Bug 672366 - net-firewall/iptables-1.8.2-r1 init script no longer loads a policy if ip_tables module is not loaded
Summary: net-firewall/iptables-1.8.2-r1 init script no longer loads a policy if ip_tab...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Reported: 2018-12-02 05:33 UTC by Hank Leininger
Modified: 2018-12-02 15:50 UTC (History)

Description Hank Leininger 2018-12-02 05:33:14 UTC
A recent commit for bug #501710 that updated the iptables init script introduced a pretty serious POLA violation with security ramifications.

If iptables features are all built as modules, and are not loaded yet when /etc/init.d/iptables starts, the old init script would call /sbin/iptables which triggered module auto-loading.

But the new init script will just error out, and not load any firewall policy.

The new init script includes a start_pre call to checkkernel, which checks for the existence of /proc/net/ip_tables_names (and ip6_tables_names).  But that proc file does not exist if the ip_tables module is not loaded yet.

This check does mean better warning messages if the system doesn't have the expected support... but it also causes the box to load no firewall at all if the modules are present but not loaded, unlike its old behavior.

The workaround is simple: make sure ip_tables is listed in /etc/conf.d/modules. That will ensure /proc/net/ip_tables_names exists when the iptables init script runs, and then any other required modules can auto-load.

I would prefer if this behavior was reverted.  But if not, please at least issue a news item about this, warning and giving the workaround.
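The failure mode described above, as an added example (not the Gentoo init script or the fix commit): a kernel-support check in the spirit of the init script's checkkernel that, when /proc/net/ip_tables_names is absent, gives the userspace tool one chance to trigger module autoload and re-checks, instead of failing outright. The proc path and the loader command are assumed parameters so the function can be exercised without root or a netfilter-capable kernel; on a real system they would be /proc/net/ip_tables_names and something like `iptables -L -n`.

```shell
#!/bin/sh
# Added example, not the net-firewall/iptables init script.
#
# iptables_kernel_ready PROC_FILE LOADER_CMD
#   PROC_FILE  - the proc entry whose existence proves the table module is
#                loaded (e.g. /proc/net/ip_tables_names); assumed parameter.
#   LOADER_CMD - a command expected to trigger module autoload when run
#                (e.g. "iptables -L -n"); assumed parameter.
# Returns 0 when PROC_FILE exists, either immediately or after LOADER_CMD
# has run; returns 1 only when kernel support is genuinely missing, which is
# the one case the stricter check in the bug was meant to report.
iptables_kernel_ready() {
    proc_file=$1
    loader=$2

    # Fast path: module already loaded, or support built into the kernel.
    if [ -e "$proc_file" ]; then
        return 0
    fi

    # Proc entry absent. This is exactly the situation from the bug report:
    # ip_tables may well be available as a module that nobody has loaded yet.
    # Let the userspace tool trigger autoloading before concluding anything.
    if ! eval "$loader" >/dev/null 2>&1; then
        echo "iptables: kernel support missing (loader command failed)" >&2
        return 1
    fi

    # Re-check the proc entry rather than trusting the loader's exit status.
    if [ -e "$proc_file" ]; then
        return 0
    fi

    echo "iptables: kernel support missing ($proc_file still absent)" >&2
    return 1
}

# Real use on a Linux host (needs root; not run here):
#   iptables_kernel_ready /proc/net/ip_tables_names "iptables -L -n"
```

Listing ip_tables in /etc/conf.d/modules, as the report suggests, simply makes the fast path succeed; the fallback branch is what the stricter checkkernel lacked.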
Comment 1 Larry the Git Cow gentoo-dev 2018-12-02 15:50:04 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8addacfd7c0364953240840246f7256bebc87e0a

commit 8addacfd7c0364953240840246f7256bebc87e0a
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-12-02 15:46:25 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-12-02 15:49:19 +0000

    net-firewall/iptables: allow for iptables' module autoload functionality
    
    In commit cdc003118830087bbb409761fe4e0e2c19ea103a, a non-working check
    was fixed. In addition, error handling was added.
    However, this introduced a behavior change for users who didn't load
    iptables on their own and relied on iptables' own capability to autoload
    required modules.
    
    This new revision restores previous behavior and allows for relying on
    iptables' module autoload capability again.
    
    Closes: https://bugs.gentoo.org/672366
    Package-Manager: Portage-2.3.52, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../iptables/files/{iptables-r1.init => iptables-r2.init}      | 10 ++++++++--
 .../{iptables-1.8.2-r1.ebuild => iptables-1.8.2-r2.ebuild}     |  2 +-
 2 files changed, 9 insertions(+), 3 deletions(-)