Bug 178526 - Can't set policy `FORWARD' on `ACCEPT' line 5: Bad built-in chain name
Can't set policy `FORWARD' on `ACCEPT' line 5: Bad built-in chain name
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
rawhide
i386 Linux
medium Severity high
: ---
: ---
Assigned To: Dave Jones
Brian Brock
:
: 178611 178917 178966 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-01-21 07:11 EST by John Ellson
Modified: 2015-01-04 17:24 EST (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-01-27 15:41:00 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
iptables (911 bytes, text/plain)
2006-01-21 07:11 EST, John Ellson
no flags Details

  None (edit)
Description John Ellson 2006-01-21 07:11:51 EST
Created attachment 123526 [details]
iptables
Comment 1 John Ellson 2006-01-21 07:11:51 EST
Description of problem:
Using a "vanilla" iptables from system-config-securitylevel, iptables fails with:
   Applying iptables firewall rules: iptables-restore v1.3.4: Can't set policy
`FORWARD' on `ACCEPT' line 5: Bad built-in chain name


Version-Release number of selected component (if applicable):
iptables-1.3.4-2.1

How reproducible:
100%

Steps to Reproduce:
1. service iptables restart
2.
3.
  
Actual results:
root@samadams:sysconfig# service iptables start
Applying iptables firewall rules: iptables-restore v1.3.4: Can't set policy
`FORWARD' on `ACCEPT' line 5: Bad built-in chain name

                                                           [FAILED]


Expected results:


Additional info:
Comment 2 bkyoung 2006-01-22 21:16:23 EST
Similar problem after updating today with:
yum update

to kernel 1865_FC5smp and gcc-4.1.0-0.16.

BEGIN LISTING
[root@flood i386]# iptables -L
iptc_init: valid_hooks=0x0000000e, num_entries=4, size=620
cache_add_entry: entering...0:0 new builtin chain: 0x8c24310 (rules=0x8c24360)
0:0 normal rule: 0x8c24380: iptc_first_chain: : returning `INPUT'
iptc_get_policy: called for chain INPUT
ERROR: 0 not a valid target)
Aborted
[root@flood i386]# gdb /sbin/iptables
GNU gdb Red Hat Linux (6.3.0.0-1.98rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db
library "/lib/libthread_db.so.1".

(gdb) set args -L
(gdb) b iptc_get_policy
Breakpoint 1 at 0x8052144: file libiptc/libiptc.c, line 1184.
(gdb) r
Starting program: /sbin/iptables -L
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0x621000
iptc_init: valid_hooks=0x0000000e, num_entries=4, size=620
cache_add_entry: entering...0:0 new builtin chain: 0x984c310 (rules=0x984c360)
0:0 normal rule: 0x984c380: iptc_first_chain: : returning `INPUT'

Breakpoint 1, iptc_get_policy (chain=0x984c318 "INPUT", counters=0xbf80c12c, 
    handle=0xbf80c344) at libiptc/libiptc.c:1184
1184		iptc_fn = TC_GET_POLICY;
(gdb) b 1199
Breakpoint 2 at 0x80521e1: file libiptc/libiptc.c, line 1199.
(gdb) c
Continuing.
iptc_get_policy: called for chain INPUT

Breakpoint 2, iptc_get_policy (chain=0x984c318 "INPUT", counters=0xbf80c12c, 
    handle=0xbf80c344) at libiptc/libiptc.c:1199
1199		return standard_target_map(c->verdict);
(gdb) s
standard_target_map (verdict=0) at libiptc/libiptc.c:1107
1107		switch (verdict) {
(gdb) n
1121				fprintf(stderr, "ERROR: %d not a valid target)\n",
(gdb) n
ERROR: 0 not a valid target)
1123				abort();
(gdb) quit
The program is running.  Exit anyway? (y or n) y
[root@flood i386]# exit

Process shell finished
END LISTING
Comment 3 Thomas Woerner 2006-01-24 06:46:02 EST
*** Bug 178611 has been marked as a duplicate of this bug. ***
Comment 4 Thomas Woerner 2006-01-24 06:51:37 EST
This is not an iptables problem. Rebuilding iptables does not help, but the
usage of an older kernel (e.g. 2.6.15-1.1826.2.5_FC5) did. 

The problem only occurs on i686 for me, x86_64 is working without any problems
even with the newest kernel. It seems that the netfilter interface changed on
i686 - there is a new kernel module x_filter which is in use by the ip_tables
module.

Assigning to kernel.
Comment 5 Steven Haigh 2006-01-25 09:15:42 EST
This is almost the same with kernel-2.6.15-1.1871_FC5 - except I get a slightly
different error message - although quite possibly the same error.

# service iptables start
Flushing firewall rules: iptables: Too many levels of symbolic links
iptables: Too many levels of symbolic links
                                                           [FAILED]
Setting chains to policy ACCEPT: filter iptables: Invalid argument
                                                           [FAILED]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules: iptables-restore v1.3.4: Can't set policy
`FORWARD' on `ACCEPT' line 21: Bad built-in chain name

                                                           [FAILED]
Comment 6 Thomas Woerner 2006-01-25 09:48:25 EST
*** Bug 178917 has been marked as a duplicate of this bug. ***
Comment 7 dex 2006-01-25 21:03:39 EST
(In reply to comment #6)
more info:

similar problem here at startup Im getting:
Fatal error: your kernel does not support iptables Firewall not started.
but /sbin/lsmod shows all mods loaded !

Module                  Size  Used by
iptable_mangle          2881  0
ipt_LOG                 6081  0
ipt_MASQUERADE          3777  0
ip_nat                 16621  1 ipt_MASQUERADE
ipt_TOS                 2497  0
ipt_REJECT              5441  0
ip_conntrack_irc        6833  0
ip_conntrack_ftp        7601  0
xt_state                2241  0
ip_conntrack           49261  5
ipt_MASQUERADE,ip_nat,ip_conntrack_irc,ip_conntrack_ftp,xt_state
nfnetlink               6489  2 ip_nat,ip_conntrack
iptable_filter          3137  0
ip_tables              11529  2 iptable_mangle,iptable_filter
x_tables               12613  6
ipt_LOG,ipt_MASQUERADE,ipt_TOS,ipt_REJECT,xt_state,ip_tables
Comment 8 Jim Cornette 2006-01-25 22:36:41 EST
iptables failed. The error was: Applying iptables firewall rules:
iptables-restore v1.3.4: Can't set policy `FORWARD' on `ACCEPT' line 5: Bad
built-in chain name

[FAILED]

Table: filter
ERROR: 0 not a valid target)
/etc/init.d/iptables: line 274: 24966 Aborted                 $IPTABLES -t
$table --list $NUM $VERBOSE $COUNT

Stopping from the root terminal results in:
 service iptables stop
Flushing firewall rules: iptables: Too many levels of symbolic links
iptables: Too many levels of symbolic links
                                                           [FAILED]
Setting chains to policy ACCEPT: filter iptables: Invalid argument
                                                           [FAILED]
Unloading iptables modules:                                [  OK  ]


Starting at the terminal results in this output.
 service iptables start
Applying iptables firewall rules: iptables-restore v1.3.4: Can't set policy
`FORWARD' on `ACCEPT' line 5: Bad built-in chain name

 lsmod |grep ip
iptable_filter          3137  0
ip_tables              11529  1 iptable_filter
x_tables               12613  1 ip_tables
ipv6                  226849  8

when firewall stopped:
 lsmod |grep ip
ipv6                  226849  8

The service was disabled to my surprise. I am searching for why ipv6 is busy
with or without the firewall and with or without the network started.
Comment 9 Thomas Woerner 2006-01-26 07:56:47 EST
*** Bug 178966 has been marked as a duplicate of this bug. ***
Comment 10 bkyoung 2006-01-27 11:38:33 EST
Todays yum update:

#iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

This package combination works for me.
kernel-smp-2.6.15-1.1878_FC5
glibc-2.3.90-30
gcc-4.1.0-0.16
iptables-1.3.4-3
Comment 11 Jim Cornette 2006-01-27 23:30:00 EST
Running kernel-2.6.15-1.1878_FC5 allows the firewall to start normally now on my
laptop. The status shows intended rules that I setup.

Note You need to log in before you can comment on or make changes to this bug.