Bug 730061 - iptables shutdown error when ip6tables running
Summary: iptables shutdown error when ip6tables running
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: iptables
Version: 5.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: rc
Assignee: iptables-maint-list
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-08-11 16:31 UTC by John G. Myers
Modified: 2011-08-18 08:20 UTC

Fixed In Version: 6.0
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-18 08:20:11 UTC
Target Upstream Version:
Embargoed:


Attachments
/etc/sysconfig/iptables (2.73 KB, text/plain)
2011-08-17 19:42 UTC, John G. Myers
/etc/sysconfig/ip6tables (583 bytes, text/plain)
2011-08-17 19:43 UTC, John G. Myers

Description John G. Myers 2011-08-11 16:31:44 UTC
Description of problem:

Stopping iptables when ip6tables is running results in a failure message

Version-Release number of selected component (if applicable):

iptables-1.3.5-5.3.el5_4.1

How reproducible: Always


Steps to Reproduce:
1. Configure IPv6, iptables, and ip6tables
2. /etc/init.d/ip6tables start
3. /etc/init.d/iptables stop
  
Actual results:

# /etc/init.d/iptables stop
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: raw filter nat            [  OK  ]
Unloading iptables modules:                                [FAILED]

Expected results:

# /etc/init.d/iptables stop
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: raw filter nat            [  OK  ]
Unloading iptables modules:                                [  OK  ]

Additional info:

iptables should not (complain about failure to) unload ip_conntrack when it is still in use by ip6tables.

Comment 1 Thomas Woerner 2011-08-12 07:20:49 UTC
Please add the firewall configuration for iptables and ip6tables as a private comment (from the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, or the output of the commands iptables-save and ip6tables-save).
Please also add the values of IPTABLES_MODULES and IP6TABLES_MODULES from /etc/sysconfig/iptables-config and /etc/sysconfig/ip6tables-config.
Thanks

Comment 2 John G. Myers 2011-08-17 19:42:44 UTC
Created attachment 518743
/etc/sysconfig/iptables

Comment 3 John G. Myers 2011-08-17 19:43:10 UTC
Created attachment 518744
/etc/sysconfig/ip6tables

Comment 4 John G. Myers 2011-08-17 19:45:04 UTC
Does not reproduce in 6.0.

Comment 5 Thomas Woerner 2011-08-18 08:20:11 UTC
The problem is the use of state in the IPv6 firewall. Connection tracking in the 2.6.18 kernel in EL-5 does not support IPv6. Please have a look at #243739 and #212839 for more information.

You need to replace the state line in the IPv6 firewall by this:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT

This is a known limitation of the RHEL-5 kernel and cannot be changed. The state rule in your IPv6 firewall is not working and all packets are marked INVALID.

Here is an excerpt from the RELEASE_NOTES of EL-5:

  o Added nf_conntrack subsystem (2.6.15)

    o The existing connection tracking subsystem in netfilter can only handle
      ipv4. There were two choices present to add connection tracking support
      for ipv6; either duplicate all of the ipv4 connection tracking code into
      an ipv6 counterpart, or (the choice taken by these patches) design a
      generic layer that could handle both ipv4 and ipv6 and thus requiring
      only one sub-protocol (TCP, UDP, etc.) connection tracking helper module
      to be written. In fact, nf_conntrack is capable of working with any
      layer 3 protocol.

I will close this bug as NOT A BUG.
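An added example, not part of the bug report or of Red Hat's scripts: a small POSIX shell audit that counts connection-state matches in an ip6tables-save style ruleset and rewrites them into the stateless form suggested in comment 5. The sample ruleset is constructed (the real attachment is not shown), and the handling of "--state NEW" rules is an assumption that goes beyond the comment: with no IPv6 connection tracking on the EL-5 kernel, every packet is INVALID, so a NEW match can never succeed either and is simply dropped from the rule.

```shell
#!/bin/sh
# Added example: find rules in an IPv6 ruleset that depend on connection tracking
# (unusable on the 2.6.18 EL-5 kernel) and emit a stateless equivalent.

# Constructed sample in the /etc/sysconfig/ip6tables format, not the reporter's file.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-icmp -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT'

# Number of rules in $1 that use the state or conntrack match.
count_state_rules() {
    printf '%s\n' "$1" | grep -E -c -- '-m (state|conntrack)( |$)' || true
}

# Stateless replacement for the ESTABLISHED,RELATED rule in chain $1, as given in
# comment 5: return traffic to the 32768:61000 ephemeral range, non-SYN TCP plus UDP.
stateless_replacement() {
    printf '%s\n' "-A $1 -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT"
    printf '%s\n' "-A $1 -p udp -m udp --dport 32768:61000 -j ACCEPT"
}

# Read a ruleset on stdin, write the stateless equivalent on stdout.
# Assumption beyond comment 5: "-m state --state NEW" can never match without
# IPv6 conntrack, so it is removed and the rest of the rule is kept.
make_stateless() {
    while IFS= read -r line; do
        case "$line" in
            *'-m state --state ESTABLISHED,RELATED'*)
                chain=${line#-A }
                stateless_replacement "${chain%% *}" ;;
            *'-m state --state NEW '*)
                printf '%s\n' "$line" | sed 's/-m state --state NEW //' ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

echo "state-dependent rules found: $(count_state_rules "$SAMPLE_RULES")"
printf '%s\n' "$SAMPLE_RULES" | make_stateless
```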

