Bug 98241 - (presumably buggy) depmod causes iptables firewall not to work
Status: CLOSED RAWHIDE
Product: Red Hat Linux Beta
Classification: Retired
Component: kernel
Version: alpha 3
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Arjan van de Ven
QA Contact: Brian Brock
Keywords: Security
Duplicates: 90647 100428 100763
Blocks: CambridgeTarget
Reported: 2003-06-28 17:50 EDT by Nils Philippsen
Modified: 2007-04-18 12:55 EDT

Doc Type: Bug Fix
Last Closed: 2003-09-08 05:14:07 EDT


Description Nils Philippsen 2003-06-28 17:50:16 EDT
Description of problem:

depmod messes up modules.dep, e.g. it builds this entry:

/lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o: /lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ip_tables.o \
        /lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ip_conntrack.o \
        /lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ipchains.o

Obviously, the ipchains dependency is wrong (it should depend on iptable_nat
instead). This causes iptables-restore to fail (on MASQUERADE targets), which in
turn leaves the machine without a packet filter.

Version-Release number of selected component (if applicable):

modutils-2.4.25-6
kernel-2.4.20-20.1.2013.nptl
glibc-2.3.2-57

How reproducible:

reproducible

Steps to Reproduce:
1. depmod -a
2. modprobe ipt_MASQUERADE
3. or: service iptables start
    
Actual results:

iptables firewall doesn't get loaded

Expected results:

iptables firewall gets loaded
Comment 1 Nils Philippsen 2003-06-28 18:00:12 EDT
The error shows also with modutils as old as 2.4.18-2, but only with newer
kernels, e.g. not with 2.4.20-18.9, but with all of these:

kernel-2.4.20-20.1.2013.nptl
kernel-2.4.20-20.1.2007.nptl
kernel-2.4.20-20.1.2005.nptl
Comment 2 Nils Philippsen 2003-06-28 18:09:32 EDT
Forgot to mention that when insmodding the modules by hand (in the correct
order), everything works fine (substituting ipchains with iptables_nat of course).
Comment 3 Bill Nottingham 2003-06-30 12:12:40 EDT
ipchains is exporting symbols, it probably shouldn't be.
Comment 4 Nils Philippsen 2003-07-08 19:51:07 EDT
Still the case with 2.4.21-1.2023:

/lib/modules/2.4.21-1.2023/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o: /lib/modules/2.4.21-1.2023/kernel/net/ipv4/netfilter/ip_tables.o \
        /lib/modules/2.4.21-1.2023/kernel/net/ipv4/netfilter/ipchains.o \
        /lib/modules/2.4.21-1.2023/kernel/net/ipv4/netfilter/ip_conntrack.o
Comment 6 Pekka Pietikäinen 2003-07-22 08:29:03 EDT
*** Bug 90647 has been marked as a duplicate of this bug. ***
Comment 7 Pekka Pietikäinen 2003-07-22 08:32:49 EDT
As I mentioned in #90647, nuking ipchains.o and ipfwadm.o and rerunning depmod -a 
is a workaround for this bug.
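
A check for the condition this report describes, as an added example that is not part of the original bug thread: it parses modules.dep text (backslash-continued entries, as quoted in the description) and flags any module that lists ipchains.o or ipfwadm.o, the two modules named in comment 7, as a dependency. The function names and the sample entry are constructed for illustration; the module directory is the one quoted in the description.

```python
import os
import sys

# Legacy packet-filter modules named in the report and in comment 7.
LEGACY = {"ipchains.o", "ipfwadm.o"}

# Constructed sample in modules.dep layout, modelled on the reported entry.
D = "/lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/"
SAMPLE = """\
@ip_tables.o:

@ipt_MASQUERADE.o: @ip_tables.o \\
        @ip_conntrack.o \\
        @ipchains.o
""".replace("@", D)

def parse_modules_dep(text):
    """Return {module_path: [dependency_paths]}; a trailing backslash continues an entry."""
    deps, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            logical += line[:-1] + " "   # join the continuation onto the entry
            continue
        logical += line
        if ":" in logical:
            target, _, rest = logical.partition(":")
            deps[target.strip()] = rest.split()
        logical = ""
    return deps

def legacy_filter_deps(deps):
    """Return {module: [legacy deps]} for modules that list a LEGACY module as a dependency."""
    findings = {}
    for target, wanted in deps.items():
        bad = [os.path.basename(d) for d in wanted if os.path.basename(d) in LEGACY]
        if bad and os.path.basename(target) not in LEGACY:
            findings[os.path.basename(target)] = bad
    return findings

if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    found = legacy_filter_deps(parse_modules_dep(text))
    for mod, bad in sorted(found.items()):
        print(f"{mod}: depends on {', '.join(bad)}")
    sys.exit(1 if found else 0)
```

Given the path to a modules.dep file as its argument, the script exits non-zero when it finds such an entry, so it can run after `depmod -a` and before the firewall is started.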
Comment 8 Nils Philippsen 2003-07-25 02:06:08 EDT
Why isn't this considered a blocker bug for Cambridge (#100643)? After all this
_is_ a security issue.
Comment 9 Gerald Teschl 2003-07-26 08:47:09 EDT
*** Bug 100428 has been marked as a duplicate of this bug. ***
Comment 10 Gerald Teschl 2003-07-26 08:48:30 EDT
*** Bug 100763 has been marked as a duplicate of this bug. ***
Comment 11 Nils Philippsen 2003-09-08 05:14:07 EDT
Fixed in kernel-2.4.22-1.2030.nptl
Comment 12 Alexandre Oliva 2003-09-08 08:05:00 EDT
Err....  -1.2030?  That's a lower version number than -20.1.2024.2.36, that
still has the problem.  Isn't the `20.' missing in this versioning scheme?
Comment 13 Dave Jones 2003-09-08 09:56:17 EDT
It's deliberate. The -20 was bogus.
