Bug 199906 - iptable_nat, ip_conntrack drivers are loaded after sysreport run
Summary: iptable_nat, ip_conntrack drivers are loaded after sysreport run
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: sysreport
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Than Ngo
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2006-07-24 08:39 UTC by masanari iida
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHBA-2006-0723
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-11-16 19:58:00 UTC
Target Upstream Version:
Embargoed:


Attachments
Patch to add --nofirewall switch to deny the probing of iptables rules. (2.89 KB, text/x-patch) - 2006-10-13 00:08 UTC, Wade Mealing
final fix (3.24 KB, patch) - 2006-10-20 14:15 UTC, Than Ngo


Links
Red Hat Product Errata RHBA-2006:0723 (priority normal, status SHIPPED_LIVE): sysreport bug fix update, last updated 2006-11-16 19:57:58 UTC

Description masanari iida 2006-07-24 08:39:21 UTC
Description of problem:
Even though I didn't configure or load the iptables drivers into the kernel,
after running sysreport the drivers are loaded.

Version-Release number of selected component (if applicable):
sysreport-1.3.15-5

How reproducible:

Steps to Reproduce:
1. Confirm no iptables drivers are loaded.
# lsmod |grep ip
dm_multipath           22345  0
ipv6                  240097  14
dm_mod                 58949  7 dm_multipath,dm_snapshot,dm_zero,dm_mirror

2. run sysreport

3. Check for iptables modules again.
# lsmod |grep ip

Actual results:
iptable_nat, ip_conntrack, iptable_filter and ip_tables are loaded.
They were not loaded before the sysreport run.

# lsmod |grep ip
iptable_nat            27229  0
ip_conntrack           45573  1 iptable_nat
iptable_filter          6721  0
ip_tables              21441  2 iptable_nat,iptable_filter
dm_multipath           22345  0
ipv6                  240097  16
dm_mod                 58949  7 dm_multipath,dm_snapshot,dm_zero,dm_mirror


Expected results:
iptables-related drivers are not loaded after sysreport runs.

# lsmod |grep ip
dm_multipath           22345  0
ipv6                  240097  14
dm_mod                 58949  7 dm_multipath,dm_snapshot,dm_zero,dm_mirror


Additional info:
After I updated the system, I ran sysreport to record the latest system config.
That was a few months ago. Then I got the following error messages from the
ip_conntrack module, even though I hadn't configured it myself.

Jul 18 17:44:41 abc001 kernel: ip_conntrack: table full, dropping packet.
Jul 18 17:44:46 abc001 kernel: NET: 1492 messages suppressed.
Jul 18 17:44:46 abc001 kernel: ip_conntrack: table full, dropping packet.
Jul 18 17:44:51 abc001 kernel: NET: 1782 messages suppressed.

It turned out that the iptables-related drivers had been loaded when I ran
sysreport a long time ago.
I believe sysreport should not change which kernel modules are loaded.
If it really requires ip_conntrack, it may load it temporarily.
But at least sysreport should change it back to what it used to be.

It is because sysreport issues "iptables -t nat" that iptable_nat and
ip_conntrack are loaded into the kernel.

ip_conntrack not only reports the number of connections,
it also limits the number of connections if it exceeds ip_conntrack_max.
Then "ip_conntrack: table full, dropping packet." is logged.

And even though the customer sets a custom ip_conntrack_max value in sysctl.conf,
it is not used when ip_conntrack is loaded by a command. (Only when rc.sysinit
is executed at system boot is sysctl.conf applied. But at that moment the
network is still not active and the ip_conntrack driver may not be loaded... so
it is useless.) The bad news is that the default value of ip_conntrack_max is
not large enough for a heavily loaded system.

This is why I believe sysreport should unload ip_conntrack if it was
not loaded before it runs.

(Request for fix)
(1) sysreport should not keep forgetting the iptable_nat and ip_conntrack drivers.
(2) The iptables startup script should read /etc/sysctl.conf to find
    net.ipv4.netfilter.ip_conntrack_max. If it exists, the iptables startup
    script should set the custom value after ip_conntrack is loaded.

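A worked example of the two behaviours the reporter asks for, added here as an illustration and not taken from sysreport or from the attached patches: snapshot lsmod before the "iptables -t nat" probe, work out which modules the probe pulled in (ordered from lsmod's "Used by" column so that rmmod can remove them one by one, iptable_nat before ip_conntrack before ip_tables), and, if the modules are kept instead, apply the ip_conntrack_max value from /etc/sysctl.conf to the freshly loaded ip_conntrack, which a module loaded after boot otherwise never receives. The function names, the --live flag and the RESTORE variable are this example's own; the lsmod and sysctl.conf samples are constructed from the output quoted above.

```shell
#!/bin/sh
# Added example, not sysreport's or the attached patch's code: undo what a
# firewall probe pulls into the kernel, or apply the configured conntrack
# limit to the module the probe just loaded.

# Print the modules present in AFTER (lsmod text) but absent from BEFORE, in an
# order rmmod can use: a module is printed only after every newly loaded module
# that uses it (lsmod's "Used by" column) has been printed.
newly_loaded() {
    printf '%s\n' "$1" "===" "$2" | awk '
        $0 == "===" { part = 2; next }
        NF == 0 || $1 == "Module" { next }          # blank lines and the lsmod header
        part != 2 { old[$1] = 1; next }             # modules loaded before the probe
        !($1 in old) { order[++n] = $1; new[$1] = 1; users[$1] = (NF >= 4) ? $4 : "" }
        END {
            remaining = n
            while (remaining > 0) {
                progressed = 0
                for (i = 1; i <= n; i++) {
                    m = order[i]
                    if (done[m]) continue
                    busy = 0
                    k = split(users[m], u, ",")
                    for (j = 1; j <= k; j++) if ((u[j] in new) && !done[u[j]]) busy = 1
                    if (!busy) { print m; done[m] = 1; remaining--; progressed = 1 }
                }
                if (!progressed) exit 1             # cyclic "Used by": cannot happen for real modules
            }
        }'
}

# Print net.ipv4.netfilter.ip_conntrack_max from sysctl.conf-style text (the
# last setting wins, as "sysctl -p" applies lines in order); print nothing if unset.
conntrack_max_from() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*[#;]/ || NF < 2 { next }
        { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
        key == "net.ipv4.netfilter.ip_conntrack_max" { v = val }
        END { if (v != "") print v }'
}

# Live run (root, real iptables). RESTORE=1 (default) unloads whatever the probe
# pulled in; RESTORE=0 keeps the modules but applies the configured limit, so a
# freshly loaded ip_conntrack does not sit at the kernel default.
live_probe() {
    before=$(lsmod)
    iptables -t nat -L -n >/dev/null    # the probe sysreport ran; autoloads iptable_nat and ip_conntrack
    after=$(lsmod)
    if [ "${RESTORE:-1}" = 1 ]; then
        for m in $(newly_loaded "$before" "$after"); do rmmod "$m"; done
    else
        max=$(conntrack_max_from "$(cat /etc/sysctl.conf)")
        if [ -n "$max" ] && [ -w /proc/sys/net/ipv4/netfilter/ip_conntrack_max ]; then
            echo "$max" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
        fi
    fi
}

# Constructed samples: the reporter's lsmod output before and after the probe,
# and a sysctl.conf fragment that raises the conntrack limit twice.
BEFORE_LSMOD='Module                  Size  Used by
dm_multipath           22345  0
ipv6                  240097  14
dm_mod                 58949  7 dm_multipath,dm_snapshot,dm_zero,dm_mirror'
AFTER_LSMOD='Module                  Size  Used by
iptable_nat            27229  0
ip_conntrack           45573  1 iptable_nat
iptable_filter          6721  0
ip_tables              21441  2 iptable_nat,iptable_filter
dm_multipath           22345  0
ipv6                  240097  16
dm_mod                 58949  7 dm_multipath,dm_snapshot,dm_zero,dm_mirror'
SAMPLE_SYSCTL='# constructed fragment of /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.netfilter.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_max = 131072'

if [ "${1:-}" = "--live" ]; then
    live_probe
else
    echo "modules the probe pulled in, in rmmod order:"
    newly_loaded "$BEFORE_LSMOD" "$AFTER_LSMOD"
    echo "ip_conntrack_max configured in sysctl.conf: $(conntrack_max_from "$SAMPLE_SYSCTL")"
fi
```

Without arguments the script only exercises the two helpers on the constructed samples; "sh script.sh --live" as root performs the real probe and, by default, removes the modules it loaded. Note that ipv6's use count changes between the two snapshots but ipv6 is correctly left alone, since only module names absent from the first snapshot are candidates for removal.
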
Comment 4 Wade Mealing 2006-10-13 00:08:27 UTC
Created attachment 138394
Patch to add --nofirewall switch to deny the probing of iptables rules.

This option stops the query of iptables rules. This can be useful if there is
sensitive information about network infrastructure that the customer may not
wish to reveal, or if probing certain tables can cause unwanted modules to
load, thereby changing the system behaviour.

--nofirewall option added to sysreport.

Seems to work with initial testing on my end. This patch might already have been
uploaded, but I'll do this anyway because I can't see the private information
in this bug.

Wade

Comment 5 Than Ngo 2006-10-20 14:15:42 UTC
Created attachment 138974
final fix

The patch looks OK to me. I have modified the patch and here is the final fix
for the issue. Wade, thanks for the fix.

Comment 12 Red Hat Bugzilla 2006-11-16 19:58:00 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0723.html


Comment 14 masanari iida 2006-11-28 11:23:11 UTC
When I installed the latest sysreport, I found that the Red Hat engineer
added a "--firewall" option instead of a "--nofirewall" option.
This last-minute change should be noted here, unless I have to
report that I found a typo in the official release :)



Comment 16 Chris Williams 2006-11-28 17:51:56 UTC
The change in the final fix has been modified. It's '-firewall' now and is
disabled by default.

