Bug 76367 - initscripts try to delete built-in chains
initscripts try to delete built-in chains
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: iptables (Show other bugs)
7.3
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: wdovlrrw
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2002-10-20 19:12 EDT by Michael Schwendt
Modified: 2007-04-18 12:47 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-01-13 16:51:22 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch against iptables-1.2.5-3 package (4.29 KB, patch)
2002-12-24 15:20 EST, Michael Schwendt
no flags Details | Diff
_complete_ patch against iptables-1.2.5-3 package (4.42 KB, patch)
2002-12-24 15:27 EST, Michael Schwendt
no flags Details | Diff
patch including fix for bug #75723 (5.04 KB, patch)
2002-12-24 15:58 EST, Michael Schwendt
no flags Details | Diff

  None (edit)
Description Michael Schwendt 2002-10-20 19:12:40 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:
Both the iptables and ip6tables initscripts try to delete built-in chains in the
"panic" function:

        iftable filter -X INPUT && \
                iftable filter -X FORWARD && \
                iftable filter -X OUTPUT && \
                iftable nat -X PREROUTING && \
                iftable nat -X POSTROUTING && \
                iftable nat -X OUTPUT && \
                iftable mangle -X PREROUTING && \
                iftable mangle -X OUTPUT && \
                success $"Removing user defined chains:" || \
                failure $"Removing user defined chains:"

That is impossible and gives an error.  Built-in chains cannot be deleted.

All flushed user-defined chains in a table can be deleted at once with just
"iptables -X", e.g. "iptables -t filter -X"  or "iptables -t nat -X". So, most
likely that is what the script should do instead.


Version-Release number of selected component (if applicable):
1.2.5-3 (Valhalla) and 1.2.6-2 (Psyche)

How reproducible:
Always

Steps to Reproduce:
1. service iptables panic

The same result with service ip6tables.


Actual Results:  # service iptables panic
Changing target policies to DROP:                          [  OK  ]
iptables: Can't delete built-in chain                      [  OK  ]
[root@localhost root]#                                     [FAILED]


Expected Results:  # service iptables panic
Changing target policies to DROP:                          [  OK  ]
[root@localhost root]#                                     [  OK  ]


Additional info (!):

The second OK/FAILED status output is on the wrong line, because the
echo/success/failure description string is missing in the script.
Comment 1 Michael Schwendt 2002-12-24 15:20:54 EST
Created attachment 88897 [details]
patch against iptables-1.2.5-3 package
Comment 2 Michael Schwendt 2002-12-24 15:27:24 EST
Created attachment 88898 [details]
_complete_ patch against iptables-1.2.5-3 package
Comment 3 Michael Schwendt 2002-12-24 15:58:41 EST
Created attachment 88899 [details]
patch including fix for bug #75723

The patch includes fixes for bug #75723.
Comment 4 Bill Nottingham 2003-01-13 16:51:22 EST
should be fixed in 1.2.7a-1.

Note You need to log in before you can comment on or make changes to this bug.