Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 128368

Summary: Changes in linux-2.6.16 make iptables deactivated without warning
Product: Gentoo Linux Reporter: email_deleted_GqKU
Component: New packagesAssignee: Gentoo Kernel Bug Wranglers and Kernel Maintainers <kernel>
Status: RESOLVED WONTFIX    
Severity: minor CC: radfoj
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description email_deleted_GqKU 2006-04-01 04:20:12 UTC 
linux-2.6.16 features changes making iptables deactivated, if we don't manually activate the new options for it...

An `ewarn` in the gentoo-sources ebuild is absolutely *REQUIRED*... Even when iptables is not loaded, the network connections are established, so if someone does not check the boot log, he will be connected without a firewall and obviously without firewall logs...


There's a Gentoo forum thread about it: http://forums.gentoo.org/viewtopic-t-446271.html
Comment 1 Daniel Drake (RETIRED) gentoo-dev 2006-04-01 04:26:02 UTC 
I don't understand this bug report. You are reporting that netfilter is now disabled by default, whereas it was enabled by default in 2.6.15?
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2006-04-01 04:29:43 UTC 
(In reply to comment #1)
> I don't understand this bug report. You are reporting that netfilter is now
> disabled by default, whereas it was enabled by default in 2.6.15?

Nah, I believe he's referring to the Xtables thing.
Comment 3 Daniel Drake (RETIRED) gentoo-dev 2006-04-01 04:44:08 UTC 
I still don't follow. He's saying that iptables is enabled by default on 2.6.15, but the 2.6.16 equivalent (xtables) is not?
Comment 4 email_deleted_GqKU 2006-04-01 04:47:20 UTC 
(In reply to comment #3)
> I still don't follow. He's saying that iptables is enabled by default on
> 2.6.15, but the 2.6.16 equivalent (xtables) is not?
> 


I report that the options to activate iptables have been changed, so when we update (and use a previous kernel configuration), iptables is not activated without activating the new options...

I don't think most people check the linux changelog, so a warning is required, because, as said, if the user don't check the boot log, he will be connected without a firewall...
Comment 5 Daniel Drake (RETIRED) gentoo-dev 2006-04-01 05:00:09 UTC 
Ok, thanks for the explanation.

We discourage reusing kernel configs between real kernel upgrades (e.g. 2.6.15 to 2.6.16) because too much changes to make this a practical option. Reusing config is only safe over revision updates (e.g. 2.6.16 to 2.6.16-r1). There is a note in the kernel upgrade guide about this.
Comment 6 email_deleted_GqKU 2006-04-01 05:31:38 UTC 
(In reply to comment #5)
> Ok, thanks for the explanation.
> 
> We discourage reusing kernel configs between real kernel upgrades (e.g. 2.6.15
> to 2.6.16) because too much changes to make this a practical option. Reusing
> config is only safe over revision updates (e.g. 2.6.16 to 2.6.16-r1). There is
> a note in the kernel upgrade guide about this.
> 


Well, I guess I'll be more careful next time (as anyone who ran into the problem), but you can't except most people to check the whole kernel configuration, even once every few months... (it takes hours to do it, when you seldom do it...).

A warning really is required, for major changes like this, moreover when security is involved...
Comment 7 Daniel Drake (RETIRED) gentoo-dev 2006-04-01 06:10:29 UTC 
This will become easier when emerge news is available, but I'm still not sure this would be a suitable candidate. Also, we do provide genkernel for those who can not afford to spend some time every 2 months configuring a kernel. Thanks for the feedback.