Bug 98241 - (presumably buggy) depmod causes iptables firewall not to work
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux Beta
Classification: Retired
Component: kernel
Version: alpha 3
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Arjan van de Ven
QA Contact: Brian Brock
URL:
Whiteboard:
Duplicates: 90647 100428 100763
Depends On:
Blocks: CambridgeTarget
Reported: 2003-06-28 21:50 UTC by Nils Philippsen
Modified: 2007-04-18 16:55 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2003-09-08 09:14:07 UTC
Embargoed:


Description Nils Philippsen 2003-06-28 21:50:16 UTC
Description of problem:

depmod messes up modules.dep, e.g. it builds this entry:

/lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o:
/lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ip_tables.o \
        /lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ip_conntrack.o \
        /lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ipchains.o

Obviously, the ipchains dependency is wrong (it should depend on iptable_nat
instead). This causes iptables-restore to fail (on MASQUERADE targets), which in
turn leaves the machine without a packet filter.

Version-Release number of selected component (if applicable):

modutils-2.4.25-6
kernel-2.4.20-20.1.2013.nptl
glibc-2.3.2-57

How reproducible:

reproducible

Steps to Reproduce:
1. depmod -a
2. modprobe ipt_MASQUERADE
3. or: service iptables start
    
Actual results:

iptables firewall doesn't get loaded

Expected results:

iptables firewall gets loaded

Comment 1 Nils Philippsen 2003-06-28 22:00:12 UTC
The error shows also with modutils as old as 2.4.18-2, but only with newer
kernels, e.g. not with 2.4.20-18.9, but with all of these:

kernel-2.4.20-20.1.2013.nptl
kernel-2.4.20-20.1.2007.nptl
kernel-2.4.20-20.1.2005.nptl

Comment 2 Nils Philippsen 2003-06-28 22:09:32 UTC
Forgot to mention that when insmodding the modules by hand (in the correct
order), everything works fine (substituting ipchains with iptables_nat of course).

Comment 3 Bill Nottingham 2003-06-30 16:12:40 UTC
ipchains is exporting symbols, it probably shouldn't be.

Comment 4 Nils Philippsen 2003-07-08 23:51:07 UTC
Still the case with 2.4.21-1.2023:

/lib/modules/2.4.21-1.2023/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o: 
/lib/modules/2.4.21-1.2023/kernel/net/ipv4/netfilter/ip_tables.o \
        /lib/modules/2.4.21-1.2023/kernel/net/ipv4/netfilter/ipchains.o \
        /lib/modules/2.4.21-1.2023/kernel/net/ipv4/netfilter/ip_conntrack.o


Comment 6 Pekka Pietikäinen 2003-07-22 12:29:03 UTC
*** Bug 90647 has been marked as a duplicate of this bug. ***

Comment 7 Pekka Pietikäinen 2003-07-22 12:32:49 UTC
As I mentioned in #90647, nuking ipchains.o and ipfwadm.o and rerunning depmod -a 
is a workaround for this bug.
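
Added example, not part of the bug thread and not Red Hat's code: a shell check that parses a modules.dep in the layout quoted above and reports every module whose dependency list includes ipchains.o or ipfwadm.o, the two files named in comment 7. The function name find_legacy_fw_deps and the sample file (with the placeholder kernel version KVER) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list modules.dep entries that depend on ipchains.o or ipfwadm.o.

# find_legacy_fw_deps FILE
# Prints "module: dependency" per offending entry; returns 1 if any was found.
find_legacy_fw_deps() {
    awk '
    function base(p) { sub(/^.*\//, "", p); return p }
    function check(e,    f, n, i, t) {
        n = split(e, f, " ")                  # whitespace-separated paths
        if (n < 2 || f[1] !~ /:$/) return     # no dependencies listed
        t = f[1]; sub(/:$/, "", t); t = base(t)
        if (t == "ipchains.o" || t == "ipfwadm.o") return
        for (i = 2; i <= n; i++)
            if (base(f[i]) == "ipchains.o" || base(f[i]) == "ipfwadm.o") {
                print t ": " base(f[i]); bad = 1
            }
    }
    {
        line = $0
        cont = sub(/\\[ \t]*$/, "", line)     # trailing backslash = continuation
        entry = entry " " line
        if (cont) next
        check(entry); entry = ""
    }
    END { if (entry != "") check(entry); exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample in the modules.dep layout shown in this report.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/lib/modules/KVER/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o: /lib/modules/KVER/kernel/net/ipv4/netfilter/ip_tables.o \
        /lib/modules/KVER/kernel/net/ipv4/netfilter/ip_conntrack.o \
        /lib/modules/KVER/kernel/net/ipv4/netfilter/ipchains.o

/lib/modules/KVER/kernel/net/ipv4/netfilter/iptable_filter.o: /lib/modules/KVER/kernel/net/ipv4/netfilter/ip_tables.o
EOF

find_legacy_fw_deps "$sample" ||
    echo "modules.dep lists ipchains/ipfwadm dependencies; check before starting iptables" >&2
```

Pointed at /lib/modules/$(uname -r)/modules.dep after depmod -a, a non-zero exit flags the condition described in this report before the iptables service is started.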

Comment 8 Nils Philippsen 2003-07-25 06:06:08 UTC
Why isn't this considered a blocker bug for Cambridge (#100643)? After all this
_is_ a security issue.

Comment 9 Gerald Teschl 2003-07-26 12:47:09 UTC
*** Bug 100428 has been marked as a duplicate of this bug. ***

Comment 10 Gerald Teschl 2003-07-26 12:48:30 UTC
*** Bug 100763 has been marked as a duplicate of this bug. ***

Comment 11 Nils Philippsen 2003-09-08 09:14:07 UTC
Fixed in kernel-2.4.22-1.2030.nptl

Comment 12 Alexandre Oliva 2003-09-08 12:05:00 UTC
Err....  -1.2030?  That's a lower version number than -20.1.2024.2.36, that
still has the problem.  Isn't the `20.' missing in this versioning scheme?

Comment 13 Dave Jones 2003-09-08 13:56:17 UTC
It's deliberate. The -20 was bogus.
