Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 76367

Summary: initscripts try to delete built-in chains
Product: [Retired] Red Hat Linux Reporter: Michael Schwendt <bugs.michael>
Component: iptablesAssignee: wdovlrrw <brosenkr>
Status: CLOSED RAWHIDE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2003-01-13 21:51:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
patch against iptables-1.2.5-3 package
none
_complete_ patch against iptables-1.2.5-3 package
none
patch including fix for bug #75723 none

Description Michael Schwendt 2002-10-20 23:12:40 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:
Both the iptables and ip6tables initscripts try to delete built-in chains in the
"panic" function:

        iftable filter -X INPUT && \
                iftable filter -X FORWARD && \
                iftable filter -X OUTPUT && \
                iftable nat -X PREROUTING && \
                iftable nat -X POSTROUTING && \
                iftable nat -X OUTPUT && \
                iftable mangle -X PREROUTING && \
                iftable mangle -X OUTPUT && \
                success $"Removing user defined chains:" || \
                failure $"Removing user defined chains:"

That is impossible and gives an error.  Built-in chains cannot be deleted.

All flushed user-defined chains in a table can be deleted at once with just
"iptables -X", e.g. "iptables -t filter -X"  or "iptables -t nat -X". So, most
likely that is what the script should do instead.


Version-Release number of selected component (if applicable):
1.2.5-3 (Valhalla) and 1.2.6-2 (Psyche)

How reproducible:
Always

Steps to Reproduce:
1. service iptables panic

The same result with service ip6tables.


Actual Results:  # service iptables panic
Changing target policies to DROP:                          [  OK  ]
iptables: Can't delete built-in chain                      [  OK  ]
[root@localhost root]#                                     [FAILED]


Expected Results:  # service iptables panic
Changing target policies to DROP:                          [  OK  ]
[root@localhost root]#                                     [  OK  ]


Additional info (!):

The second OK/FAILED status output is on the wrong line, because the
echo/success/failure description string is missing in the script.
Comment 1 Michael Schwendt 2002-12-24 20:20:54 UTC 
Created attachment 88897 [details]
patch against iptables-1.2.5-3 package
Comment 2 Michael Schwendt 2002-12-24 20:27:24 UTC 
Created attachment 88898 [details]
_complete_ patch against iptables-1.2.5-3 package
Comment 3 Michael Schwendt 2002-12-24 20:58:41 UTC 
Created attachment 88899 [details]
patch including fix for bug #75723

The patch includes fixes for bug #75723.
Comment 4 Bill Nottingham 2003-01-13 21:51:22 UTC 
should be fixed in 1.2.7a-1.