Bug 236669 - protocols should not come from ldap
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: authconfig (Show other bugs)
Version: 5.0
Hardware: All Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Tomas Mraz
QA Contact: Brian Brock
Depends On: 380551
Reported: 2007-04-16 22:09 EDT by Gordon Messmer
Modified: 2008-05-21 10:29 EDT (History)

See Also:
Fixed In Version: RHBA-2008-0375
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-21 10:29:29 EDT


Attachments
A patch workaround for ip6tables (489 bytes, patch)
2007-07-05 19:35 EDT, Richard Bullington-McGuire


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Bugzilla 214141 None None None Never

Description Gordon Messmer 2007-04-16 22:09:05 EDT
Description of problem:
ip6tables-restore makes a call to "getprotobyname" before the network is up.  If
authconfig has configured "protocols" to use ldap as a db source, it will take a
very long time to complete.  In order to prevent this from being a problem,
authconfig should avoid listing ldap as a source for "protocols".

Version-Release number of selected component (if applicable):
authconfig-5.3.12-2.el5

How reproducible:
always

Steps to Reproduce:
1. configure a system to use ldap for user info, using authconfig
2. reboot
Comment 1 Richard Bullington-McGuire 2007-07-05 19:08:16 EDT
This looks related to Fedora Core 6 bug # 214141.
Comment 2 Richard Bullington-McGuire 2007-07-05 19:35:55 EDT
Created attachment 158631 [details]
A patch workaround for ip6tables

This patch to /etc/sysconfig/ip6tables.conf works around the problem by
eliminating the use of the symbolic protocol specified, replacing it with a
literal number. The protocol number for IPv6 ICMP is 58.

So, this works in ip6tables.conf to accept ipv6-icmp traffic:

-A RH-Firewall-1-INPUT -p 58 -j ACCEPT


Putting any symbolic value in the protocol makes ip6tables-restore hang:

-A RH-Firewall-1-INPUT -p icmp6 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-icmp -j ACCEPT
-A RH-Firewall-1-INPUT -p foo -j ACCEPT

These all yield the same result.
Comment 3 Richard Bullington-McGuire 2007-07-05 19:40:53 EDT
Oops, I meant just "A patch workaround for /etc/sysconfig/ip6tables".

The fix for this should probably go into system-config-securitylevel, since that
is what is generating the "-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT" line.
ip6tables-restore could probably also be patched to hardcode the icmpv6 protocol
number to avoid a lookup. It's not as if that is going to change any time soon.

I wonder why ip6tables-restore has this issue, but iptables-restore does not,
though /etc/sysconfig/iptables has "icmp" as a symbol.
Comment 4 Richard Bullington-McGuire 2007-07-06 07:38:09 EDT
Changing /etc/nsswitch.conf so that protocols are only looked up from files also
resolves the issue:

protocols:  files
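Added example, not from this bug report, from authconfig or from ip6tables: a Python script that does by machine what comments 2 and 4 describe by hand. It parses an nsswitch.conf and reports boot-time databases backed by a network directory, strips those sources (comment 4), and rewrites symbolic `-p` arguments in iptables-restore rules to protocol numbers so the restore needs no getprotobyname() lookup (comment 2). The nsswitch.conf text and the protocol table are constructed inline so it runs offline; treating services, ethers and rpc as boot-time databases alongside protocols is my assumption, as is the ldap/nis/nisplus source list.

```python
"""Audit nsswitch.conf for network-backed boot-time lookups and make
iptables-restore rules independent of NSS (added example, not project code)."""
import re

# Constructed sample of what authconfig writes when ldap is listed for
# every database, including the one ip6tables-restore queries at boot.
SAMPLE_NSSWITCH = """\
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
protocols:  files ldap
services:   files ldap   # also consulted by early services (assumption)
"""

# Databases consulted before networking is up. The bug report names
# 'protocols'; the other three are an assumption based on common boot scripts.
BOOT_TIME_DBS = ("protocols", "services", "ethers", "rpc")
# Sources that need a working network to answer (assumption: this list).
NETWORK_SOURCES = ("ldap", "nis", "nisplus")


def parse_nsswitch(text):
    """Return {database: [sources]} from nsswitch.conf text, dropping comments
    and bracketed action tokens such as [NOTFOUND=return]."""
    db = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        db[name.strip()] = [t for t in rest.split() if not t.startswith("[")]
    return db


def find_boot_blockers(text):
    """(database, source) pairs where a boot-time database depends on a
    network directory; each one can stall boot the way this bug describes."""
    db = parse_nsswitch(text)
    return [(name, src) for name in BOOT_TIME_DBS
            for src in db.get(name, []) if src in NETWORK_SOURCES]


def fix_nsswitch(text):
    """Remove network sources from boot-time databases only (comment 4);
    passwd/group/etc. keep ldap so user lookups still work."""
    out = []
    for line in text.splitlines():
        body, sep, comment = line.partition("#")
        m = re.match(r"^(\w+):(\s*)(.*)$", body)
        if m and m.group(1) in BOOT_TIME_DBS:
            kept = [t for t in m.group(3).split() if t not in NETWORK_SOURCES]
            body = f"{m.group(1)}:{m.group(2)}{' '.join(kept)}"
            line = body + ((" " + sep + comment) if sep else "")
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed subset of /etc/protocols; getprotobyname() normally resolves
# these names, and that lookup is what hangs when ldap is a source.
PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "ipv6-icmp": 58}
# Spellings seen in comment 2 that all mean IPv6 ICMP.
PROTOCOL_ALIASES = {"icmp6": "ipv6-icmp", "icmpv6": "ipv6-icmp"}


def numeric_protocol(rule):
    """Rewrite '-p NAME' / '--protocol NAME' in one iptables-restore rule to the
    protocol number (comment 2). Numbers are left as they are; unknown names
    are left unchanged so the caller can flag them instead of guessing."""
    def repl(m):
        name = m.group(3).lower()
        name = PROTOCOL_ALIASES.get(name, name)
        if name.isdigit() or name not in PROTOCOL_NUMBERS:
            return m.group(0)
        return f"{m.group(1)}{m.group(2)}{PROTOCOL_NUMBERS[name]}"
    # Lookbehind keeps '--dport' and similar options from matching as '-p'.
    return re.sub(r"(?<!\S)(-p|--protocol)(\s+)(\S+)", repl, rule)


def still_symbolic(rules):
    """Rules that would still need an NSS lookup after rewriting."""
    return [r for r in map(numeric_protocol, rules)
            if re.search(r"(?<!\S)(?:-p|--protocol)\s+\D", r)]


if __name__ == "__main__":
    for db, src in find_boot_blockers(SAMPLE_NSSWITCH):
        print(f"boot-time database '{db}' uses network source '{src}'")
    print(fix_nsswitch(SAMPLE_NSSWITCH))
    rules = ["-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT",
             "-A RH-Firewall-1-INPUT -p foo -j ACCEPT"]
    for r in rules:
        print(numeric_protocol(r))
    print("unresolved:", still_symbolic(rules))
```

Run it against the real file with `fix_nsswitch(open("/etc/nsswitch.conf").read())` and diff the result before installing it; the numeric rewrite is a belt-and-braces measure for rule files that must load before networking, and `still_symbolic` shows which lines would still block.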
Comment 5 RHEL Product and Program Management 2007-10-31 14:25:37 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 11 errata-xmlrpc 2008-05-21 10:29:29 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0375.html
