Bug#: 155485
Status: RESOLVED
Resolution: DUPLICATE of bug 154269
Assigned To: Gentoo's Team for Core System packages <base-system@gentoo.org>
Reporter: Jan <gentoo-bugzilla@lists.diesedomainwarnochfrei.de>
Description:   Opened: 2006-11-17 07:04 0000
The init script of net-firewall/iptables-1.3.5-r4 (and maybe other versions)
contains the following lines in the stop-function:
##        ebegin "Stopping firewall"
##        for a in $(<${iptables_proc}) ; do
##                ${iptables_bin} -F -t $a
##                ${iptables_bin} -X -t $a
##
##                set_table_policy $a ACCEPT
##        done

A simple iptables setup for a diskless setup will allow traffic from localhost,
from the server and for connections opened by the user:
##  iptables -A INPUT -i lo -j ACCEPT
##  iptables -A INPUT -s <server-ip> -j ACCEPT
##  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

and then use the policy to prevent any further incoming connections:
##  iptables -P INPUT DROP

When calling "/etc/init.d/iptables stop", this setup will result in the machine
locking up after the first flushing call "${iptables_bin} -F", because any
NFS-traffic is blocked by the default policy, which cannot be reset to "ACCEPT"
as the binary is no longer available. 

As a workaround, I changed the order of commands in /etc/init.d/iptables to set
the table policy before flushing the table. This works fine for my simple
diskless client, but I am not sure if other imaginable configurations would
have trouble with it, like a complex ruleset for a firewall/NAT machine with
custom tables that contain rewriting rules which should be deleted before
changing the policy. I never had the reason to set up something like that and
just don't know if it might have undesired effects.
While experimenting, I also tried disabling the problematic commands entirely,
because my clients do not save the rules and work fine without stopping the
firewall on shutdown. But other setups (like logging) would fail on syslog
shutdown.

My suggestion would be to add an option like "STOP_ON_SHUTDOWN" to
/etc/conf.d/iptables to allow customization as desired. The init script should
also check if "/" is network mounted and act accordingly ("nfsmount" already
does this on shutdown). 
Until then, one of the workarounds should do fine.

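The reorder the reporter describes (policy reset before flush), written out as an added example that is not the Gentoo init script or the reporter's patch. Assumed: the standard filter/nat/mangle/raw tables with their built-in chains, a small list of network filesystem types for the "/" check, and that `iptables_bin` may be overridden (e.g. with `echo`) for a dry run.

```sh
#!/bin/sh
# Added example, not the Gentoo iptables init script. Policies are reset to
# ACCEPT before any flush, so a DROP policy is never left in force at a
# moment when the iptables binary on an NFS root may be unreachable.

iptables_bin="${iptables_bin:-/sbin/iptables}"

# Built-in chains per table (assumption: the standard four tables).
builtin_chains() {
    case "$1" in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING POSTROUTING OUTPUT" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)    echo "PREROUTING OUTPUT" ;;
        *)      echo "" ;;
    esac
}

# Return 0 when "/" is a network filesystem, judged from an
# /proc/mounts-style file given as $1 (default /proc/mounts).
# The last entry for "/" wins, as it does for the kernel.
root_is_netfs() {
    root_type=""
    while read -r _dev mnt fstype _rest; do
        [ "$mnt" = "/" ] && root_type="$fstype"
    done < "${1:-/proc/mounts}"
    case "$root_type" in
        nfs|nfs4|cifs|smbfs|ncpfs|coda|afs) return 0 ;;
        *) return 1 ;;
    esac
}

# Stop sequence for the tables in $1 (space separated): for each table,
# reset every built-in chain policy first, then flush and drop user chains.
firewall_stop() {
    for table in $1; do
        for chain in $(builtin_chains "$table"); do
            "$iptables_bin" -t "$table" -P "$chain" ACCEPT
        done
        "$iptables_bin" -F -t "$table"
        "$iptables_bin" -X -t "$table"
    done
}
```

Run `iptables_bin=echo firewall_stop "$(cat /proc/net/ip_tables_names)"` to see the exact command order without touching the live ruleset; `root_is_netfs` is the check the reporter asks the init script to perform before deciding how to act.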
------- Comment #1 From Jan 2006-11-17 07:25:44 0000 -------
Just checked and found that I misremembered the problems with init scripts:
"nfsmount" reports errors on unmounting the busy filesystems, it is "net.lo"
(symlink net.eth0) that checks if the root filesystem is network mounted, using
"is_net_fs". Ditto for "checkroot" which uses the same function.
Sorry for any confusion.

------- Comment #2 From SpanKY 2006-11-17 10:26:23 0000 -------

*** This bug has been marked as a duplicate of 154269 ***

------- Comment #3 From Jan 2006-11-17 10:54:21 0000 -------
Sorry about the duplicate, I failed to search for fixed bugs as the problem
persists (I did not get the update because it does not show up on "emerge -uD
world").
