Bug 867960 - upgraded systems loses their iptables firewall
upgraded systems loses their iptables firewall
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: iptables (Show other bugs)
18
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Thomas Woerner
Fedora Extras Quality Assurance
:
Depends On:
Blocks: F18Blocker/F18FinalBlocker
  Show dependency treegraph
 
Reported: 2012-10-18 13:01 EDT by Mads Kiilerich
Modified: 2012-12-13 17:01 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-13 17:01:50 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Mads Kiilerich 2012-10-18 13:01:29 EDT
iptables.service has been split out to iptables-services-1.4.16.2-3.fc18 (with some reference to Bug 862922 - RFE: rework service packaging). That is probably ok now when we have firewalld. (It is however misleading that /etc/sysconfig/iptables-config is in iptables - it seems like it belongs in -services.)

But AFAICS it is a critical problem that upgraded systems will get iptables-1.4.16.2-3.fc18.x86_64 without iptables.services and thus no longer get their firewall rules applied. That could compromise system security or availability.

I would expect that some rpm magic was applied so systems upgraded from iptables < 18 also got iptables-services.

I don't know if anaconda will handle this somehow, but it seems to me like it would be NTH.
Comment 1 Fedora Update System 2012-11-02 09:33:57 EDT
iptables-1.4.16.2-4.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/iptables-1.4.16.2-4.fc18
Comment 2 Mads Kiilerich 2012-11-02 09:44:37 EDT
http://pkgs.fedoraproject.org/cgit/iptables.git/commit/?id=dd96cc55858e1fbd66f07a9e383c49bd4e79c701

* Fri Nov 02 2012 Thomas Woerner <twoerner@redhat.com> 1.4.16.2-4 
- fixed missing services for update of pre F-18 installations (rhbz#867960) 
- provide and obsolete old main package in services sub package 
- provide and obsolete old ipv6 sub package (pre F-17) in services sub package
Comment 3 Fedora Update System 2012-11-02 14:44:04 EDT
Package iptables-1.4.16.2-4.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing iptables-1.4.16.2-4.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17528/iptables-1.4.16.2-4.fc18
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2012-11-08 22:17:54 EST
Package iptables-1.4.16.2-5.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing iptables-1.4.16.2-5.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17528/iptables-1.4.16.2-5.fc18
then log in and leave karma (feedback).
Comment 5 Tim Flink 2012-11-30 14:19:34 EST
This has been ON_QA for almost a month now, has anyone tested the fix to see if this has been fixed?
Comment 6 Adam Williamson 2012-12-13 17:01:50 EST
Looks fixed to me. I just tested a yum upgrade of a minimal F17 install to F18. iptables-services is installed after upgrade, 'systemctl status iptables.service' shows it successfully loaded during boot, and 'iptables -L' shows what looks like a working firewall config. Setting closed, as the update went stable long ago.

Note You need to log in before you can comment on or make changes to this bug.