| Summary: | iptables init script breaks shutdown on multi-homed net-booted hosts | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Max Hacking <max.gentoo.bugzilla> |
| Component: | [OLD] Unspecified | Assignee: | Gentoo's Team for Core System packages <base-system> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | gentoo-bugzilla |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description

Max Hacking
2006-11-06 10:17:18 UTC

Comment 1

iptables has a new option to control this

Comment 2 (Max Hacking)

(In reply to comment #1)
> iptables has a new option to control this

No. It doesn't.

Maybe it was my fault for not explaining the problem more clearly, I was tired. If I had waited until this morning to post then things would have been different.

The problem is, in fact, very obvious and I'm amazed, and slightly embarrassed, that I didn't spot it immediately.

The stop() function flushes and deletes all the chains *before* setting the policy to accept. If the system is net mounted and has a policy of drop then this kills the system.

The fix is equally trivial... Move the call to set_table_policy above the flush and delete calls. I.e.:

```sh
stop() {
	if [[ ${SAVE_ON_STOP} == "yes" ]] ; then
		save || return 1
	fi
	checkkernel || return 1
	ebegin "Stopping firewall"
	for a in $(<${iptables_proc}) ; do
		# Reset the policy to ACCEPT first: a DROP policy on an empty
		# ruleset would cut off a net-mounted root while we are still running.
		set_table_policy $a ACCEPT
		${iptables_bin} -F -t $a
		${iptables_bin} -X -t $a
	done
	eend $?
}
```

Comment 3

it does actually, you just didn't take the time to read the changes :P

added your proposed change to cvs, thanks

Comment 4 (Max Hacking)

(In reply to comment #3)
> it does actually, you just didn't take the time to read the changes :P

I took the time to read them all right. I'm now thinking that we are probably reading different change logs though. :-) Where is the one you're referring to?

> added your proposed change to cvs, thanks

Thank you for accepting them. Glad I could be of assistance.

Comment 5

*** Bug 155485 has been marked as a duplicate of this bug. ***
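The ordering problem described in comment 2, shown as an added example that is not part of the Gentoo init script or of this bug's own code. It replaces iptables and set_table_policy with stubs (iptables_stub, set_table_policy_stub, both hypothetical names) that track only the filter table's policy, and models the reporter's failure mode as a flag: flushing the filter table while its policy is still DROP marks the net-mounted root as lost. The table list is a constructed stand-in for the contents of ${iptables_proc}. stop_broken() runs the original flush-then-policy order and stop_fixed() the order adopted in the fix; each returns success only if the modelled root filesystem survives the run.

```sh
#!/bin/sh
# Added example: simulate the stop() ordering bug with stub commands.
# Nothing here touches the real firewall.

FILTER_POLICY=DROP      # policy of the filter table's built-in chains
NETROOT_ALIVE=1         # 1 while the (modelled) net-mounted root is reachable
TABLES="filter nat mangle"   # constructed stand-in for $(<${iptables_proc})

reset_model() {
    FILTER_POLICY=DROP
    NETROOT_ALIVE=1
}

# Stub of ${iptables_bin}. Only -F/-X with "-t <table>" are modelled.
# Flushing the filter table removes the rules that let NFS traffic through;
# if the policy is still DROP at that moment the root filesystem goes away.
iptables_stub() {
    case "$1" in
        -F)
            if [ "$3" = filter ] && [ "$FILTER_POLICY" = DROP ]; then
                NETROOT_ALIVE=0
            fi
            ;;
        -X)
            : ;;   # deleting user chains changes nothing in this model
    esac
    return 0
}

# Stub of Gentoo's set_table_policy <table> <policy>: modelled as setting the
# policy of every built-in chain of the table; only "filter" is tracked.
set_table_policy_stub() {
    [ "$1" = filter ] && FILTER_POLICY=$2
    return 0
}

# Original ordering: flush and delete first, set the policy afterwards.
stop_broken() {
    reset_model
    for a in $TABLES; do
        iptables_stub -F -t $a
        iptables_stub -X -t $a
        set_table_policy_stub $a ACCEPT
    done
    [ "$NETROOT_ALIVE" = 1 ]
}

# Fixed ordering: policy to ACCEPT before anything is flushed.
stop_fixed() {
    reset_model
    for a in $TABLES; do
        set_table_policy_stub $a ACCEPT
        iptables_stub -F -t $a
        iptables_stub -X -t $a
    done
    [ "$NETROOT_ALIVE" = 1 ]
}

# Stand-alone demonstration.
if stop_broken; then
    echo "broken order: net root survived"
else
    echo "broken order: net root lost while the filter table was flushed under DROP"
fi
if stop_fixed; then
    echo "fixed order:  net root survived"
else
    echo "fixed order:  net root lost"
fi
```

Both variants end with every table at ACCEPT, which is why the bug is invisible on a locally booted host; the difference is only the window between the flush and the policy change, and on a net-booted host that window is fatal.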