Bug 236669 - protocols should not come from ldap
Summary: protocols should not come from ldap
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: authconfig
Version: 5.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On: 380551
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-04-17 02:09 UTC by Gordon Messmer
Modified: 2008-05-21 14:29 UTC (History)
2 users (show)

Fixed In Version: RHBA-2008-0375
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-21 14:29:29 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
A patch workaround for ip6tables (489 bytes, patch)
2007-07-05 23:35 UTC, Richard Bullington-McGuire
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 214141 0 medium CLOSED ip6tables-restore triggers ldap before network is available 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2008:0375 0 normal SHIPPED_LIVE authconfig bug fix and enhancement update 2008-05-20 13:35:57 UTC

Internal Links: 214141

Description Gordon Messmer 2007-04-17 02:09:05 UTC
Description of problem:
ip6tables-restore makes a call to "getprotobyname" before the network is up.  If
authconfig has configured "protocols" to use ldap as a db source, it will take a
very long time to complete.  In order to prevent this from being a problem,
authconfig should avoid listing ldap as a source for "protocols".

Version-Release number of selected component (if applicable):
authconfig-5.3.12-2.el5

How reproducible:
always

Steps to Reproduce:
1. configure a system to use ldap for user info, using authconfig
2. reboot

Comment 1 Richard Bullington-McGuire 2007-07-05 23:08:16 UTC
This looks related to Fedora Core 6 bug # 214141.

Comment 2 Richard Bullington-McGuire 2007-07-05 23:35:55 UTC
Created attachment 158631 [details]
A patch workaround for ip6tables

This patch to /etc/sysconfig/ip6tables.conf works around the problem by
eliminating the use of the symbolic protocol specified, replacing it with a
literal number. The protocol number for IPv6 ICMP is 58.

So, this works in ip6tables.conf to accept ipv6-icmp traffic:

-A RH-Firewall-1-INPUT -p 58 -j ACCEPT


Putting any symbolic value in the protocol makes ip6tables-restore hang:

-A RH-Firewall-1-INPUT -p icmp6 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-icmp -j ACCEPT
-A RH-Firewall-1-INPUT -p foo -j ACCEPT

These all yield the same result.

Comment 3 Richard Bullington-McGuire 2007-07-05 23:40:53 UTC
Ooops, I meant just "A patch workaround for /etc/sysconfig/ip6tables".

The fix for this should probably go into system-config-securitylevel, since that
is what is generating the "-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT" line.
ip6tables-restore could probably also be patched to hardcode the icmpv6 protocol
number to avoid a lookup. It's not as if that is going to change any time soon.

I wonder why ip6tables-restore has this issue, but iptables-restore does not,
though /etc/sysconfig/iptables has "icmp" as a symbol.

Comment 4 Richard Bullington-McGuire 2007-07-06 11:38:09 UTC
Changing /etc/nsswitch.conf so that protocols are only looked up from files also
resolves the issue:

protocols:  files


Comment 5 RHEL Program Management 2007-10-31 18:25:37 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 11 errata-xmlrpc 2008-05-21 14:29:29 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0375.html



Note You need to log in before you can comment on or make changes to this bug.