Description of problem: When a /etc/init.d/iptables restart is done, existing connections to the host get dropped (some of them). This is caused by the conntrack modules getting unloaded -> no more states.

# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

In the use case of "Add new allowed incoming port" that's pretty overkill. I attached a patch that adds a "reload" target that sets IPTABLES_MODULES_UNLOAD="no" and restarts.
Created attachment 294769 [details] Add reload action to iptables startup script
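As an added illustration of the "reload" target described above (this is not the attached patch and not the distribution's init script; the function names, the IPTABLES_RESTORE override and the config paths are assumptions), a SysV-style reload action that re-applies the saved rule set with iptables-restore and never unloads netfilter modules, so conntrack state survives:

```shell
#!/bin/sh
# Added example: a "reload" action for an iptables init script.
# Paths mirror the usual sysconfig layout; the IPTABLES_RESTORE
# variable is assumed here so the command can be swapped for testing.
IPTABLES_DATA="${IPTABLES_DATA:-/etc/sysconfig/iptables}"
IPTABLES_CONFIG="${IPTABLES_CONFIG:-/etc/sysconfig/iptables-config}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

# Pick up IPTABLES_MODULES_UNLOAD and friends if the config exists.
[ -r "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"

# reload: re-apply the saved rule set without touching kernel modules.
# iptables-restore (without -n) flushes and replaces each table it is
# given in a single commit, so rules change but conntrack entries stay.
# Returns 1 when there is no saved rule set, else iptables-restore's status.
iptables_reload() {
    if [ ! -f "$IPTABLES_DATA" ]; then
        echo "$0: no saved rules in $IPTABLES_DATA" >&2
        return 1
    fi
    "$IPTABLES_RESTORE" < "$IPTABLES_DATA"
}

# Policy helper: which actions unload the netfilter modules.
# "reload" never does; "restart"/"stop" follow IPTABLES_MODULES_UNLOAD
# (default yes, as in the sysconfig comment quoted above).
modules_unloaded_by() {
    case "$1" in
        reload) echo no ;;
        restart|stop) echo "${IPTABLES_MODULES_UNLOAD:-yes}" ;;
        *) echo no ;;
    esac
}

# Minimal dispatcher; start/stop/restart would call the script's
# existing functions, which are not reproduced here.
iptables_action() {
    case "$1" in
        reload) iptables_reload ;;
        *) echo "Usage: $0 {start|stop|restart|reload|status}" >&2
           return 2 ;;
    esac
}
```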
I'd really like to see this implemented, as well. I've got a junior admin who broke existing connections to a production database because he went to add an iptables rule, tried to do a 'reload', saw that there was no 'reload', then did a 'restart'. I've never understood why 'reload' wasn't included on RH platforms. Unloading and reloading modules is rarely needed, and causes too many problems, especially when it's the only action supported by the init script.
Hrm. Looks like this has actually been requested previously, back about 4 years ago: https://bugzilla.redhat.com/show_bug.cgi?id=115655 Such a simple fix, for so long of a wait.
The problem with a reload without unloading the netfilter kernel modules is that you are not unloading the kernel modules. If a kernel module is there, it is active and will be used. Please think of this scenario: a service which needs a helper module gets disabled, and then you do a reload instead of a restart. The helper module will be there and will behave as before. This will be really unexpected, too. A reload could only work if you are adding rules, not if you are removing them.
Urgh, found this in my needinfo pile :P What about only reloading the special helper modules (anything in IPTABLES_MODULES vs. IPTABLES_MODULES_COMMON)? People really only get annoyed when their ssh and irc (and sql :) ) gets disconnected just to add/remove one port. That or calling my idea of reload /etc/init.d/iptables flush-and-start or whatnot :P Or even REALLY_DONT_RELOAD_MODULES=1 iptables restart, and I can just do a /usr/local/sbin/fwreload locally ;)
I will have to test this with the latest netfilter versions in the kernel. With older versions this led to unexpected behaviour.
Please note that module unloading as a whole was dropped from iptables init script in F26.