Bug#: 154269
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo's Team for Core System packages <base-system@gentoo.org>
Reporter: Max Hacking <max.gentoo.bugzilla@hacking.co.uk>
Description:   Opened: 2006-11-06 10:17 0000
I have a firewall (Sun Netra X1) which I am currently booting from the network.

The boot device is eth1 and as such does not need to be present in any
runlevel, the WAN device is eth0 and is thus in the default runlevel.

Whenever this machine is shut-down the iptables init script produces the
following error messages and the shutdown procedure fails.

 *     Shutting down eth0 ...                                             [ ok ]
 * Stopping lo
 *   Running predown function                                             [ ok ]
 *   Bringing down lo
 *     Shutting down lo ...                                               [ ok ]
 * Saving iptables state ...                                              [ ok ]
 * Stopping firewall .../etc/init.d/iptables: line 72: /sbin/iptables: Operation not permitted
/etc/init.d/iptables: line 36: /sbin/iptables: Operation not permitted
/etc/init.d/iptables: line 36: /sbin/iptables: Operation not permitted
/etc/init.d/iptables: line 36: /sbin/iptables: Operation not permitted
/etc/init.d/iptables: line 71: /sbin/iptables: Operation not permitted
/etc/init.d/iptables: line 72: /sbin/iptables: Operation not permitted
/etc/init.d/iptables: line 36: /sbin/iptables: Operation not permitted
/etc/init.d/iptables: line 36: /sbin/iptables: Operation not permitted
/etc/init.d/iptables: line 36: /sbin/iptables: Operation not permitted
/sbin/functions.sh: line 343: cannot redirect standard input from /dev/null: Operation not permitted
/sbin/functions.sh: line 343: rc_splash: command not found                    [ !! ]
/lib/rcscripts/sh/rc-services.sh: line 572: /bin/rm: Operation not permitted
/sbin/runscript.sh: line 609: /bin/rm: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 593: /bin/rm: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 593: /bin/rm: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 593: /bin/rm: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 593: /bin/rm: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 342: /var/lib/init.d/exitcodes/iptables: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 593: /bin/rm: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 593: /bin/rm: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 593: /bin/rm: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 593: /bin/rm: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 134: /dev/null: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 135: /dev/stderr: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 136: /dev/stderr: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 137: /dev/stderr: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 138: /dev/stderr: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 134: /dev/null: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 135: /dev/stderr: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 136: /dev/stderr: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 137: /dev/stderr: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 138: /dev/stderr: Operation not permitted
/sbin/rc: line 817: /var/lib/init.d/softlevel: Operation not permitted
/sbin/rc: line 822: /dev/null: Operation not permitted
/sbin/rc: line 822: grep: command not found
/sbin/rc: line 822: /bin/rm: Operation not permitted
/sbin/rc: line 827: /etc/init.d/halt.sh: Operation not permitted
/sbin/rc: line 827: exec: /etc/init.d/halt.sh: cannot execute: Operation not permitted

If I comment the following lines in the stop function of the iptables init
script then shutdown occurs normally.

stop() {
        if [[ ${SAVE_ON_STOP} == "yes" ]] ; then
                save || return 1
        fi
        checkkernel || return 1
        ebegin "Stopping firewall"
#       for a in $(<${iptables_proc}) ; do
#               ${iptables_bin} -F -t $a
#               ${iptables_bin} -X -t $a
#
#               set_table_policy $a ACCEPT
#       done
        eend $?
}

I am using iptables version 1.3.5-r4.

------- Comment #1 From SpanKY 2006-11-06 12:26:59 0000 -------
iptables has a new option to control this

------- Comment #2 From Max Hacking 2006-11-07 08:20:00 0000 -------
(In reply to comment #1)
> iptables has a new option to control this

No. It doesn't.

Maybe it was my fault for not explaining the problem more clearly, I was tired.
If I had waited until this morning to post then things would have been
different. The problem is, in fact, very obvious and I'm amazed, and slightly
embarrassed, that I didn't spot it immediately.

The stop() function flushes and deletes all the chains *before* setting the
policy to accept.  If the system is net mounted and has a policy of drop then
this kills the system.

The fix is equally trivial...  Move the call to set_table_policy above the
flush and delete calls.

I.e.:

stop() {
        if [[ ${SAVE_ON_STOP} == "yes" ]] ; then
                save || return 1
        fi
        checkkernel || return 1
        ebegin "Stopping firewall"
        for a in $(<${iptables_proc}) ; do
                set_table_policy $a ACCEPT

                ${iptables_bin} -F -t $a
                ${iptables_bin} -X -t $a
        done
        eend $?
}
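The ordering rule from comment #2, as an added example that is not the Gentoo init script: set every table's built-in chains to ACCEPT first, then flush, then delete user chains, so a DROP policy cannot strand a net-booted root when its rules disappear. The table list stands in for /proc/net/ip_tables_names, the built-in chain map is hard-coded, and check_order is a hypothetical helper that audits a recorded iptables command log for the unsafe flush-before-ACCEPT order; the binary is overridable so the ordering can be checked with a stub instead of touching a live firewall.

```shell
#!/bin/sh
# Added example (not the Gentoo init script). Assumptions: the table list stands in
# for /proc/net/ip_tables_names, the chain map is hard-coded, and check_order is a
# hypothetical audit helper. Override iptables_bin with a stub to test offline.
iptables_bin="${IPTABLES_BIN:-/sbin/iptables}"
iptables_tables="${IPTABLES_TABLES:-filter nat mangle}"

builtin_chains() {  # $1 = table; echoes the built-in chains whose policy can be set
    case "$1" in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING POSTROUTING OUTPUT" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)    echo "PREROUTING OUTPUT" ;;
        *)      return 1 ;;   # unknown table: fail loudly, do not silently skip it
    esac
}

set_table_policy() {  # $1 = table, $2 = policy (ACCEPT or DROP)
    chains=$(builtin_chains "$1") || return 1
    for chain in $chains; do
        "$iptables_bin" -t "$1" -P "$chain" "$2" || return 1
    done
}

safe_stop() {
    for t in $iptables_tables; do
        set_table_policy "$t" ACCEPT || return 1  # 1. nothing is dropped once rules vanish
        "$iptables_bin" -F -t "$t" || return 1    # 2. flush the rules
        "$iptables_bin" -X -t "$t" || return 1    # 3. delete user-defined chains
    done
}

# check_order LOGFILE: one iptables argument list per line. Returns 0 only if every
# -F/-X on a table comes after a -P ... ACCEPT on that same table.
check_order() {
    awk '
        BEGIN { bad = 0 }
        { tbl = ""; op = ""; pol = ""
          for (i = 1; i <= NF; i++) {
              if ($i == "-t") tbl = $(i + 1)
              else if ($i == "-P") { op = "-P"; pol = $(i + 2) }
              else if ($i == "-F" || $i == "-X") op = $i
          }
          if (op == "-P" && pol == "ACCEPT") opened[tbl] = 1
          else if (op != "-P" && op != "" && !opened[tbl]) bad = 1 }
        END { exit bad }' "$1"
}
case "${1:-}" in stop) safe_stop ;; esac   # e.g. ./safe_stop.sh stop
```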

------- Comment #3 From SpanKY 2006-11-11 00:24:37 0000 -------
it does actually, you just didn't take the time to read the changes :P

added your proposed change to cvs, thanks

------- Comment #4 From Max Hacking 2006-11-11 10:03:37 0000 -------
(In reply to comment #3)
> it does actually, you just didn't take the time to read the changes :P

I took the time to read them all right.  I'm now thinking that we are probably
reading different change logs though.  :-)  Where is the one you're referring
to?

> added your proposed change to cvs, thanks

Thank you for accepting them.  Glad I could be of assistance.

------- Comment #5 From SpanKY 2006-11-17 10:26:23 0000 -------
*** Bug 155485 has been marked as a duplicate of this bug. ***
