Description of problem:
Even though I didn't configure and load iptables drivers into the kernel, after running sysreport the drivers are loaded.

Version-Release number of selected component (if applicable):
sysreport-1.3.15-5

How reproducible:

Steps to Reproduce:
1. Confirm no iptables drivers are loaded.

   # lsmod | grep ip
   dm_multipath           22345  0
   ipv6                  240097  14
   dm_mod                 58949  7 dm_multipath,dm_snapshot,dm_zero,dm_mirror

2. Run sysreport.
3. Check for iptables modules again.

   # lsmod | grep ip

Actual results:
iptable_nat, ip_conntrack, iptable_filter and ip_tables are loaded. They were not loaded before the sysreport run.

   # lsmod | grep ip
   iptable_nat            27229  0
   ip_conntrack           45573  1 iptable_nat
   iptable_filter          6721  0
   ip_tables              21441  2 iptable_nat,iptable_filter
   dm_multipath           22345  0
   ipv6                  240097  16
   dm_mod                 58949  7 dm_multipath,dm_snapshot,dm_zero,dm_mirror

Expected results:
iptables-related drivers are not installed after sysreport runs.

   # lsmod | grep ip
   dm_multipath           22345  0
   ipv6                  240097  14
   dm_mod                 58949  7 dm_multipath,dm_snapshot,dm_zero,dm_mirror

Additional info:
After I updated the system, I ran sysreport to record the latest system config. That was a few months ago. Then I got the following error messages from the ip_conntrack module, even though I hadn't configured it myself.

   Jul 18 17:44:41 abc001 kernel: ip_conntrack: table full, dropping packet.
   Jul 18 17:44:46 abc001 kernel: NET: 1492 messages suppressed.
   Jul 18 17:44:46 abc001 kernel: ip_conntrack: table full, dropping packet.
   Jul 18 17:44:51 abc001 kernel: NET: 1782 messages suppressed.

It turned out that the iptables-related drivers were loaded when I ran sysreport a long time ago. I believe sysreport should not change which kernel modules are loaded. If it really requires ip_conntrack, it may load it temporarily. But at least sysreport should change it back to what it used to be. It is because sysreport issues "iptables -t nat" that iptable_nat and ip_conntrack are loaded into the kernel.
ip_conntrack not only reports the number of connections, it also limits the number of connections if it exceeds ip_conntrack_max. Then "ip_conntrack: table full, dropping packet." is logged. AND even though the customer sets a custom ip_conntrack_max value in sysctl.conf, it isn't used when ip_conntrack is loaded by a command. (Only when rc.sysinit is executed at system boot is sysctl.conf applied. But at that moment the network is still not active and the ip_conntrack driver may not be loaded... so it is useless.) The bad news is that the default value of ip_conntrack_max is not large enough for a heavily loaded system. This is why I believe sysreport should unload ip_conntrack if it was not loaded before it runs.

(Request for fix)
(1) sysreport should not keep forgetting the iptable_nat and ip_conntrack drivers.
(2) The iptables startup script should read /etc/sysctl.conf to find net.ipv4.netfilter.ip_conntrack_max. If it exists, the iptables startup script should set the custom value after ip_conntrack is loaded.
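The two behaviours requested above (unload whatever a probe pulled in, and apply the configured ip_conntrack_max once the module is loaded on purpose), as an added illustration that is not sysreport's own code or the iptables init script; the lsmod snapshots and sysctl.conf fragment are constructed from the listings in this report, and the root-only wrappers assume lsmod, rmmod and sysctl are on the PATH.

```shell
#!/bin/sh
# Added example, not sysreport's own code: snapshot lsmod around a probing
# command, unload what it pulled in, and apply the admin's ip_conntrack_max.

# Names present in AFTER but not in BEFORE, in lsmod order.  lsmod lists the
# newest module first, so this is also a safe rmmod order: iptable_nat goes
# before the ip_conntrack it holds a reference on.
modules_added() {   # usage: modules_added "$before_lsmod" "$after_lsmod"
    printf '%s\n' "$2" | awk -v before="$1" '
        BEGIN { n = split(before, line, "\n")
                for (i = 1; i <= n; i++) { split(line[i], f, " "); seen[f[1]] = 1 } }
        $1 != "" && $1 != "Module" && !($1 in seen) { print $1 }'
}

# Last net.ipv4.netfilter.ip_conntrack_max in a sysctl.conf body (later lines
# override earlier ones, as sysctl does); prints nothing when the key is absent.
conntrack_max_from_sysctl() {   # usage: conntrack_max_from_sysctl "$(cat /etc/sysctl.conf)"
    printf '%s\n' "$1" | awk -F'[= ]+' '
        $1 == "net.ipv4.netfilter.ip_conntrack_max" { v = $2 }
        END { print v }'
}

# Root-only wrapper: run CMD, then remove every module it loaded.
probe_without_residue() {   # usage: probe_without_residue iptables -t nat -L -n
    before=$(lsmod); "$@"; status=$?; after=$(lsmod)
    for m in $(modules_added "$before" "$after"); do
        rmmod "$m" || echo "warning: could not unload $m" >&2
    done
    return $status
}

# Root-only, startup-script side: push the configured limit in once ip_conntrack is loaded.
apply_conntrack_max() {
    v=$(conntrack_max_from_sysctl "$(cat /etc/sysctl.conf)")
    [ -n "$v" ] && sysctl -w net.ipv4.netfilter.ip_conntrack_max="$v"
}

# Constructed snapshots, shortened from the lsmod listings in this report.
SAMPLE_BEFORE='Module                  Size  Used by
dm_multipath           22345  0'
SAMPLE_AFTER='Module                  Size  Used by
iptable_nat            27229  0
ip_conntrack           45573  1 iptable_nat
iptable_filter          6721  0
ip_tables              21441  2 iptable_nat,iptable_filter
dm_multipath           22345  0'
SAMPLE_SYSCTL='# constructed sysctl.conf fragment
net.ipv4.ip_forward = 0
net.ipv4.netfilter.ip_conntrack_max = 131072'
```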
Created attachment 138394
Patch to add --nofirewall switch to deny the probing of iptables rules.

This option stops the query of iptables rules. This can be used if there is sensitive information about the network infrastructure that the customer may not wish to reveal, or if the probing of certain tables can cause unwanted modules to load, therefore changing the system behavior. The --nofirewall option was added to sysreport. It seems to work with initial testing on my end. This patch might already be uploaded, but I'll do this anyway because I can't see the private information in this bug.

Wade
Created attachment 138974
final fix

The patch looks OK to me. I have modified the path and here is the final fix for the issue. Wade, thanks for the fix.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2006-0723.html
When I installed the latest sysreport, I found that a Red Hat engineer added a "--firewall" option instead of the "--nofirewall" option. This last-minute change should be noted here, unless I have to report that I found a typo in the official release :)
The change in the final fix has been modified. It's '-firewall' now and is disabled by default.