Bug 190146 - iptables init script doesn't properly unload x_tables (and any other top-level x_ module)
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: iptables (Show other bugs)
Assigned To: Thomas Woerner
Ben Levenson
Reported: 2006-04-27 22:08 EDT by Kevin White
Modified: 2007-11-30 17:11 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-08-29 08:26:28 EDT

Attachments: None

Description Kevin White 2006-04-27 22:08:35 EDT
Description of problem:
The 2.6.16.x kernel changes Netfilter modules: there are now things like
x_tables instead of ip_tables.  The iptables init script does not properly
unload these new modules


Version-Release number of selected component (if applicable):
iptables-1.3.5-1.2
kernel-2.6.16-2.2080_FC5

How reproducible:
Completely.
, then /etc/init.d/iptables stop.  Do an lsmod.  Confirm that x_tables (and any
modules that only it depended on) are still loaded.

Steps to Reproduce:
1.  Boot without a firewall.  Run lsmod.  Note that x_tables is not present.
2.  Generate a simple firewall ruleset.  I just use the firewall tool to
generate something very simple, but complexity doesn't matter.
3.  Run /etc/init.d/iptables start
4.  Do an lsmod.  Confirm that x_tables is loaded.
5.  Run /etc/init.d/iptables stop
6.  Do an lsmod.  Confirm that x_tables (and any modules that only it depended
on) are still loaded.
  
Actual results:
x_tables is still loaded


Expected results:
x_tables should be unloaded

Additional info:
Comment 1 Larionov Andrew 2006-05-03 01:17:29 EDT
I have an FC5 x86_64 Acer laptop with a Broadcom wireless card. To enable wireless I
am using the acer_acpi module. If I load acer_acpi and enable wireless, then when I try
to stop iptables I see that the init.d script freezes on modprobe -r xt_state. It
consumes almost all CPU resources and can't be killed.
Comment 2 Thomas Woerner 2006-09-12 11:47:05 EDT
Please verify this with the latest kernel and iptables packages for FC-5.
Comment 3 Kevin White 2006-09-15 21:47:30 EDT
Verified.  I have a simple firewall (generated by the Red Hat tool):

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

If I make sure x_tables isn't running, then I run /etc/init.d/iptables start
then /etc/init.d/iptables stop, this is what's left:

ipt_REJECT             39233  0
xt_tcpudp              36929  0
x_tables               54217  2 ipt_REJECT,xt_tcpudp

I can manually rmmod all three of them, but the iptables init script is not
doing it properly.
Comment 4 Kevin White 2006-09-15 21:49:09 EDT
Forgot:

[kwhite@hornet2 log]$ uname -a
Linux hornet2.kevbo.org 2.6.17-1.2187_FC5 #1 SMP Mon Sep 11 01:16:59 EDT 2006
x86_64 x86_64 x86_64 GNU/Linux

[kwhite@hornet2 log]$ rpm -q kernel
kernel-2.6.17-1.2187_FC5

[kwhite@hornet2 log]$ rpm -q iptables
iptables-1.3.5-1.2

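The reproduction steps in the description and the leftover module list in Comment 3 both come down to the same check: after `/etc/init.d/iptables stop`, which netfilter modules are still loaded, and in what order can they be removed so that the leaf modules (ipt_REJECT, xt_tcpudp) go before the core x_tables they depend on? The script below is an added example, not part of the bug report or of the Fedora iptables init script. It parses lsmod-style output (the sample lines are constructed to mirror Comment 3, plus an unrelated filesystem module and one module held by something other than another module), lists the remaining netfilter modules, and computes a dependency-safe rmmod plan. The function names, the `NF_MODULE_RE` prefix list and the `held-by-kernel-or-ruleset` label are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the bug report or the Fedora iptables package.
# Given lsmod-style output, list the netfilter modules left behind after
# "/etc/init.d/iptables stop" and compute an rmmod order that removes leaf
# modules before the x_tables core they depend on.  The sample below is
# constructed: it mirrors the leftovers shown in Comment 3 and adds an
# unrelated module pair (ext3/jbd) and a module held by a non-module user.

SAMPLE_LSMOD='Module                  Size  Used by
ipt_REJECT             39233  0
xt_tcpudp              36929  0
x_tables               54217  2 ipt_REJECT,xt_tcpudp
nf_conntrack           60000  1
ext3                  123456  1
jbd                    54321  1 ext3'

# awk ERE for the module-name prefixes the netfilter stack uses (assumed list).
NF_MODULE_RE='^(x_tables|ip_tables|ip6_tables|ipt_|ip6t_|xt_|nf_|iptable_|ip6table_)'

# Print the names of netfilter modules still loaded, one per line.
# Argument: lsmod output including its header line.
leftover_nf_modules() {
    printf '%s\n' "$1" | awk -v re="$NF_MODULE_RE" 'NR > 1 && $1 ~ re { print $1 }'
}

# Print "rmmod <name>" lines in a safe removal order (a module is emitted only
# once nothing in the set still depends on it), followed by "keep <name> <why>"
# for modules that cannot be removed because something outside the module set
# holds them (refcount > 0 but no module listed, e.g. a ruleset still loaded).
unload_order() {
    printf '%s\n' "$1" | awk -v re="$NF_MODULE_RE" '
    # Remove one name from a comma-separated "Used by" list.
    function strip(list, item,    n, parts, i, out) {
        n = split(list, parts, ",")
        out = ""
        for (i = 1; i <= n; i++)
            if (parts[i] != "" && parts[i] != item)
                out = (out == "") ? parts[i] : out "," parts[i]
        return out
    }
    NR > 1 && $1 ~ re {
        mods[$1] = 1
        if ($4 != "")           users[$1] = $4
        else if ($3 + 0 > 0)    users[$1] = "held-by-kernel-or-ruleset"
        else                    users[$1] = ""
    }
    END {
        # Peel off modules with no remaining users until no progress is made.
        progress = 1
        while (progress) {
            progress = 0
            for (m in mods) {
                if (!(m in removed) && users[m] == "") {
                    print "rmmod " m
                    removed[m] = 1
                    progress = 1
                    for (n in mods) users[n] = strip(users[n], m)
                }
            }
        }
        for (m in mods)
            if (!(m in removed)) print "keep " m " " users[m]
    }'
}

# Stand-alone run: show what is left and how it would be removed.
echo "--- netfilter modules still loaded ---"
leftover_nf_modules "$SAMPLE_LSMOD"
echo "--- removal plan ---"
unload_order "$SAMPLE_LSMOD"
```

On a live system the same functions take `"$(lsmod)"` as their argument; a `keep` line for a module with no named users is the signal that a table or ruleset is still loaded and must be flushed and deleted before `modprobe -r` can succeed, which is exactly the state an init script's stop action should leave behind no trace of.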
Comment 6 Thomas Woerner 2007-08-29 08:26:28 EDT
This has been fixed in iptables-1.3.8-2 in rawhide and for testing packages in
FC-6 and F-7.

I am sorry, but FC-5 is EOL.

Closing as "WONTFIX"
