Bug 432617 - RFE: Add "reload" option to startup script.
Product: Fedora
Classification: Fedora
Component: iptables
Hardware/OS: All / Linux
Priority: low, Severity: low
Assigned To: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-02-13 08:13 EST by Pekka Pietikäinen
Modified: 2009-06-03 05:21 EDT
Doc Type: Bug Fix

Attachments:
Add reload action to iptables startup script (538 bytes, patch), 2008-02-13 08:13 EST, Pekka Pietikäinen
Description Pekka Pietikäinen 2008-02-13 08:13:38 EST
Description of problem:

When a /etc/init.d/iptables restart is done, existing connections to the host
get dropped (some of them). This is caused by the conntrack modules getting
unloaded -> no more states.

# Unload modules on restart and stop
#   Value: yes|no,  default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.

In the use case of "Add new allowed incoming port" that's pretty overkill.
I attached a patch that adds a "reload" target that sets
IPTABLES_MODULES_UNLOAD="no" and restarts.
Comment 1 Pekka Pietikäinen 2008-02-13 08:13:38 EST
Created attachment 294769 [details]
Add reload action to iptables startup script
Comment 2 Christopher Cashell 2008-06-25 12:36:07 EDT
I'd really like to see this implemented, as well.

I've got a junior admin who broke existing connections to a production database
because he went to add an iptables rule, tried to do a 'reload', saw that there
was no 'reload', then did a 'restart'.

I've never understood why 'reload' wasn't included on RH platforms.  Unloading
and reloading modules is rarely needed, and causes too many problems, especially
when it's the only action supported by the init script.
Comment 3 Christopher Cashell 2008-06-25 12:57:33 EDT
Hrm.  Looks like this has actually been requested previously, back about 4 years
ago: https://bugzilla.redhat.com/show_bug.cgi?id=115655

Such a simple fix, for so long of a wait.
Comment 4 Thomas Woerner 2008-07-01 06:13:23 EDT
The problem with a reload without unloading the netfilter kernel modules is that
you are not unloading the kernel modules. If a kernel module is there, it is
active and will be used.

Please think of this scenario: a service which needs a helper module gets
disabled and deactivated, and then you do a reload instead of a restart. The helper
module will still be there and will behave as before. This will be really unexpected, too.

A reload could only work if you are adding rules, not if you are removing them.
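The difference between "restart" and the proposed "reload" from the report, together with the objection in comment 4, as an added dry-run model. This is not the patch attached to this bug and not Fedora's init script: commands are recorded instead of executed so it runs anywhere, and the module names (nf_conntrack, nf_conntrack_ftp) and the iptables-config variable names are assumed for illustration.

```shell
#!/bin/sh
# Added illustration (not the attachment on this bug): a dry-run model of the
# iptables init script showing how "reload" differs from "restart".
# Commands are recorded in ACTIONS instead of being run.

IPTABLES_MODULES_UNLOAD="yes"        # default from iptables-config
IPTABLES_MODULES="nf_conntrack_ftp"  # assumed helper module list
ACTIONS=""

# Record a command instead of running it (dry-run).
run() {
    ACTIONS="${ACTIONS}${ACTIONS:+;}$*"
}

start() {
    run "iptables-restore /etc/sysconfig/iptables"
    for mod in $IPTABLES_MODULES; do run "modprobe $mod"; done
}

stop() {
    run "iptables -F"
    run "iptables -X"
    if [ "$IPTABLES_MODULES_UNLOAD" = "yes" ]; then
        for mod in $IPTABLES_MODULES; do run "rmmod $mod"; done
        # Dropping the core conntrack module discards all connection state,
        # which is what breaks established sessions on a plain restart.
        run "rmmod nf_conntrack"
    fi
}

restart() {
    stop
    start
}

# reload: a restart with module unloading disabled, so tracked connections
# survive. Caveat from comment 4: a helper module whose rule was removed
# stays loaded and active until a real restart is done.
reload() {
    IPTABLES_MODULES_UNLOAD="no"
    restart
}

# Run one action from a clean state and print the recorded command sequence.
trace() {
    ACTIONS=""
    IPTABLES_MODULES_UNLOAD="yes"
    "$1"
    printf '%s\n' "$ACTIONS"
}

case "${1:-}" in
    start|stop|restart|reload) trace "$1" ;;
esac
```

Run it as `sh reload-model.sh restart` and `sh reload-model.sh reload` to compare the two traces: only the restart path contains the rmmod steps, and in both paths the helper module is (re)loaded regardless of whether the ruleset still references it.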
Comment 5 Pekka Pietikäinen 2008-11-17 19:37:48 EST
Urgh, found this in my needinfo pile :P

What about only reloading the special helper modules (anything in IPTABLES_MODULES vs. IPTABLES_MODULES_COMMON)? People really only get annoyed when their ssh and irc (and sql :) ) gets disconnected just to add/remove one port.

That or calling my idea of reload /etc/init.d/iptables flush-and-start or whatnot :P

Or even REALLY_DONT_RELOAD_MODULES=1 iptables restart, and I can just do a /usr/local/sbin/fwreload locally ;)
Comment 6 Thomas Woerner 2009-06-03 05:21:55 EDT
I will have to test this with the latest netfilter versions in the kernel. With older versions this led to unexpected behaviour.
