Bug 619081 - iptables service is always reported as "running"
Summary: iptables service is always reported as "running"
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-services
Version: 13
Hardware: All Linux
low
medium
Target Milestone: ---
Assignee: Nils Philippsen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2010-07-28 14:16 UTC by Denys Vlasenko
Modified: 2011-06-29 12:51 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-06-29 12:51:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---



Description Denys Vlasenko 2010-07-28 14:16:05 UTC
iptables service is always reported as "running":
"service iptables status" has exitcode 0:

# service iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
# service iptables status; echo $?
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

0


Compare this with other services, say, ip6tables:

# service ip6tables stop
ip6tables: Flushing firewall rules:                        [  OK  ]
ip6tables: Setting chains to policy ACCEPT: filter         [  OK  ]
ip6tables: Unloading modules:                              [  OK  ]
[root@dhcp-25-227 fw]# service ip6tables status; echo $?
ip6tables: Firewall is not running.
3

Among other things, this makes iptables service "unstoppable" in GUI service config (System->Administration->services): you can press on "stop" button however many times you like, the service is still "running". One side effect of bogus "running" status is that it cannot be *started* using GUI: GUI thinks it already is, and "start" button is greyed out!

Comment 1 Denys Vlasenko 2010-07-28 14:23:28 UTC
Also, the service description:

Start, stop and save iptables firewall

is not that informative. When do I want to have it running, for example? Maybe:

"You need to have this service running if you want Firewall configuration to be active on your machine. With this service off, no ports are blocked, no masquerading is performed and so on."

Comment 2 Thomas Woerner 2010-07-28 14:58:11 UTC
The iptables and ip6tables services do not start or stop daemons. The services only load, save or flush netfilter firewall rules. Therefore the existence of rules has to be used to decide if the services are active or not.

But: The base netfilter kernel modules are compiled into the kernel to reduce system startup time. Even if there is no firewall configuration loaded, the default firewall policy accept rules are there because of this. Also libvirt is adding firewall rules. Therefore there are always firewall rules and the services are reporting that they are running.

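The status logic Thomas describes above ("the existence of rules decides whether the service is active"), worked through as an added example that is not part of this bug, of the iptables initscript, or of system-config-services. It classifies an `iptables -S` listing read from stdin instead of the live kernel: the three rulesets are constructed text, and the libvirt sample's interface name and subnet are assumed values.

```shell
#!/bin/sh
# Added example, not code from the Fedora initscript or from system-config-services.
# Classifies an `iptables -S` listing (the save-format dump of the filter table)
# as either the kernel's empty default or a loaded configuration.
# All rulesets below are constructed text; nothing here talks to the kernel.

# Constructed sample 1: the state after `service iptables stop` in the report.
# Builtin chains, policy ACCEPT, no rules. A plain "rules exist" check still
# sees three lines here, which is why status keeps reporting "running".
SAMPLE_EMPTY='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample 2: a loaded firewall configuration.
SAMPLE_LOADED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Constructed sample 3: no saved configuration, but rules of the kind libvirt
# adds for its bridge (interface name and subnet are assumed values).
SAMPLE_LIBVIRT='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT'

# firewall_state: read an `iptables -S` listing on stdin, print one word and
# return an LSB-style status code:
#   empty      (return 3) builtin chains with policy ACCEPT only, no rules
#   configured (return 0) at least one rule (-A) or a non-ACCEPT policy (-P)
firewall_state() {
    rules=0
    strict=0
    while IFS= read -r line; do
        case "$line" in
            "-P "*" ACCEPT") ;;                  # default policy line, ignored
            "-P "*) strict=$((strict + 1)) ;;    # DROP/REJECT policy counts
            "-A "*) rules=$((rules + 1)) ;;      # any rule counts
            *) ;;                                # -N chain definitions etc.
        esac
    done
    if [ "$rules" -eq 0 ] && [ "$strict" -eq 0 ]; then
        echo empty
        return 3
    fi
    echo configured
    return 0
}

# Stand-alone demo over the three constructed samples.
for name in SAMPLE_EMPTY SAMPLE_LOADED SAMPLE_LIBVIRT; do
    eval "ruleset=\$$name"
    state=$(printf '%s\n' "$ruleset" | firewall_state) || true
    echo "$name: $state"
done
```

Return code 3 is the same "not running" code the ip6tables session in the report shows. The third sample is the caveat from the comment above: on a host where libvirt has added rules, this check (like any check based on the presence of rules) still says "configured", so it does not make the GUI's start/stop buttons meaningful on such hosts; it only distinguishes the stopped, policy-ACCEPT state from a loaded ruleset.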
Comment 3 Denys Vlasenko 2010-07-29 13:51:51 UTC
(In reply to comment #2)
> The iptables and ip6tables services do not start or stop daemons. The services
> only load, save or flush netfilter firewall rules. Therefore the existence of
> rules has to be used to decide if the services are active or not.
> 
> But: The base netfilter kernel modules are compiled into the kernel to reduce
> system startup time. Even if there is no firewall configuration loaded, the
> default firewall policy accept rules are there because of this. Also libvirt is
> adding firewall rules. Therefore there are always firewall rules and the
> services are reporting that they are running.    

How is the user supposed to start the iptables service then, assuming it was stopped, and assuming he wants to use the GUI tool at System->Administration->Services?

Comment 4 Denys Vlasenko 2010-07-29 14:29:43 UTC
Thomas says it's not an iptables problem. Reassigning to system-config-services.

Comment 5 Bug Zapper 2011-06-01 12:38:32 UTC
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 6 Bug Zapper 2011-06-29 12:51:25 UTC
Fedora 13 changed to end-of-life (EOL) status on 2011-06-25. Fedora 13 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
