Description of problem:
Stopping iptables when ip6tables is running results in a failure message.

Version-Release number of selected component (if applicable):
iptables-1.3.5-5.3.el5_4.1

How reproducible:
Always

Steps to Reproduce:
1. Configure IPv6, iptables, and ip6tables
2. /etc/init.d/ip6tables start
3. /etc/init.d/iptables stop

Actual results:
# /etc/init.d/iptables stop
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: raw filter nat            [  OK  ]
Unloading iptables modules:                                [FAILED]

Expected results:
# /etc/init.d/iptables stop
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: raw filter nat            [  OK  ]
Unloading iptables modules:                                [  OK  ]

Additional info:
iptables should not (complain about failure to) unload ip_conntrack when it is still in use by ip6tables.
Please add the firewall configuration for iptables and ip6tables as a private comment (from the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, or the output of the commands iptables-save and ip6tables-save). Please also add the values of IPTABLES_MODULES and IP6TABLES_MODULES from /etc/sysconfig/iptables-config and /etc/sysconfig/ip6tables-config. Thanks
Created attachment 518743 [details] /etc/sysconfig/iptables
Created attachment 518744 [details] /etc/sysconfig/ip6tables
Does not reproduce in 6.0.
The problem is the use of state in the IPv6 firewall. Connection tracking in the 2.6.18 kernel in EL-5 does not support IPv6. Please have a look at #243739 and #212839 for more information.

You need to replace the state line in the IPv6 firewall by this:

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT

This is a known limitation of the RHEL-5 kernel and cannot be changed. The state rule in your IPv6 firewall is not working and all packets are marked INVALID.

Here is an excerpt of the RELEASE_NOTES of EL-5:

o Added nf_conntrack subsystem (2.6.15)
o The existing connection tracking subsystem in netfilter can only handle ipv4. There were two choices present to add connection tracking support for ipv6; either duplicate all of the ipv4 connection tracking code into an ipv6 counterpart, or (the choice taken by these patches) design a generic layer that could handle both ipv4 and ipv6 and thus requiring only one sub-protocol (TCP, UDP, etc.) connection tracking helper module to be written. In fact, nf_conntrack is capable of working with any layer 3 protocol.

I will close this bug as NOT A BUG.
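The check a practitioner would want before rolling an IPv6 ruleset onto an EL-5 host is a lint for exactly the mistake described in the comment above: any `-m state` rule in /etc/sysconfig/ip6tables will never match on the 2.6.18 kernel. The script below is an added example, not part of the bug report or of the iptables package. It assumes the ruleset is in ip6tables-save format (the format of /etc/sysconfig/ip6tables), works purely on the text (it does not talk to the kernel), and uses a constructed sample ruleset modelled on the default RH-Firewall-1-INPUT chain. The rewrite only handles the ESTABLISHED,RELATED line, substituting the two rules given in the comment; any other `--state` rule is reported but left for manual review.

```shell
#!/bin/sh
# Added example: lint an ip6tables-save style ruleset for "-m state" rules,
# which the RHEL-5 (2.6.18) kernel cannot evaluate for IPv6, and rewrite the
# ESTABLISHED,RELATED rule into the two port-range rules from the bug comment.

# Constructed sample ruleset in /etc/sysconfig/ip6tables format (not from the report).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-icmp -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT'

# check_ruleset RULESET
#   Prints every rule that uses the state match and returns 1 if any were
#   found; returns 0 for a ruleset that is safe on an EL-5 kernel.
check_ruleset() {
    if printf '%s\n' "$1" | grep -E -e '(^| )-m state( |$)'; then
        return 1
    fi
    return 0
}

# rewrite_ruleset RULESET
#   Emits the ruleset with each "-m state --state ESTABLISHED,RELATED -j ACCEPT"
#   rule replaced by the two rules recommended in the bug comment, keeping the
#   original chain name. All other lines pass through unchanged.
rewrite_ruleset() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            -A\ *'-m state --state ESTABLISHED,RELATED -j ACCEPT')
                chain=${line#-A }
                chain=${chain%% *}
                printf '%s\n' "-A $chain -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT"
                printf '%s\n' "-A $chain -p udp -m udp --dport 32768:61000 -j ACCEPT"
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done
}

# Stand-alone usage: lint the sample and show the corrected ruleset if needed.
if check_ruleset "$SAMPLE_RULES" >/dev/null; then
    echo "ruleset contains no state rules"
else
    echo "state match found (ignored on EL-5 IPv6); rewritten ruleset:"
    rewrite_ruleset "$SAMPLE_RULES"
fi
```

To lint a real host, pass `"$(cat /etc/sysconfig/ip6tables)"` or `"$(ip6tables-save)"` in place of `$SAMPLE_RULES`; the functions never modify the file, so the rewritten output should be reviewed and then installed with `ip6tables-restore` or by editing /etc/sysconfig/ip6tables.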