Bug 214141 - ip6tables-restore triggers ldap before network is available
Status: CLOSED RAWHIDE
Product: Fedora
Component: authconfig
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2006-11-06 02:36 EST by Casey Harkins
Modified: 2007-11-30 17:11 EST
Last Closed: 2007-09-24 15:58:01 EDT
External Trackers: Red Hat Bugzilla 236669
Description Casey Harkins 2006-11-06 02:36:17 EST
Description of problem:
Boot hangs on "Applying ip6tables firewall rules:" for about 2 minutes on a
machine configured to use nss_ldap. 

Version-Release number of selected component (if applicable):
iptables-ipv6-1.3.5-1.2.1

How reproducible:
Consistently.

Steps to Reproduce:
1. configure machine to use ldap
2. reboot

Alternate Steps to Reproduce:
1. configure machine to use ldap, using a non-existent server
2. run /etc/init.d/ip6tables restart

Actual results:
Hangs on ip6tables-restore.

Expected results:
ip6tables-restore should complete in a reasonable amount of time.

Additional info:
I'm not sure exactly what is triggering nss_ldap on the ip6tables-restore. The
iptables-restore (ipv4) does not have this problem. If I restart the ip6tables
init script after this machine boots, it finishes in 1/4 second. If I set an
invalid LDAP server (as suggested in Alternate Steps to Reproduce) and restart
ip6tables, it hangs as described with the following syslog messages:

Nov  6 01:20:19 amy ip6tables-restore: nss_ldap: reconnecting to LDAP server
(sleeping 4 seconds)...
Nov  6 01:20:23 amy ip6tables-restore: nss_ldap: reconnecting to LDAP server
(sleeping 8 seconds)...

The ip6tables-config contains all defaults. ip6tables contains:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --sport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 5900 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --sport 5900 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
Comment 1 Richard Bullington-McGuire 2007-07-05 19:04:45 EDT
I have experienced the same basic problem in RHEL5.
Comment 2 Richard Bullington-McGuire 2007-07-05 19:09:28 EDT
This looks related to RHEL 5 bug # 236669, Protocols Should Not Come From LDAP
Comment 3 Richard Bullington-McGuire 2007-07-05 19:42:42 EDT
Please see my comments in bug # 236669, that contain workarounds.
Comment 4 Tomas Mraz 2007-07-23 06:37:41 EDT
Note that in rawhide and F7-testing updates the authconfig (5.3.15) no longer
adds network services (ldap, nis..) to the protocols and services in
/etc/nsswitch.conf.
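The symptom in the description (ip6tables-restore stalling in nss_ldap retries before the network is up) and the authconfig change in comment 4 (no network sources on the protocols and services databases) can both be checked on an existing /etc/nsswitch.conf without rebooting. The following is an added example, not code from the bug report or from authconfig: a POSIX sh script that reads nsswitch.conf-style text (a constructed sample, laid out as an assumption of what older authconfig wrote, is embedded), reports which local-only databases still list ldap or nis, and emits a copy with those sources removed. The function names, the set of databases treated as local-only and the list of network sources are this example's own choices, not authconfig's.

```shell
#!/bin/sh
# Added example, not part of the bug report or of authconfig: find
# /etc/nsswitch.conf databases that should never be backed by a network
# directory. The rule file in the report uses protocol names (icmpv6),
# which libc resolves through the "protocols" database; when that database
# lists ldap and the server is not reachable yet, ip6tables-restore blocks
# in nss_ldap reconnect/sleep cycles, which is the stall at boot.

# Constructed sample, shaped like what older authconfig wrote (assumption).
SAMPLE_NSSWITCH='# /etc/nsswitch.conf (constructed sample)
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
ethers:     files ldap
netmasks:   files
protocols:  files ldap
rpc:        files
services:   files ldap
'

# Databases consulted by local tools (iptables, inetd, rpcbind) during boot;
# this list is the example's own choice.
LOCAL_ONLY_DBS='protocols services ethers rpc netmasks networks'
# Sources that need the network and usually a running directory server.
NETWORK_SOURCES='ldap nis nisplus'

NL=$(printf '\n.'); NL=${NL%.}   # a literal newline for parameter expansion

# _is_in WORD LIST: succeeds when WORD is one of the space-separated LIST.
_is_in() {
    for _w in $2; do [ "$1" = "$_w" ] && return 0; done
    return 1
}

# nss_network_backed_dbs "<nsswitch.conf contents>"
# Prints "database source" for every local-only database that lists a
# network source; prints nothing when the file is clean.
nss_network_backed_dbs() {
    printf '%s\n' "${1%"$NL"}" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        db=${line%%:*}
        _is_in "$db" "$LOCAL_ONLY_DBS" || continue
        for src in ${line#*:}; do
            if _is_in "$src" "$NETWORK_SOURCES"; then
                printf '%s %s\n' "$db" "$src"
            fi
        done
    done
}

# nss_fix_local_dbs "<nsswitch.conf contents>"
# Emits the file with network sources removed from local-only databases,
# the same outcome as the authconfig 5.3.15 behaviour described in comment 4.
# Other databases, comments, blank lines and [action] tokens are untouched.
nss_fix_local_dbs() {
    printf '%s\n' "${1%"$NL"}" | while IFS= read -r line; do
        case "$line" in ''|'#'*) printf '%s\n' "$line"; continue ;; esac
        db=${line%%:*}
        if _is_in "$db" "$LOCAL_ONLY_DBS"; then
            kept=''
            for src in ${line#*:}; do
                _is_in "$src" "$NETWORK_SOURCES" || kept="$kept $src"
            done
            printf '%s:%s\n' "$db" "$kept"
        else
            printf '%s\n' "$line"
        fi
    done
}

# Stand-alone run: report the offending lines, then show the corrected file.
nss_network_backed_dbs "$SAMPLE_NSSWITCH"
nss_fix_local_dbs "$SAMPLE_NSSWITCH"
```

To check a live system, pass the real file in with `nss_network_backed_dbs "$(cat /etc/nsswitch.conf)"`; any output names a database whose lookups can hang an init script that runs before the directory server is reachable, while passwd, group and hosts keep their ldap entries because those are the lookups the directory is actually for.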
Comment 5 Thomas Woerner 2007-09-10 04:54:33 EDT
This is not an iptables problem, assigning to authconfig.