Bug 199906 - iptable_nat, ip_conntrack drivers are loaded after sysreport run
iptable_nat, ip_conntrack drivers are loaded after sysreport run
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: sysreport (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Ngo Than
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2006-07-24 04:39 EDT by masanari iida
Modified: 2007-11-30 17:07 EST (History)
1 user (show)

See Also:
Fixed In Version: RHBA-2006-0723
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-11-16 14:58:00 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch to add --nofirewall switch to deny the probing of iptables rules. (2.89 KB, text/x-patch)
2006-10-12 20:08 EDT, Wade Mealing
no flags Details
final fix (3.24 KB, patch)
2006-10-20 10:15 EDT, Ngo Than
no flags Details | Diff

  None (edit)
Description masanari iida 2006-07-24 04:39:21 EDT
Description of problem:
Even though I didn't configure and load iptables drivers into kernel,
after run sysreport, the drivers are loaded.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Confirm no iptables drivers are loaded.
# lsmod |grep ip
dm_multipath           22345  0
ipv6                  240097  14
dm_mod                 58949  7 dm_multipath,dm_snapshot,dm_zero,dm_mirror

2. run sysreport

3. Find out iptables modules again.
# lsmod |grep ip

Actual results:
iptable_nat, ip_conntrack, iptable_filter, iptables  are loaded.
They were not loaded before sysreport run.

# lsmod |grep ip
iptable_nat            27229  0
ip_conntrack           45573  1 iptable_nat
iptable_filter          6721  0
ip_tables              21441  2 iptable_nat,iptable_filter
dm_multipath           22345  0
ipv6                  240097  16
dm_mod                 58949  7 dm_multipath,dm_snapshot,dm_zero,dm_mirror

Expected results:
iptables related drivers are not installed after sysrport runs.

# lsmod |grep ip
dm_multipath           22345  0
ipv6                  240097  14
dm_mod                 58949  7 dm_multipath,dm_snapshot,dm_zero,dm_mirror

Additional info:
After I update the system, I run sysreport to record the latest system config.
It was a few month ago. Then I got following error message from ip_conntrack
module, even though I didn't configured it by myself.

Jul 18 17:44:41 abc001 kernel: ip_conntrack: table full, dropping packet.
Jul 18 17:44:46 abc001 kernel: NET: 1492 messages suppressed.
Jul 18 17:44:46 abc001 kernel: ip_conntrack: table full, dropping packet.
Jul 18 17:44:51 abc001 kernel: NET: 1782 messages suppressed.

It turned out, iptables related drivers were loaded when I run sysreport
for long time ago.
I believe sysreport should not change which kenrel modules are loaded.
If it really required ip_conntrack, it may load temporary. 
But at least, sysreport should change it back what it used to be.

It is because sysreport use issue iptables -t nat, iptables_nat and
ip_conntrak are loaded into kernel.

The ip_conntrak not  only report the number of connection,
it also limit the number of connection, if it exceeds ip_conntrack_max.
Then "ip_conntrack: table full, dropping packet." is logged.

AND even though customer set custom ip_conntrack_max value into sysctl.conf,
it doesn't use when  ip_conntrack is loaded by command. (only when rc.sysinit
is executed at system boot, sysctl.conf may issued.  But at the moment,
network is  still  not active, ip_conntrack driver may not be loaded...so
it is useless. ) The bad news is that default value of ip_conntrack_max is
not large enough for the heavily loaded system.

This is why, I believe sysreport should unload ip_contrack it it was 
not loaded before it runs.

(Request for fix)
(1) sysreport should not keep forgettig iptable_nat,ip_conntrack drivers.
(2) iptable startup script should read /etc/sysctl.conf to find out
    net.ipv4.netfilter.ip_conntrack_max. If it is exist, iptables start
    up script should set the custom value after the ip_conntrak is loaded.
Comment 4 Wade Mealing 2006-10-12 20:08:27 EDT
Created attachment 138394 [details]
Patch to add --nofirewall switch to deny the probing of iptables rules.

This option stops the query of iptables rules.	This can be if there are
sensitive information about network infrastructure that the customer may not
wish to reveal, or that the loading probing of certain tables can cause
unwanted modules to load, therefore changing the system  behavior.

--nofirewall option added to sysreport.

Seems to work with initial testing on my end. This patch might already be
uploaded, but I'll do this anyway because I can't see the private information
in this bug.

Comment 5 Ngo Than 2006-10-20 10:15:42 EDT
Created attachment 138974 [details]
final fix

The patch looks ok for me. I have modified the path and there's the final fix
for the issue. Wade, thanks for the fix
Comment 12 Red Hat Bugzilla 2006-11-16 14:58:00 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

Comment 14 masanari iida 2006-11-28 06:23:11 EST
As I installed latest sysreport, I found Red Hat engineer
add "--firewall" option, instead of "--nofirewall" option.
This last min change should be noted here, unless I have to
report that I found some typo in the official release :)

Comment 16 Chris Williams 2006-11-28 12:51:56 EST
The change in the final fix has been modified. It's '-firewall' now and is 
disable by default.

Note You need to log in before you can comment on or make changes to this bug.