Bug 155485 - stopping net-firewall/iptables kills diskless machines
Summary: stopping net-firewall/iptables kills diskless machines
Status: RESOLVED DUPLICATE of bug 154269
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo's Team for Core System packages
Reported: 2006-11-17 07:04 UTC by Jan
Modified: 2006-11-17 10:54 UTC (History)
Description Jan 2006-11-17 07:04:32 UTC
The init script of net-firewall/iptables-1.3.5-r4 (and maybe other versions) contains the following lines in the stop-function:
##        ebegin "Stopping firewall"
##        for a in $(<${iptables_proc}) ; do
##                ${iptables_bin} -F -t $a
##                ${iptables_bin} -X -t $a
##
##                set_table_policy $a ACCEPT
##        done

A simple iptables setup for a diskless setup will allow traffic from localhost, from the server and for connections opened by the user:
##  iptables -A INPUT -i lo -j ACCEPT
##  iptables -A INPUT -s <server-ip> -j ACCEPT
##  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

and then use the policy to prevent any further incoming connections:
##  iptables -P INPUT DROP

When calling "/etc/init.d/iptables stop", this setup will result in the machine locking up after the first flushing call "${iptables_bin} -F", because any NFS-traffic is blocked by the default policy, which cannot be reset to "ACCEPT" as the binary is no longer available. 

As a workaround, I changed the order of commands in /etc/init.d/iptables to set the table policy before flushing the table. This works fine for my simple diskless client, but I am not sure if other imaginable configurations would have trouble with it, like a complex ruleset for a firewall/NAT machine with custom tables that contain rewriting rules which should be deleted before changing the policy. I never had the reason to set up something like that and just don't know if it might have undesired effects.
While experimenting, I also tried disabling the problematic commands entirely, because my clients do not save the rules and work fine without stopping the firewall on shutdown. But other setups (like logging) would fail on syslog shutdown.

My suggestion would be to add an option like "STOP_ON_SHUTDOWN" to /etc/conf.d/iptables to allow customization as desired. The init script should also check if "/" is network mounted and act accordingly ("nfsmount" already does this on shutdown). 
Until then, one of the workarounds should do fine.
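The two ideas in the report above, resetting a table's policy to ACCEPT before flushing it and checking whether "/" is on a network filesystem before touching the rules, can be written as a small POSIX sh fragment. This is an added illustration, not the Gentoo iptables init script and not code from the reporter; the STOP_ON_SHUTDOWN knob is the hypothetical option suggested in the report, the built-in chain lists are those of the 2.6-era kernels discussed here (newer kernels add an INPUT chain to the nat table), and the mounts file is a constructed sample rather than the real /proc/mounts. Setting IPTABLES=echo makes the stop routine print the commands it would run instead of executing them.

```shell
#!/bin/sh
# Added example: policy-first firewall stop plus an is_net_fs-style root check.
# Not the Gentoo init script; IPTABLES=echo dry-runs the command sequence.

IPTABLES="${IPTABLES:-iptables}"

# Built-in chains per table (2.6-era kernels; assumption, see lead-in).
builtin_chains() {
    case "$1" in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING POSTROUTING OUTPUT" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)    echo "PREROUTING OUTPUT" ;;
        *)      echo "" ;;
    esac
}

# Stop ordering that stays safe on a diskless client: open every built-in
# chain of a table (policy ACCEPT) *before* flushing rules and deleting user
# chains, so NFS traffic to the root filesystem is never cut off mid-way.
# Args: table names, e.g. "filter nat".
safe_stop() {
    for table in "$@"; do
        for chain in $(builtin_chains "$table"); do
            "$IPTABLES" -t "$table" -P "$chain" ACCEPT
        done
        "$IPTABLES" -t "$table" -F
        "$IPTABLES" -t "$table" -X
    done
}

# is_net_fs-style check: return 0 when the filesystem mounted at $2 is a
# network filesystem according to the mounts file $1 (normally /proc/mounts).
# Fields are: device mountpoint fstype options dump pass. The *last* matching
# entry wins, because a later mount shadows an earlier one on the same path.
is_net_fs() {
    mounts_file="$1"; mountpoint="$2"
    fstype=$(awk -v mp="$mountpoint" '$2 == mp { t = $3 } END { print t }' "$mounts_file")
    case "$fstype" in
        nfs|nfs4|cifs|smbfs|ncpfs|coda|afs) return 0 ;;
        *) return 1 ;;
    esac
}

# Hypothetical conf.d knob from the report: STOP_ON_SHUTDOWN=no leaves the
# rules in place when the root filesystem lives on the network.
# Args: mounts file, then table names.
stop_firewall() {
    mounts_file="$1"; shift
    if [ "${STOP_ON_SHUTDOWN:-yes}" = "no" ] && is_net_fs "$mounts_file" /; then
        echo "root is on a network filesystem; leaving firewall rules in place" >&2
        return 0
    fi
    safe_stop "$@"
}

# Constructed sample mounts file for a diskless client (not a real system).
SAMPLE_MOUNTS=$(mktemp)
printf '%s\n' \
    'rootfs / rootfs rw 0 0' \
    '192.168.0.1:/export/client1 / nfs rw,vers=3 0 0' \
    'proc /proc proc rw 0 0' \
    'tmpfs /tmp tmpfs rw 0 0' > "$SAMPLE_MOUNTS"

# Usage (dry run):  IPTABLES=echo stop_firewall "$SAMPLE_MOUNTS" filter nat
# Usage (skip):     STOP_ON_SHUTDOWN=no stop_firewall "$SAMPLE_MOUNTS" filter
```

With the sample file, is_net_fs reports "/" as network-mounted (the nfs entry shadows the initial rootfs line) and "/tmp" as local; the dry run for the filter table prints three -P ACCEPT lines before the -F and -X lines.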
Comment 1 Jan 2006-11-17 07:25:44 UTC
Just checked and found that I misremembered the problems with init scripts:
"nfsmount" reports errors on unmounting the busy filesystems; it is "net.lo" (symlink net.eth0) that checks if the root filesystem is network mounted, using "is_net_fs". Ditto for "checkroot", which uses the same function.
Sorry for any confusion.
Comment 2 SpanKY gentoo-dev 2006-11-17 10:26:23 UTC

*** This bug has been marked as a duplicate of 154269 ***
Comment 3 Jan 2006-11-17 10:54:21 UTC
Sorry about the duplicate, I failed to search for fixed bugs as the problem persists (I did not get the update because it does not show up on "emerge -uD world").