Bug 154269

Summary: iptables init script breaks shutdown on multi-homed net-booted hosts
Product: Gentoo Linux
Reporter: Max Hacking <max.gentoo.bugzilla>
Component: [OLD] Unspecified
Assignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED FIXED
Severity: normal
CC: gentoo-bugzilla
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Max Hacking 2006-11-06 10:17:18 UTC
I have a firewall (Sun Netra X1) which I am currently booting from the network.

The boot device is eth1 and as such does not need to be present in any runlevel, the WAN device is eth0 and is thus in the default runlevel.

Whenever this machine is shut down, the iptables init script produces the following error messages and the shutdown procedure fails.

 *     Shutting down eth0 ...                                             [ ok ]
 * Stopping lo
 *   Running predown function                                             [ ok ]
 *   Bringing down lo
 *     Shutting down lo ...                                               [ ok ]
 * Saving iptables state ...                                              [ ok ]
 * Stopping firewall .../etc/init.d/iptables: line 72: /sbin/iptables: Operation not permitted
/etc/init.d/iptables: line 36: /sbin/iptables: Operation not permitted
/etc/init.d/iptables: line 36: /sbin/iptables: Operation not permitted
/etc/init.d/iptables: line 36: /sbin/iptables: Operation not permitted
/etc/init.d/iptables: line 71: /sbin/iptables: Operation not permitted
/etc/init.d/iptables: line 72: /sbin/iptables: Operation not permitted
/etc/init.d/iptables: line 36: /sbin/iptables: Operation not permitted
/etc/init.d/iptables: line 36: /sbin/iptables: Operation not permitted
/etc/init.d/iptables: line 36: /sbin/iptables: Operation not permitted
/sbin/functions.sh: line 343: cannot redirect standard input from /dev/null: Operation not permitted
/sbin/functions.sh: line 343: rc_splash: command not found                     [ !! ]
/lib/rcscripts/sh/rc-services.sh: line 572: /bin/rm: Operation not permitted
/sbin/runscript.sh: line 609: /bin/rm: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 593: /bin/rm: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 593: /bin/rm: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 593: /bin/rm: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 593: /bin/rm: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 342: /var/lib/init.d/exitcodes/iptables: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 593: /bin/rm: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 593: /bin/rm: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 593: /bin/rm: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 593: /bin/rm: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 134: /dev/null: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 135: /dev/stderr: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 136: /dev/stderr: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 137: /dev/stderr: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 138: /dev/stderr: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 134: /dev/null: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 135: /dev/stderr: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 136: /dev/stderr: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 137: /dev/stderr: Operation not permitted
/lib/rcscripts/sh/rc-services.sh: line 138: /dev/stderr: Operation not permitted
/sbin/rc: line 817: /var/lib/init.d/softlevel: Operation not permitted
/sbin/rc: line 822: /dev/null: Operation not permitted
/sbin/rc: line 822: grep: command not found
/sbin/rc: line 822: /bin/rm: Operation not permitted
/sbin/rc: line 827: /etc/init.d/halt.sh: Operation not permitted
/sbin/rc: line 827: exec: /etc/init.d/halt.sh: cannot execute: Operation not permitted

If I comment the following lines in the stop function of the iptables init script then shutdown occurs normally.

stop() {
        if [[ ${SAVE_ON_STOP} == "yes" ]] ; then
                save || return 1
        fi
        checkkernel || return 1
        ebegin "Stopping firewall"
#       for a in $(<${iptables_proc}) ; do
#               ${iptables_bin} -F -t $a
#               ${iptables_bin} -X -t $a
#
#               set_table_policy $a ACCEPT
#       done
        eend $?
}

I am using iptables version 1.3.5-r4.
Comment 1 SpanKY gentoo-dev 2006-11-06 12:26:59 UTC
iptables has a new option to control this
Comment 2 Max Hacking 2006-11-07 08:20:00 UTC
(In reply to comment #1)
> iptables has a new option to control this

No. It doesn't.

Maybe it was my fault for not explaining the problem more clearly; I was tired. If I had waited until this morning to post then things would have been different. The problem is, in fact, very obvious and I'm amazed, and slightly embarrassed, that I didn't spot it immediately.

The stop() function flushes and deletes all the chains *before* setting the policy to accept. If the system is net-mounted and has a policy of drop then this kills the system.

The fix is equally trivial... Move the call to set_table_policy above the flush and delete calls.

I.e.:

stop() {
        if [[ ${SAVE_ON_STOP} == "yes" ]] ; then
                save || return 1
        fi
        checkkernel || return 1
        ebegin "Stopping firewall"
        for a in $(<${iptables_proc}) ; do
                set_table_policy $a ACCEPT

                ${iptables_bin} -F -t $a
                ${iptables_bin} -X -t $a
        done
        eend $?
}
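
The ordering comment 2 describes (open the built-in chains with an ACCEPT policy first, only then flush and delete), written as an added stand-alone POSIX shell example that is not the Gentoo init script. IPTABLES_BIN, IPTABLES_PROC and chains_for_table are assumed names; both variables can be pointed at a stub binary and a constructed table list so the teardown order can be checked offline.

```shell
#!/bin/sh
# Added example, not the Gentoo iptables init script. IPTABLES_BIN and
# IPTABLES_PROC are assumed names; override them to test against a stub.
IPTABLES_BIN="${IPTABLES_BIN:-/sbin/iptables}"
IPTABLES_PROC="${IPTABLES_PROC:-/proc/net/ip_tables_names}"

# Built-in chains of each table. Every one of these must be opened before
# the table is flushed, or a DROP policy on a net-booted host cuts off the
# root filesystem the rest of the shutdown still needs.
chains_for_table() {
    case "$1" in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING POSTROUTING OUTPUT" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)    echo "PREROUTING OUTPUT" ;;
        *)      echo "" ;;
    esac
}

# Step 1: set every built-in chain of the table to ACCEPT.
# Step 2: only then flush (-F) and delete user chains (-X).
safe_clear_table() {
    table="$1"
    for chain in $(chains_for_table "$table"); do
        "$IPTABLES_BIN" -t "$table" -P "$chain" ACCEPT || return 1
    done
    "$IPTABLES_BIN" -F -t "$table" || return 1
    "$IPTABLES_BIN" -X -t "$table" || return 1
}

# Walk the loaded tables in the same order the init script does.
safe_clear_all() {
    [ -r "$IPTABLES_PROC" ] || return 1
    for t in $(cat "$IPTABLES_PROC"); do
        safe_clear_table "$t" || return 1
    done
}
```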

Comment 3 SpanKY gentoo-dev 2006-11-11 00:24:37 UTC
it does actually, you just didn't take the time to read the changes :P

added your proposed change to cvs, thanks
Comment 4 Max Hacking 2006-11-11 10:03:37 UTC
(In reply to comment #3)
> it does actually, you just didnt take the time to read the changes :P

I took the time to read them all right. I'm now thinking that we are probably reading different change logs though. :-) Where is the one you're referring to?

> added your proposed change to cvs, thanks
Thank you for accepting them.  Glad I could be of assistance.
Comment 5 SpanKY gentoo-dev 2006-11-17 10:26:23 UTC
*** Bug 155485 has been marked as a duplicate of this bug. ***