Description of problem:
The 2.6.16.x kernel changes Netfilter modules: there are now things like x_tables instead of ip_tables. The iptables init script does not properly unload these new modules.

Version-Release number of selected component (if applicable):
iptables-1.3.5-1.2
kernel-2.6.16-2.2080_FC5

How reproducible:
Completely. , then /etc/init.d/iptables stop. Do an lsmod. Confirm that x_tables (and any modules that only it depended on) are still loaded.

Steps to Reproduce:
1. Boot without a firewall. Run lsmod. Note that x_tables is not present.
2. Generate a simple firewall ruleset. I just use the firewall tool to generate something very simple, but complexity doesn't matter.
3. Run /etc/init.d/iptables start
4. Do an lsmod. Confirm that x_tables is loaded.
5. Run /etc/init.d/iptables stop
6. Do an lsmod. Confirm that x_tables (and any modules that only it depended on) are still loaded.

Actual results:
x_tables is still loaded

Expected results:
x_tables should be unloaded

Additional info:
I have an FC5 x86_64 Acer laptop with a Broadcom wireless card. To enable wireless I am using the acer_acpi module. If I load acer_acpi and enable wireless, then when I try to stop iptables I see that the init.d script freezes on modprobe -r xt_state. It consumes almost all CPU resources and can't be killed.
Please verify this with the latest kernel and iptables packages for FC-5.
Verified. I have a simple firewall (generated by the Red Hat tool):

    # Firewall configuration written by system-config-securitylevel
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT

If I make sure x_tables isn't running, then I run /etc/init.d/iptables start then /etc/init.d/iptables stop, this is what's left:

    ipt_REJECT             39233  0
    xt_tcpudp              36929  0
    x_tables               54217  2 ipt_REJECT,xt_tcpudp

I can manually rmmod all three of them, but the iptables init script is not doing it properly.
Forgot:

    [kwhite@hornet2 log]$ uname -a
    Linux hornet2.kevbo.org 2.6.17-1.2187_FC5 #1 SMP Mon Sep 11 01:16:59 EDT 2006 x86_64 x86_64 x86_64 GNU/Linux
    [kwhite@hornet2 log]$ rpm -q kernel
    kernel-2.6.17-1.2187_FC5
    [kwhite@hornet2 log]$ rpm -q iptables
    iptables-1.3.5-1.2
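As an added example that is not part of the bug report or of the Fedora init script: the leftover lsmod output above, fed through a small sh/awk helper that derives an unload order in which every module is listed only after all modules that use it, and that flags any module whose reference count is held by something outside the listed modules (the case where "modprobe -r" cannot succeed, as with the xt_state report earlier in this bug). The set of module-name prefixes treated as netfilter modules is an assumption.

```shell
#!/bin/sh
# Added example (not from the bug report): given lsmod output, print the
# netfilter modules in a safe "modprobe -r" order and flag stragglers.
# The prefix list below is an assumption about which names are netfilter modules.

# Constructed input, copied from what was left after "iptables stop".
LEFTOVER_LSMOD='Module                  Size  Used by
ipt_REJECT             39233  0
xt_tcpudp              36929  0
x_tables               54217  2 ipt_REJECT,xt_tcpudp'

# Reads lsmod output on stdin. Prints one module per line, each after every
# module that references it. Exits 1 and reports on stderr if some module's
# refcount can never reach zero using only the modules listed here.
netfilter_unload_order() {
    awk '
    NR == 1 && $1 == "Module" { next }                  # lsmod header line
    $1 ~ /^(x_tables|xt_|ip_tables|iptable_|ipt_|ip_conntrack|nf_)/ {
        order[++total] = $1                             # keep input order
        pending[$1] = $3 + 0                            # refcount from the kernel
        n = ($4 == "") ? 0 : split($4, d, ",")
        for (i = 1; i <= n; i++) uses[d[i], $1] = 1     # d[i] holds a ref on $1
    }
    END {
        done = 0
        while (done < total) {
            progressed = 0
            for (k = 1; k <= total; k++) {
                m = order[k]
                if (m in emitted || pending[m] != 0) continue
                print m; emitted[m] = 1; done++; progressed = 1
                # removing m releases one reference on each module it uses
                for (j = 1; j <= total; j++)
                    if ((m, order[j]) in uses) pending[order[j]]--
            }
            if (!progressed) {
                for (k = 1; k <= total; k++)
                    if (!(order[k] in emitted))
                        printf "busy: %s (refcount %d)\n", order[k], pending[order[k]] > "/dev/stderr"
                exit 1
            }
        }
    }'
}

# On a real host this would be: lsmod | netfilter_unload_order | xargs -r -n1 modprobe -r
printf '%s\n' "$LEFTOVER_LSMOD" | netfilter_unload_order
```

For the sample above the helper prints ipt_REJECT, xt_tcpudp and then x_tables, matching the order in which the three can be removed by hand.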
This has been fixed in iptables-1.3.8-2 in rawhide and for testing packages in FC-6 and F-7. I am sorry, but FC-5 is EOL. Closing as "WONTFIX"