Bug 867960 - upgraded systems loses their iptables firewall
Summary: upgraded systems loses their iptables firewall
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: iptables
Version: 18
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F18Blocker, F18FinalBlocker
TreeView+ depends on / blocked
 
Reported: 2012-10-18 17:01 UTC by Mads Kiilerich
Modified: 2012-12-13 22:01 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-13 22:01:50 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Mads Kiilerich 2012-10-18 17:01:29 UTC 
iptables.service has been split out to iptables-services-1.4.16.2-3.fc18 (with some reference to Bug 862922 - RFE: rework service packaging). That is probably ok now when we have firewalld. (It is however misleading that /etc/sysconfig/iptables-config is in iptables - it seems like it belongs in -services.)

But AFAICS it is a critical problem that upgraded systems will get iptables-1.4.16.2-3.fc18.x86_64 without iptables.services and thus no longer get their firewall rules applied. That could compromise system security or availability.

I would expect that some rpm magic was applied so systems upgraded from iptables < 18 also got iptables-services.

I don't know if anaconda will handle this somehow, but it seems to me like it would be NTH.
Comment 1 Fedora Update System 2012-11-02 13:33:57 UTC 
iptables-1.4.16.2-4.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/iptables-1.4.16.2-4.fc18
Comment 2 Mads Kiilerich 2012-11-02 13:44:37 UTC 
http://pkgs.fedoraproject.org/cgit/iptables.git/commit/?id=dd96cc55858e1fbd66f07a9e383c49bd4e79c701

* Fri Nov 02 2012 Thomas Woerner <twoerner> 1.4.16.2-4 
- fixed missing services for update of pre F-18 installations (rhbz#867960) 
- provide and obsolete old main package in services sub package 
- provide and obsolete old ipv6 sub package (pre F-17) in services sub package
Comment 3 Fedora Update System 2012-11-02 18:44:04 UTC 
Package iptables-1.4.16.2-4.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing iptables-1.4.16.2-4.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17528/iptables-1.4.16.2-4.fc18
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2012-11-09 03:17:54 UTC 
Package iptables-1.4.16.2-5.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing iptables-1.4.16.2-5.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17528/iptables-1.4.16.2-5.fc18
then log in and leave karma (feedback).
Comment 5 Tim Flink 2012-11-30 19:19:34 UTC 
This has been ON_QA for almost a month now, has anyone tested the fix to see if this has been fixed?
Comment 6 Adam Williamson 2012-12-13 22:01:50 UTC 
Looks fixed to me. I just tested a yum upgrade of a minimal F17 install to F18. iptables-services is installed after upgrade, 'systemctl status iptables.service' shows it successfully loaded during boot, and 'iptables -L' shows what looks like a working firewall config. Setting closed, as the update went stable long ago.
Note You need to log in before you can comment on or make changes to this bug.