Bug 75723 - Resetting built-in chains to the default ACCEPT policy do not include all the chains from 'mangle' table
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: iptables
Version: 7.3
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: wdovlrrw
QA Contact: Ben Levenson
URL: http://prawo.uni.wroc.pl/~konrad/ipta...
Reported: 2002-10-11 15:31 UTC by Konrad Zak
Modified: 2007-04-18 16:47 UTC (History)

Doc Type: Bug Fix
Last Closed: 2003-01-13 21:48:57 UTC

Attachments
fixed iptables starting script (5.54 KB, text/plain)
2002-10-11 15:44 UTC, Konrad Zak

Description Konrad Zak 2002-10-11 15:31:05 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.1) Gecko/20020826

Description of problem:
Resetting built-in chains to the default ACCEPT policy with 'service iptables
stop' causes 3 of the 5 chains in the 'mangle' table to stay at their previously
set default policy, e.g. DROP.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. iptables -t mangle -P INPUT DROP
2. iptables -t mangle -P FORWARD DROP
3. iptables -t mangle -P POSTROUTING DROP
4. service iptables stop
5. iptables -t mangle -L


Actual Results: 3 of the 5 built-in chains in the 'mangle' table do not get back
to the default ACCEPT policy when stopping the iptables service.

Expected Results: The default policy of the 'mangle' table built-in chains should
be set to ACCEPT in /etc/init.d/iptables. I modified the /etc/init.d/iptables
script to resolve the problem. I put a link to the fixed script in the URL field
of the bug form.

Additional info:

The same applies to ip6tables (iptables-ipv6 rpm package).
Under the file name ip6tables instead of iptables in the URL I provided, you'll
find the fixed /etc/init.d/ip6tables script.
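
A check for the condition reported above, as an added example that is not part of the original report or of the Red Hat initscript: it reads `iptables-save` format on stdin and lists every built-in chain whose policy is not ACCEPT. The function names are hypothetical, and the sample input is constructed to match the reproduction steps.

```shell
#!/bin/sh
# Added example (not from the bug report): find built-in chains whose
# default policy was left at something other than ACCEPT.

# Reads iptables-save format on stdin and prints "table chain policy"
# for each offending built-in chain.
stale_policies() {
    awk '
        /^\*/ { table = substr($1, 2); next }   # "*mangle" opens a table
        /^:/  {
            chain = substr($1, 2); policy = $2
            # user-defined chains carry "-" in place of a policy
            if (policy != "-" && policy != "ACCEPT")
                print table, chain, policy
        }
    '
}

# Constructed sample: the state after "service iptables stop" with the
# unpatched script, following the reproduction steps in this report.
sample_after_stop() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING DROP [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:EXAMPLE-USER-CHAIN - [0:0]
COMMIT
EOF
}

# Runs offline against the constructed sample.
sample_after_stop | stale_policies
```

On a live host, pipe `iptables-save` into `stale_policies` after stopping the service; empty output means every built-in chain is back at ACCEPT.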

Comment 1 Konrad Zak 2002-10-11 15:44:20 UTC
Created attachment 80004
fixed iptables starting script

Comment 2 Michael Schwendt 2002-10-20 17:02:47 UTC
Red Hat Linux 8.0 is affected, too.

--- iptables.orig       Wed Aug  7 16:34:38 2002
+++ iptables    Sun Oct 20 18:59:52 2002
@@ -117,7 +117,10 @@
           iftable nat -P POSTROUTING ACCEPT && \
           iftable nat -P OUTPUT ACCEPT && \
            iftable mangle -P PREROUTING ACCEPT && \
+           iftable mangle -P POSTROUTING ACCEPT && \
+           iftable mangle -P INPUT ACCEPT && \
            iftable mangle -P OUTPUT ACCEPT && \
+           iftable mangle -P FORWARD ACCEPT && \
           success || \
           failure 
        echo
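
Review bot: The added resets sit inside the existing `&& \` chain, and two of them (`iftable mangle -P POSTROUTING ACCEPT` and `iftable mangle -P INPUT ACCEPT`) now run before the pre-existing `iftable mangle -P OUTPUT ACCEPT`. The mangle table only has INPUT, FORWARD and POSTROUTING chains on kernels 2.4.18 and later, so on an older kernel the first new line can fail, short-circuit the chain, and leave mangle OUTPUT un-reset where the unpatched script would have reset it; whether `iftable` tolerates a missing chain is not visible in this hunk. Consider appending the three new resets after the OUTPUT line, or running each reset independently and reporting `failure` once at the end, so that one error does not skip the remaining chains. The description says the ip6tables initscript has the same gap, so it needs the matching change.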

Comment 3 Michael Schwendt 2002-12-24 21:02:57 UTC
While updating my iptables packages for Psyche and Valhalla, I added patched
iptables initscripts to bug #76367.

Comment 4 Bill Nottingham 2003-01-13 21:48:57 UTC
fixed in iptables-1.2.7a-1.

