Bug 449352 - RHEL4: /etc/init.d/iptables does not know about 'raw' table (or: iptables does conn_tracking on 'trusted' interfaces)
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: iptables
Version: 4.6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: iptables-maint-list
QA Contact: qe-baseos-daemons
Keywords: FutureFeature, Tracking
Depends On:
Blocks:

Reported: 2008-06-02 07:14 EDT by Issue Tracker
Modified: 2012-06-14 15:40 EDT (History)
4 users

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-14 15:40:14 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
patch to enable raw (439 bytes, patch)
2008-06-02 07:18 EDT, Martin Poole

Description Issue Tracker 2008-06-02 07:14:03 EDT
Escalated to Bugzilla from IssueTracker
Comment 1 Issue Tracker 2008-06-02 07:14:05 EDT
Description of problem:

It appears that some of our ORACLE RAC clusters occasionally exhaust the iptable connection tracking space, due to traffic on supposedly-trusted interfaces. [I am aware of workarounds such as increasing the maximum number of connections (64k already) or hash table size.]

We would like to completely ignore this traffic. The (undocumented-in-RHEL4-but-working) NOTRACK target in the "raw" table appears to do this, with the exception that the init script /etc/init.d/iptables does not know about the "raw" table, and hence complains (e.g. on restart):
Setting chains to policy ACCEPT: filter raw                [FAILED]


How reproducible:

 always

Steps to Reproduce:

  add the following to /etc/sysconfig/iptables
*raw
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A OUTPUT -o lo -j NOTRACK
COMMIT

and run "/sbin/service iptables restart"

Actual results:

 Failure from init script

Expected results:

 Success ("OK")

Additional info:

* rpm -q iptables: iptables-1.2.11-3.1.RHEL4

* already tracked/fixed 
https://bugzilla.redhat.com/show_bug.cgi?id=179094 
  (some unspecified Fedora; RHEL5 is OK)

* minimal patch to init script is e.g. at 
http://bugs.centos.org/print_bug_page.php?bug_id=1676


Background/discussion (RHEL6? - please pass on to maintainer):

Ideally, Red Hat would mark all traffic over any "trusted" interface such as "lo" with NOTRACK - I do not see any value for stateful tracking here, both from a "performance" and a "memory" point of view.

Given that /etc/sysconfig/iptables on Red Hat is set up by tools (lokkit/anaconda) that trust "lo" by default and allow adding other "trusted" interfaces, it ought to be rather trivial to write the corresponding "raw" table entries instead of the ones for "filter".
This event sent from IssueTracker by mpoole  [Support Engineering Group]
 issue 180647
Comment 2 Issue Tracker 2008-06-02 07:14:06 EDT
1. Provide time and date of the problem
Problem can be reproduced easily on RHEL 4 systems.

2. Provide clear and concise problem description as it is understood at
the time of escalation
Customer uses rules in the raw table to mark packets coming in through
trusted interfaces with NOTRACK so that these are not tracked in
netfilter.

The iptables init script does not know how to setup the raw table default
policy on restart.

* Observed behavior
service iptables restart shows failed message
* Desired behavior 
service iptables restart does not show failed message

3. State specific action requested of SEG
Investigate problem and escalate to bugzilla.

4. State whether or not a defect in the product is suspected
BZ 179094 reported for Fedora Rawhide.
Centos bug reported at
http://bugs.centos.org/print_bug_page.php?bug_id=1676 
This contains a patch.

5. If there is a proposed patch, make sure it is in unified diff format
(diff -pruN)
Patch provided in centos bugzilla at
http://bugs.centos.org/print_bug_page.php?bug_id=1676

1. State other actions already taken in working the problem:
reported bugzillas provided.

2. Attach sosreport
Sos report from local test system attached.

3. Attach other supporting data
-

4. Provide issue repro information:
1) Add rule to iptables
# iptables -t raw -A OUTPUT -o lo -j NOTRACK
2) Save rules using
service iptables save
3) Check /etc/sysconfig/iptables for the following lines
*raw
:PREROUTING ACCEPT [5635:345504]
:OUTPUT ACCEPT [336:53990]
-A OUTPUT -o lo -j NOTRACK 
COMMIT
4) Try restarting the iptables service.
you see the failed message.

5. List any known hot-fix packages on the system
6. List any customer applied changes from the last 30 days 



Issue escalated to Support Engineering Group by: sprabhu.
Internal Status set to 'Waiting on SEG'

This event sent from IssueTracker by mpoole  [Support Engineering Group]
 issue 180647
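Added example illustrating the repro steps in comment 1 and comment 2 (this is not the RHEL4 init script, not the attached patch, and not the CentOS patch): a POSIX shell dry run that reads a file in the /etc/sysconfig/iptables (iptables-save) format, lists the tables it declares, reports which of them an init script with a fixed table list would not handle, and prints the per-table policy commands a raw-aware script would issue instead of executing them. The KNOWN_TABLES list, the function names and the sample rules file are assumptions made for the example; the report only establishes that the RHEL4 script handles "filter" and not "raw".

```sh
#!/bin/sh
# Added example; not the RHEL4 /etc/init.d/iptables and not any patch from
# this bug. Nothing here calls iptables: commands are only printed.

# Tables the init script is assumed to handle. The report shows "filter"
# works and "raw" fails; nat and mangle are an assumption for the example.
KNOWN_TABLES="filter nat mangle"

# Built-in chains per table, as iptables defines them.
builtin_chains() {
    case "$1" in
        raw)    echo "PREROUTING OUTPUT" ;;
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING POSTROUTING OUTPUT" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        *)      return 1 ;;
    esac
}

# Print the tables declared in a saved-rules file ("*name" lines), one per line.
tables_in_file() {
    sed -n 's/^\*\([a-z]*\)[[:space:]]*$/\1/p' "$1"
}

# Print the tables in the file that the assumed init script does not know;
# on the reported RHEL4 configuration this is where "raw" shows up.
unknown_tables() {
    for t in $(tables_in_file "$1"); do
        case " $KNOWN_TABLES " in
            *" $t "*) ;;
            *) echo "$t" ;;
        esac
    done
}

# Dry run of a policy-setting loop that does know "raw": print the
# "iptables -t TABLE -P CHAIN POLICY" commands instead of executing them.
# Usage: policy_commands FILE POLICY
policy_commands() {
    for t in $(tables_in_file "$1"); do
        chains=$(builtin_chains "$t") || { echo "unknown table: $t" >&2; return 1; }
        for c in $chains; do
            echo "iptables -t $t -P $c $2"
        done
    done
}

# Constructed sample in the format the report quotes (not a real system file).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j NOTRACK
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF

# Uncomment to run interactively against the sample:
# unknown_tables "$SAMPLE"
# policy_commands "$SAMPLE" ACCEPT
```

Pointing tables_in_file and unknown_tables at a copy of a real /etc/sysconfig/iptables (instead of the constructed sample) shows before a restart whether the file declares a table the installed init script will refuse, which is the check the reporter had to discover from the [FAILED] line.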
Comment 3 Martin Poole 2008-06-02 07:18:59 EDT
Created attachment 307347 [details]
patch to enable raw
Comment 6 RHEL Product and Program Management 2008-10-31 12:51:02 EDT
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 9 RHEL Product and Program Management 2010-10-22 15:06:18 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
