Bug 76367 - initscripts try to delete built-in chains
Summary: initscripts try to delete built-in chains
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: iptables
Version: 7.3
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: wdovlrrw
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-10-20 23:12 UTC by Michael Schwendt
Modified: 2007-04-18 16:47 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2003-01-13 21:51:22 UTC
Embargoed:


Attachments (Terms of Use)
patch against iptables-1.2.5-3 package (4.29 KB, patch)
2002-12-24 20:20 UTC, Michael Schwendt
no flags Details | Diff
_complete_ patch against iptables-1.2.5-3 package (4.42 KB, patch)
2002-12-24 20:27 UTC, Michael Schwendt
no flags Details | Diff
patch including fix for bug #75723 (5.04 KB, patch)
2002-12-24 20:58 UTC, Michael Schwendt
no flags Details | Diff

Description Michael Schwendt 2002-10-20 23:12:40 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:
Both the iptables and ip6tables initscripts try to delete built-in chains in the
"panic" function:

        iftable filter -X INPUT && \
                iftable filter -X FORWARD && \
                iftable filter -X OUTPUT && \
                iftable nat -X PREROUTING && \
                iftable nat -X POSTROUTING && \
                iftable nat -X OUTPUT && \
                iftable mangle -X PREROUTING && \
                iftable mangle -X OUTPUT && \
                success $"Removing user defined chains:" || \
                failure $"Removing user defined chains:"

That is impossible and gives an error.  Built-in chains cannot be deleted.

All flushed user-defined chains in a table can be deleted at once with just
"iptables -X", e.g. "iptables -t filter -X"  or "iptables -t nat -X". So, most
likely that is what the script should do instead.


Version-Release number of selected component (if applicable):
1.2.5-3 (Valhalla) and 1.2.6-2 (Psyche)

How reproducible:
Always

Steps to Reproduce:
1. service iptables panic

The same result with service ip6tables.


Actual Results:  # service iptables panic
Changing target policies to DROP:                          [  OK  ]
iptables: Can't delete built-in chain                      [  OK  ]
[root@localhost root]#                                     [FAILED]


Expected Results:  # service iptables panic
Changing target policies to DROP:                          [  OK  ]
[root@localhost root]#                                     [  OK  ]


Additional info (!):

The second OK/FAILED status output is on the wrong line, because the
echo/success/failure description string is missing in the script.

Comment 1 Michael Schwendt 2002-12-24 20:20:54 UTC
Created attachment 88897 [details]
patch against iptables-1.2.5-3 package

Comment 2 Michael Schwendt 2002-12-24 20:27:24 UTC
Created attachment 88898 [details]
_complete_ patch against iptables-1.2.5-3 package

Comment 3 Michael Schwendt 2002-12-24 20:58:41 UTC
Created attachment 88899 [details]
patch including fix for bug #75723

The patch includes fixes for bug #75723.

Comment 4 Bill Nottingham 2003-01-13 21:51:22 UTC
should be fixed in 1.2.7a-1.


Note You need to log in before you can comment on or make changes to this bug.