in chain name

Version-Release number of selected component (if applicable):
iptables-1.3.4-2.1

How reproducible:
100%

Steps to Reproduce:
1. service iptables restart
2.
3.

Actual results:
root@samadams:sysconfig# service iptables start
Applying iptables firewall rules: iptables-restore v1.3.4: Can't set policy `FORWARD' on `ACCEPT' line 5: Bad built-in chain name
[FAILED]

Expected results:

Additional info:
Similar problem after updating today with: yum update to kernel 1865_FC5smp and gcc-4.1.0-0.16.

BEGIN LISTING
[root@flood i386]# iptables -L
iptc_init: valid_hooks=0x0000000e, num_entries=4, size=620
cache_add_entry: entering...0:0 new builtin chain: 0x8c24310 (rules=0x8c24360)
0:0 normal rule: 0x8c24380:
iptc_first_chain: : returning `INPUT'
iptc_get_policy: called for chain INPUT
ERROR: 0 not a valid target)
Aborted
[root@flood i386]# gdb /sbin/iptables
GNU gdb Red Hat Linux (6.3.0.0-1.98rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) set args -L
(gdb) b iptc_get_policy
Breakpoint 1 at 0x8052144: file libiptc/libiptc.c, line 1184.
(gdb) r
Starting program: /sbin/iptables -L
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0x621000
iptc_init: valid_hooks=0x0000000e, num_entries=4, size=620
cache_add_entry: entering...0:0 new builtin chain: 0x984c310 (rules=0x984c360)
0:0 normal rule: 0x984c380:
iptc_first_chain: : returning `INPUT'

Breakpoint 1, iptc_get_policy (chain=0x984c318 "INPUT", counters=0xbf80c12c, handle=0xbf80c344) at libiptc/libiptc.c:1184
1184 iptc_fn = TC_GET_POLICY;
(gdb) b 1199
Breakpoint 2 at 0x80521e1: file libiptc/libiptc.c, line 1199.
(gdb) c
Continuing.
iptc_get_policy: called for chain INPUT

Breakpoint 2, iptc_get_policy (chain=0x984c318 "INPUT", counters=0xbf80c12c, handle=0xbf80c344) at libiptc/libiptc.c:1199
1199 return standard_target_map(c->verdict);
(gdb) s
standard_target_map (verdict=0) at libiptc/libiptc.c:1107
1107 switch (verdict) {
(gdb) n
1121 fprintf(stderr, "ERROR: %d not a valid target)\n",
(gdb) n
ERROR: 0 not a valid target)
1123 abort();
(gdb) quit
The program is running. Exit anyway? (y or n) y
[root@flood i386]# exit

Process shell finished
END LISTING
*** Bug 178611 has been marked as a duplicate of this bug. ***
This is not an iptables problem. Rebuilding iptables does not help, but the usage of an older kernel (e.g. 2.6.15-1.1826.2.5_FC5) did. The problem only occurs on i686 for me, x86_64 is working without any problems even with the newest kernel. It seems that the netfilter interface changed on i686 - there is a new kernel module x_filter which is in use by the ip_tables module. Assigning to kernel.
This is almost the same with kernel-2.6.15-1.1871_FC5 - except I get a slightly different error message - although quite possibly the same error.

# service iptables start
Flushing firewall rules: iptables: Too many levels of symbolic links
iptables: Too many levels of symbolic links
[FAILED]
Setting chains to policy ACCEPT: filter iptables: Invalid argument
[FAILED]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore v1.3.4: Can't set policy `FORWARD' on `ACCEPT' line 21: Bad built-in chain name
[FAILED]
*** Bug 178917 has been marked as a duplicate of this bug. ***
(In reply to comment #6)
More info: similar problem here. At startup I'm getting:

Fatal error: your kernel does not support iptables
Firewall not started.

but /sbin/lsmod shows all mods loaded!

Module                  Size  Used by
iptable_mangle          2881  0
ipt_LOG                 6081  0
ipt_MASQUERADE          3777  0
ip_nat                 16621  1 ipt_MASQUERADE
ipt_TOS                 2497  0
ipt_REJECT              5441  0
ip_conntrack_irc        6833  0
ip_conntrack_ftp        7601  0
xt_state                2241  0
ip_conntrack           49261  5 ipt_MASQUERADE,ip_nat,ip_conntrack_irc,ip_conntrack_ftp,xt_state
nfnetlink               6489  2 ip_nat,ip_conntrack
iptable_filter          3137  0
ip_tables              11529  2 iptable_mangle,iptable_filter
x_tables               12613  6 ipt_LOG,ipt_MASQUERADE,ipt_TOS,ipt_REJECT,xt_state,ip_tables
iptables failed. The error was:

Applying iptables firewall rules: iptables-restore v1.3.4: Can't set policy `FORWARD' on `ACCEPT' line 5: Bad built-in chain name
[FAILED]
Table: filter
ERROR: 0 not a valid target)
/etc/init.d/iptables: line 274: 24966 Aborted $IPTABLES -t $table --list $NUM $VERBOSE $COUNT

Stopping from the root terminal results in:

service iptables stop
Flushing firewall rules: iptables: Too many levels of symbolic links
iptables: Too many levels of symbolic links
[FAILED]
Setting chains to policy ACCEPT: filter iptables: Invalid argument
[FAILED]
Unloading iptables modules: [ OK ]

Starting at the terminal results in this output.

service iptables start
Applying iptables firewall rules: iptables-restore v1.3.4: Can't set policy `FORWARD' on `ACCEPT' line 5: Bad built-in chain name

lsmod |grep ip
iptable_filter          3137  0
ip_tables              11529  1 iptable_filter
x_tables               12613  1 ip_tables
ipv6                  226849  8

when firewall stopped:

lsmod |grep ip
ipv6                  226849  8

The service was disabled to my surprise. I am searching for why ipv6 is busy with or without the firewall and with or without the network started.
*** Bug 178966 has been marked as a duplicate of this bug. ***
Today's yum update:

#iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

This package combination works for me.
kernel-smp-2.6.15-1.1878_FC5
glibc-2.3.90-30
gcc-4.1.0-0.16
iptables-1.3.4-3
Running kernel-2.6.15-1.1878_FC5 allows the firewall to start normally now on my laptop. The status shows the intended rules that I set up.