Bug 432617 - RFE: Add "reload" option to startup script.
Summary: RFE: Add "reload" option to startup script.
Alias: None
Product: Fedora
Classification: Fedora
Component: iptables
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2008-02-13 13:13 UTC by Pekka Pietikäinen
Modified: 2018-05-04 14:40 UTC

Clone Of:
Last Closed: 2018-05-04 14:40:26 UTC

Attachments
Add reload action to iptables startup script (538 bytes, patch)
2008-02-13 13:13 UTC, Pekka Pietikäinen

Description Pekka Pietikäinen 2008-02-13 13:13:38 UTC
Description of problem:

When a /etc/init.d/iptables restart is done, existing connections to the host
get dropped (some of them). This is caused by the conntrack modules getting
unloaded -> no more states.

# Unload modules on restart and stop
#   Value: yes|no,  default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.

In the use case of "Add new allowed incoming port" that's pretty overkill.
I attached a patch that adds a "reload" target that sets
IPTABLES_MODULES_UNLOAD="no" and restarts.

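The reload action the report proposes, sketched as an added example rather than the attached patch or Fedora's own script: reload is a restart with IPTABLES_MODULES_UNLOAD forced to "no", so the conntrack modules and their state survive the rule swap. The helper names (fw_stop, fw_start, fw_action, run_step) and the DRY_RUN switch are assumptions made for this sketch; with DRY_RUN=1 it only records the steps it would take.

```shell
#!/bin/sh
# Added example, not the page's patch. Minimal init-script skeleton showing
# how "reload" differs from "restart": both flush and re-apply the rules,
# but reload never unloads the netfilter modules, so conntrack state is kept.
# fw_*, run_step and DRY_RUN are hypothetical names for this sketch.

IPTABLES_MODULES_UNLOAD=${IPTABLES_MODULES_UNLOAD:-yes}
IPTABLES_MODULES=${IPTABLES_MODULES:-}
STEPS=""

# Record the step name, then run the command unless DRY_RUN=1.
run_step() {
    label=$1; shift
    STEPS="$STEPS $label"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

fw_stop() {
    run_step flush iptables -F
    if [ "$IPTABLES_MODULES_UNLOAD" = yes ]; then
        # Removing the conntrack modules is what drops existing connections.
        run_step unload modprobe -r $IPTABLES_MODULES nf_conntrack
    fi
}

fw_start() {
    run_step load modprobe $IPTABLES_MODULES
    run_step apply iptables-restore /etc/sysconfig/iptables
}

# Returns the space-separated list of steps taken on stdout.
fw_action() {
    STEPS=""
    case $1 in
        start)   fw_start ;;
        stop)    fw_stop ;;
        restart) fw_stop; fw_start ;;
        reload)
            # Same as restart, but modules stay loaded. Note the caveat from
            # the thread: a helper module needed by a rule you just removed
            # remains loaded and active until a real restart.
            saved=$IPTABLES_MODULES_UNLOAD
            IPTABLES_MODULES_UNLOAD=no
            fw_stop; fw_start
            IPTABLES_MODULES_UNLOAD=$saved ;;
        *) echo "Usage: $0 {start|stop|restart|reload}" >&2; return 2 ;;
    esac
    echo "${STEPS# }"
}
```
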
Comment 1 Pekka Pietikäinen 2008-02-13 13:13:38 UTC
Created attachment 294769 [details]
Add reload action to iptables startup script

Comment 2 Christopher Cashell 2008-06-25 16:36:07 UTC
I'd really like to see this implemented, as well.

I've got a junior admin who broke existing connections to a production database
because he went to add an iptables rule, tried to do a 'reload', saw that there
was no 'reload', then did a 'restart'.

I've never understood why 'reload' wasn't included on RH platforms.  Unloading
and reloading modules is rarely needed, and causes too many problems, especially
when it's the only action supported by the init script.

Comment 3 Christopher Cashell 2008-06-25 16:57:33 UTC
Hrm.  Looks like this has actually been requested previously, back about 4 years
ago: https://bugzilla.redhat.com/show_bug.cgi?id=115655

Such a simple fix, for so long of a wait.

Comment 4 Thomas Woerner 2008-07-01 10:13:23 UTC
The problem with a reload without unloading the netfilter kernel modules is that
you are not unloading the kernel modules. If a kernel module is there, it is
active and will be used.

Please think of this scenario: Disabling a service, which needs a helper module,
gets deactivated and then you do a reload instead of a restart. The helper
module will be there and will behave as before. This will be really unexpected, too.

A reload could only work if you are adding rules, not if you are removing them.

Comment 5 Pekka Pietikäinen 2008-11-18 00:37:48 UTC
Urgh, found this in my needinfo pile :P

What about only reloading the special helper modules (anything in IPTABLES_MODULES vs. IPTABLES_MODULES_COMMON)? People really only get annoyed when their ssh and irc (and sql :) ) gets disconnected just to add/remove one port.

That or calling my idea of reload /etc/init.d/iptables flush-and-start or whatnot :P

Or even REALLY_DONT_RELOAD_MODULES=1 iptables restart, and I can just do a /usr/local/sbin/fwreload locally ;)

Comment 6 Thomas Woerner 2009-06-03 09:21:55 UTC
I will have to test this with latest netfilter versions in the kernel. With older versions this led to unexpected behaviour.

Comment 7 Phil Sutter 2018-05-04 14:40:26 UTC
Please note that module unloading as a whole was dropped from iptables init script in F26.
