Bug 191331 - netfilter and iptables module missmatch
Summary: netfilter and iptables module missmatch
Alias: None
Product: Fedora
Classification: Fedora
Component: iptables (Show other bugs)
(Show other bugs)
Version: 5
Hardware: i386 Linux
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2006-05-10 21:11 UTC by DaveG
Modified: 2007-11-30 22:11 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-08-29 12:30:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
iptables module status (18.02 KB, text/html)
2006-10-21 12:06 UTC, DaveG
no flags Details
Suggested patch for iptables (1.84 KB, patch)
2007-07-22 15:44 UTC, DaveG
no flags Details | Diff
Identify 'missing' iptables modules. (1.38 KB, text/plain)
2007-07-22 15:46 UTC, DaveG
no flags Details
Identify 'missing' kernel modules. (797 bytes, text/plain)
2007-07-22 15:47 UTC, DaveG
no flags Details

Description DaveG 2006-05-10 21:11:39 UTC
Description of problem:
FC5 kernel (netfilter) and iptables packages include a different set of modules.

Version-Release number of selected component (if applicable):

How reproducible:
ls /lib/modules/`uname -r`/kernel/net{,/ipv4}/netfilter
ls /lib/iptables

Steps to Reproduce:
Try any of the missmatched modules or a complex, generated firewall script e.g.:
iptables -A INPUT -m unclean -j LOG
iptables -A INPUT -m string ...
Actual results:
Either iptables syntax errors or library/module errors e.g.
iptables: Unknown error 4294967295

Expected results:
iptables modules should match the kernel modules.

Additional info:
Run patch-o-matic-ng on kernel and iptables packages?
May have security implications for some firewall configurations (iptables-
reload may fail on boot, especially after upgrade).
May relate to a number of other iptables bug reports.

Comment 1 DaveG 2006-05-25 17:21:49 UTC
Further investigation:
* iptables modules but no kernel IPv4 module: connlimit, rpc, unclean, MIRROR, 
* Kernel IPv4 modules but no iptables module: connbytes, dccp, string and 
Some missing iptables modules are due to missing header files 
e.g. /usr/include/linux/netfilter_ipv4/ipt_string.h at iptable build time as 
they are not part of glibc-kernheaders.

Comment 2 Dave Jones 2006-10-16 18:29:33 UTC
A new kernel update has been released (Version: 2.6.18-1.2200.fc5)
based upon a new upstream kernel release.

Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.

This bug has been placed in NEEDINFO state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.

Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.

In the last few updates, some users upgrading from FC4->FC5
have reported that installing a kernel update has left their
systems unbootable. If you have been affected by this problem
please check you only have one version of device-mapper & lvm2
installed.  See bug 207474 for further details.

If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.

If this bug has been fixed, but you are now experiencing a different
problem, please file a separate bug for the new problem.

Thank you.

Comment 3 DaveG 2006-10-17 16:40:10 UTC
I have check the kernel-2.6.18-1.2200.fc5 and iptables-1.3.5-1.2 sources and 
module libraries and the problem remains.

The following have kernel modules but no iptables modules:
    CLUSTERIP, conbytes, dccp, quota and string.
This appears to be due to the definition of "KERNEL_DIR=/usr" in the iptables 
spec file. This path is used to test for the presence of patches in the kernel 
source tree and "/usr" is providing false information.

The following have iptables modules by no kernel modules:
    connlimit, MIRROR, rpc, TARPIT, TRACE and unclean.
To include these would require a decision as to their use within FC5. Kernel 
patches would need to be made to include them or patches made to the iptables 
package to exclude them.

Reassign/move/copy/split bug to iptables?

Comment 4 Matti R 2006-10-18 05:56:38 UTC
I have same kernel and iptables version as DaveG has.

Additional information:
- statistics kernel module exists, but not iptables module

(and there are missing lots of extensions mentioned on man pages: time, nth,
random, fuzzy, account...)

Iptables 1.3.5 should be rebuild to match kernel modules. How about iptables 1.3.6?

Comment 5 Dave Jones 2006-10-20 19:39:07 UTC
userspace should not be referencing any modules that need kernel patches.  We
have enough bugs with the stuff that's already in-tree, adding out-of-tree
patches is a quick way to drive me completely insane.

Comment 6 DaveG 2006-10-21 12:06:26 UTC
Created attachment 139054 [details]
iptables module status

Table of iptables extension modules and current status.

Comment 8 DaveG 2007-07-22 15:40:20 UTC
In an attempt to move things forward...

1 iptables does not build the way it should. This is due to the KERNEL_DIR used
  in the iptables.spec file being set to "/usr" rather than to a valid kernel
  source tree. Test scripts are used to detect the availability of kernel
  facilities and arrive at the wrong conclusion.
2 Some of the kernel netfilter modules assumed by iptables are not in the
  Fedora kernel package.

1 Decide on the set of required IPv4/IPv6 modules and facilities for each
2 Update the kernel and/or iptables builds to include only the required module

The optional iptables features provided by patch-o-matic may include patches to
kernel source, this will require further review and inclusion in the kernel
patch set if required.
I don't use IPv6, so this will need further checking.

1 Make kernel source a build requirement and set KERNEL_DIR in iptables.spec
  to use the source.
  Is there any RPM mechanism to require a SOURCE package?
  The close relationship between iptables and the kernel will remain a problem
  if packages are to remain independent.
2 Make kernel-devel a build requirement and set KERNEL_DIR in iptables.spec
  to use the kernel module tree (/lib/modules/<kver>/build?).
  Will still require some modifications to iptables test files to always check
  for header files rather than C source files (extensions/.*{-test,-test6}).
  Each change would need to be verified to ensure that the test was valid and, 
  ideally, propagated upstream.
3 Modify all test scripts to look directly for a kernel module rather than
  header or source files.
4 Bypass the iptables optional test/build mechanism (extensions/Makefile) by
  setting the module list variables statically to match the kernel source.

* The range of modules and facilities are a matter for Fedora policy makers.
* iptables may require closer coupling to the kernel package to ensure that
  feature sets remain in step. But, since modules have been out-of-step since
  FC5 (or before), close coupling may not be an serious issue.
* Initial changes should be limited to bringing iptables in-line with the
  current kernel. i.e. within iptables:
    add: CLUSTERIP quota statistic
    remove: connlimit MIRROR rpc TARPIT TRACE unclean
* The simples solution would appear to be to hard-code the modules set in the
  iptables extensions/Makefile.

Also added three attachments: A sample iptables patch and two scripts to 
highlight modules differences between iptables and kernel.

Comment 9 DaveG 2007-07-22 15:44:22 UTC
Created attachment 159745 [details]
Suggested patch for iptables

Change default modules sets to match kernel and hard code the list of optional

Comment 10 DaveG 2007-07-22 15:46:29 UTC
Created attachment 159746 [details]
Identify 'missing' iptables modules.

Comment 11 DaveG 2007-07-22 15:47:12 UTC
Created attachment 159747 [details]
Identify 'missing' kernel modules.

Comment 12 Thomas Woerner 2007-08-29 12:30:18 UTC
This has been fixed in iptables-1.3.8-2 in rawhide and for testing packages in
FC-6 and F-7.

I am sorry, but FC-5 is EOL.

Closing as "WONTFIX"

Note You need to log in before you can comment on or make changes to this bug.