Bug 71201 - ifup eth0 I gives an iptables error
Status: CLOSED RAWHIDE
Product: Red Hat Public Beta
Classification: Retired
Component: initscripts
limbo
i386 Linux
medium Severity medium
Assigned To: Bill Nottingham
Ben Levenson
Blocks: 67217
Reported: 2002-08-09 17:26 EDT by Pam Huntley
Modified: 2014-03-16 22:29 EDT (History)
Doc Type: Bug Fix
Last Closed: 2002-08-21 14:11:48 EDT
Description Pam Huntley 2002-08-09 17:26:02 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020724

Description of problem:
When I do ifup eth0 (a dhcp ethernet card that doesn't activate at boot), I get
this error:

[root@t30 root]# ifup eth0

Determining IP information for eth0...iptables v1.2.5: Unknown arg `--sport'
Try `iptables -h' or 'iptables --help' for more information.
 done.
iptables v1.2.5: Unknown arg `--sport'
Try `iptables -h' or 'iptables --help' for more information.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. I installed Limbo2 with the medium security firewall option (default options),
and I checked allow incoming ssh
2. finish installing, boot machine, go to X
3. ifup eth0, and you get that error

Actual Results:  eth0 does come up ok:
[root@t30 root]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:06:1B:10:0C:9C
          inet addr:9.44.107.135  Bcast:9.44.107.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6367 errors:0 dropped:0 overruns:0 frame:0
          TX packets:768 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1543333 (1.4 Mb)  TX bytes:107703 (105.1 Kb)
          Interrupt:11 Base address:0xe000

However, I get that error.

Expected Results:  No error.

Additional info:

Here is my iptables script:

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT
Comment 1 Tom "spot" Callaway 2002-08-09 17:32:55 EDT
--sport is not valid syntax for iptables, even though the man pages say it is.

We should be using --source-port instead.
Comment 2 Jeremy Katz 2002-08-10 16:45:45 EDT
If we don't fix iptables, then we need to fix everything that writes out
iptables configs and initscripts.  Fixing iptables is probably the better option
Comment 3 Harald Hoyer 2002-08-12 09:42:32 EDT
Nothing wrong with iptables or lokkit... this is ifup.
Wrong lines:
        [ -n "$FWHACK" ] && iptables -D RH-Lokkit-0-50-INPUT -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -m udp -j ACCEPT

    [ -n "$FWHACK" ] && iptables -D RH-Lokkit-0-50-INPUT -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -m udp -j ACCEPT

Should be:
        [ -n "$FWHACK" ] && iptables -D RH-Lokkit-0-50-INPUT -m udp -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -j ACCEPT

    [ -n "$FWHACK" ] && iptables -D RH-Lokkit-0-50-INPUT -m udp -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -j ACCEPT

See, the -m udp module argument must be first, because --sport is an argument for
that module...
Comment 4 Harald Hoyer 2002-08-12 09:45:12 EDT
this seems to be wrong throughout all initscripts... has it _ever_ been tested????
Comment 5 Bill Nottingham 2002-08-12 16:37:12 EDT
Not extensively, no. Fixed in CVS, will be in 6.89-1.
Comment 6 Harald Hoyer 2002-08-15 08:27:25 EDT
You should also use -I instead of -A, otherwise the rule would be behind the
REJECTs.
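An added check (not code from initscripts or lokkit) that catches both ordering problems raised in comments 3 and 6: it flags port options that precede the tcp/udp match on a rule line, and it replays an iptables-restore style ruleset to find ACCEPT rules that end up behind a chain's REJECTs. The rule strings are taken from this report; BROKEN_DNS and FIXED_DNS use -A/-I in place of the -D shown in comment 3 so the -I point can be shown as well.

```python
# Lints iptables rule lines for the two ordering mistakes in this bug: port options
# before the tcp/udp match is loaded, and ACCEPT rules appended (-A) behind REJECTs.
import shlex

PORT_OPTS = {"--sport", "--dport", "--source-port", "--destination-port", "--syn"}
CHAIN = "RH-Lokkit-0-50-INPUT"

# Excerpt of the lokkit ruleset from the report (iptables-restore format, lines rejoined).
LOKKIT_RULES = [
    f"-A {CHAIN} -p tcp -m tcp --dport 22 --syn -j ACCEPT",
    f"-A {CHAIN} -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT",
    f"-A {CHAIN} -p tcp -m tcp --dport 0:1023 --syn -j REJECT",
    f"-A {CHAIN} -p udp -m udp --dport 0:1023 -j REJECT",
]
# Nameserver rule in the argument orders from comment 3 (with -A/-I instead of -D).
BROKEN_DNS = f"-A {CHAIN} -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -m udp -j ACCEPT"
FIXED_DNS = f"-I {CHAIN} -m udp -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -j ACCEPT"

def check_option_order(rule):
    """Return the port options that appear before any '-p tcp|udp' / '-m tcp|udp'."""
    argv = shlex.split(rule)
    loaded_at = next((i for i, t in enumerate(argv[:-1]) if t in ("-p", "--protocol", "-m", "--match")
                      and argv[i + 1] in ("tcp", "udp")), len(argv))
    return [t for i, t in enumerate(argv) if t in PORT_OPTS and i < loaded_at]

def apply_rules(lines):
    """Replay -A/-I lines in order and return each chain's final rule order."""
    chains = {}
    for line in lines:
        argv = shlex.split(line)
        if len(argv) < 2 or argv[0] not in ("-A", "-I"):
            continue  # comments, *filter, :CHAIN and COMMIT lines carry no rule
        rules, rest = chains.setdefault(argv[1], []), argv[2:]
        if argv[0] == "-A":
            rules.append(rest)
        else:  # -I defaults to position 1; an explicit rule number may follow the chain
            pos = int(rest.pop(0)) if rest and rest[0].isdigit() else 1
            rules.insert(pos - 1, rest)
    return chains

def accepts_after_reject(chains):
    """ACCEPT rules that iptables evaluates only after a REJECT/DROP in the same chain."""
    late = []
    for chain, rules in chains.items():
        rejecting = False
        for rule in rules:
            target = rule[rule.index("-j") + 1] if "-j" in rule[:-1] else None
            rejecting = rejecting or target in ("REJECT", "DROP")
            if target == "ACCEPT" and rejecting:
                late.append((chain, " ".join(rule)))
    return late
```

Running check_option_order on BROKEN_DNS reports --sport and --dport, and appending it with -A leaves the DNS ACCEPT behind both REJECT rules, while FIXED_DNS passes both checks.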
Comment 7 Bill Nottingham 2002-08-15 14:20:36 EDT
fixed in cvs. will test when I get a chance to get to a spare box.
Comment 8 Jay Turner 2002-08-21 22:58:15 EDT
initscripts are confirmed fixed with initscripts-6.90-1.  We still have the
problem with gnome-lokkit writing out '-A' instead of '-I'
Comment 9 Bill Nottingham 2002-08-21 23:03:16 EDT
gnome-lokkit is right, AFAIK; it uses -A, but still adds the DNS before the
reject rules.
Comment 10 Harald Hoyer 2002-08-22 06:39:08 EDT
what is wrong with adding the DNS before the reject rules????
Comment 11 Bill Nottingham 2002-08-22 21:29:26 EDT
It does. I think we're in agreement here.