A recent commit for bug #501710 that updated the iptables init script introduced a pretty serious POLA violation with security ramifications. If iptables features are all built as modules, and are not loaded yet when /etc/init.d/iptables starts, the old init script would call /sbin/iptables which triggered module auto-loading. But the new init script will just error out, and not load any firewall policy. The new init script includes a start_pre call to checkkernel, which checks for the existence of /proc/net/ip_tables_names (and ip6_tables_names). But that proc file does not exist if the ip_tables module is not loaded yet. This check does mean better warning messages if the system doesn't have the expected support... but it also causes the box to load no firewall at all if the modules are present but not loaded, unlike its old behavior. The workaround is simple: make sure ip_tables is listed in /etc/conf.d/modules. That will ensure /proc/net/ip_tables_names exists when the iptables init script runs, and then any other required modules can auto-load. I would prefer if this behavior was reverted. But if not, please at least issue a news item about this, warning and giving the workaround.
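The behaviour the report asks for, as an added illustration (not Gentoo's own init script): a checkkernel-style test that, when /proc/net/ip_tables_names is absent, first gives the kernel a chance to autoload ip_tables (the old script did this implicitly by calling /sbin/iptables) and only then reports missing support. The trigger function is hypothetical and overridable so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not code from the gentoo repository.

# Default autoload trigger (assumption): invoking the iptables binary makes
# the kernel pull in ip_tables when it is built as a module.
trigger_autoload() {
    /sbin/iptables -L -n >/dev/null 2>&1
}

# checkkernel [PROC_FILE] [TRIGGER_FN]
# Returns 0 when PROC_FILE exists, possibly only after the trigger has run;
# returns 1 and prints a diagnostic when it is still missing afterwards.
checkkernel() {
    proc_file="${1:-/proc/net/ip_tables_names}"
    trigger="${2:-trigger_autoload}"
    if [ ! -f "$proc_file" ]; then
        # Modules present but not loaded yet: let iptables autoload them
        # instead of failing outright and leaving the box with no policy.
        "$trigger" || true
    fi
    if [ -f "$proc_file" ]; then
        return 0
    fi
    echo "checkkernel: $proc_file missing; no iptables support in kernel" >&2
    return 1
}
```

On a real system the defaults apply; passing a constructed path and a stub trigger lets the two outcomes be verified without touching netfilter.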
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8addacfd7c0364953240840246f7256bebc87e0a

commit 8addacfd7c0364953240840246f7256bebc87e0a
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-12-02 15:46:25 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-12-02 15:49:19 +0000

net-firewall/iptables: allow for iptables' module autoload functionality

In commit cdc003118830087bbb409761fe4e0e2c19ea103a, a non-working check was fixed. In addition, error handling was added. However, this introduced a behavior change for users who didn't load iptables on their own and relied on iptables' own capability to autoload required modules.

This new revision restores previous behavior and allows for relying on iptables' module autoload capability again.

Closes: https://bugs.gentoo.org/672366
Package-Manager: Portage-2.3.52, Repoman-2.3.12
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../iptables/files/{iptables-r1.init => iptables-r2.init}   | 10 ++++++++--
 .../{iptables-1.8.2-r1.ebuild => iptables-1.8.2-r2.ebuild} |  2 +-
 2 files changed, 9 insertions(+), 3 deletions(-)