Bug 98241 - (presumably buggy) depmod causes iptables firewall not to work
Summary: (presumably buggy) depmod causes iptables firewall not to work
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux Beta
Classification: Retired
Component: kernel   
(Show other bugs)
Version: alpha 3
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Arjan van de Ven
QA Contact: Brian Brock
URL:
Whiteboard:
Keywords: Security
: 90647 100428 100763 (view as bug list)
Depends On:
Blocks: CambridgeTarget
TreeView+ depends on / blocked
 
Reported: 2003-06-28 21:50 UTC by Nils Philippsen
Modified: 2007-04-18 16:55 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-09-08 09:14:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Nils Philippsen 2003-06-28 21:50:16 UTC
Description of problem:

depmod messes up modules.dep, e.g. it build this entry:

/lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o:
/lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ip_tables.o \
       
/lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ip_conntrack.o \
        /lib/modules/2.4.20-20.1.2013.nptl/kernel/net/ipv4/netfilter/ipchains.o

Obviously, the ipchains dependancy is wrong (it should depend on iptable_nat
instead). This causes iptables-restore to fail (on MASQUERADE targets), which in
turn leaves the machine without a packet filter.

Version-Release number of selected component (if applicable):

modutils-2.4.25-6
kernel-2.4.20-20.1.2013.nptl
glibc-2.3.2-57

How reproducible:

reproducible

Steps to Reproduce:
1. depmod -a
2. modprobe ipt_MASQUERADE
3. or: service iptables start
    
Actual results:

iptables firewall doesn't get loaded

Expected results:

iptables firewall gets loaded

Comment 1 Nils Philippsen 2003-06-28 22:00:12 UTC
The error shows also with modutils as old as 2.4.18-2, but only with newer
kernels, e.g. not with 2.4.20-18.9, but with all of these:

kernel-2.4.20-20.1.2013.nptl
kernel-2.4.20-20.1.2007.nptl
kernel-2.4.20-20.1.2005.nptl

Comment 2 Nils Philippsen 2003-06-28 22:09:32 UTC
Forgot to mention that when insmodding the modules by hand (in the correct
order), everything works fine (substituting ipchains with iptables_nat of course).

Comment 3 Bill Nottingham 2003-06-30 16:12:40 UTC
ipchains is exporting symbols, it probably shouldn't be.

Comment 4 Nils Philippsen 2003-07-08 23:51:07 UTC
Still the case with 2.4.21-1.2023:

/lib/modules/2.4.21-1.2023/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o: 
/lib/modules/2.4.21-1.2023/kernel/net/ipv4/netfilter/ip_tables.o \
        /lib/modules/2.4.21-1.2023/kernel/net/ipv4/netfilter/ipchains.o \
        /lib/modules/2.4.21-1.2023/kernel/net/ipv4/netfilter/ip_conntrack.o


Comment 6 Pekka Pietikäinen 2003-07-22 12:29:03 UTC
*** Bug 90647 has been marked as a duplicate of this bug. ***

Comment 7 Pekka Pietikäinen 2003-07-22 12:32:49 UTC
As I mentioned in #90647, nuking ipchains.o and ipfwadm.o and rerunning depmod -a 
is a workaround for this bug.

Comment 8 Nils Philippsen 2003-07-25 06:06:08 UTC
Why isn't this considered a blocker bug for Cambridge (#100643)? After all this
_is_ a security issue.

Comment 9 Gerald Teschl 2003-07-26 12:47:09 UTC
*** Bug 100428 has been marked as a duplicate of this bug. ***

Comment 10 Gerald Teschl 2003-07-26 12:48:30 UTC
*** Bug 100763 has been marked as a duplicate of this bug. ***

Comment 11 Nils Philippsen 2003-09-08 09:14:07 UTC
Fixed in kernel-2.4.22-1.2030.nptl

Comment 12 Alexandre Oliva 2003-09-08 12:05:00 UTC
Err....  -1.2030?  That's a lower version number than -20.1.2024.2.36, that
still has the problem.  Isn't the `20.' missing in this versioning scheme?

Comment 13 Dave Jones 2003-09-08 13:56:17 UTC
It's deliberate. The -20 was bogus.



Note You need to log in before you can comment on or make changes to this bug.