Bug 387751 - net-firewall/iptables- initscript uses the logger
Summary: net-firewall/iptables- initscript uses the logger
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Peter Volkov (RETIRED)
Duplicates: 408753
Depends on:
Reported: 2011-10-19 22:35 UTC by Thomas Albers
Modified: 2012-05-21 21:25 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Thomas Albers 2011-10-19 22:35:24 UTC
The initscript for iptables has a line
   USE logger

When the syslog initscript has a line
   NEED net

this causes problems in the order of initscript execution because openrc tries to start the syslog service before all network services are up and then will not start syslog.

Removing that dependence causes the scripts to be executed in the proper order

Reproducible: Always

michelin ~ # cat /var/log/rc.log

* Bringing up interface eth1
 * ...
 [ ok ]
 *   Adding routes
 *     default via ...
 [ ok ]
 * ERROR: cannot start syslog-ng as net.eth0 would not start
 * Loading iptables state and starting firewall ...
 [ ok ]
 * Bringing up interface eth0
 * ...
 [ ok ]
 *   Adding routes
 * via ...
 [ ok ]
 * Starting dnsmasq ...
 [ ok ]

michelin ~ # /etc/init.d/syslog-ng depend
need net
use stunnel
config /etc/syslog-ng/syslog-ng.conf
use clock
need hostname localmount
provide logger

michelin ~ # /etc/init.d/iptables depend
before net
use logger
Comment 1 Ian Stakenvicius (RETIRED) gentoo-dev 2011-10-19 22:49:02 UTC
Could you add your emerge --info output please?  as well as whether or not you're using parallel startup?
Comment 2 Thomas Albers 2011-10-19 23:57:31 UTC
michelin ~ # emerge --info
portage (default/linux/amd64/10.0, gcc-4.5.3, glibc-2.12.2-r0, 2.6.39-gentoo-r3 x86_64)
System uname: Linux-2.6.39-gentoo-r3-x86_64-AMD_Phenom-tm-_II_X6_1090T_Processor-with-gentoo-2.0.3
Timestamp of tree: Sat, 15 Oct 2011 19:30:01 +0000
app-shells/bash:          4.1_p9
dev-lang/python:          2.7.1-r1, 3.1.3-r1
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.8.3-r1
sys-apps/sandbox:         2.4
sys-devel/autoconf:       2.68
sys-devel/automake:       1.11.1
sys-devel/binutils:       2.21.1-r1
sys-devel/gcc:            4.5.3-r1
sys-devel/gcc-config:     1.4.1-r1
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 2.6.39 (virtual/os-headers)
sys-libs/glibc:           2.12.2
Repositories: gentoo
CFLAGS="-O2 -march=barcelona -pipe"
CONFIG_PROTECT="/etc /var/yp/Makefile"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=barcelona -pipe"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
USE="acl amd64 berkdb bzip2 cli cracklib crypt cups cxx dri fortran gdbm gpm iconv mmx modules mudflap multilib ncurses nfsv3 nis nls nptl nptlonly openmp pam pcre pppd readline session sse sse2 ssl sysfs unicode xorg zlib"
RSYNC_EXTRA_OPTS
Comment 3 Thomas Albers 2011-10-19 23:59:11 UTC
(In reply to comment #1)
> Could you add your emerge --info output please?  as well as whether or not
> you're using parallel startup?

michelin ~ # cat /etc/rc.conf
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2011-10-28 13:21:32 UTC
Thomas, please show output of:
rc-config show --all
Comment 5 Thomas Albers 2011-10-29 01:22:09 UTC
The system has gone into production use, so I cannot now take it down or make modifications easily.

Line 23 in /etc/init.d/iptables has been modified to read
# use logger

ta@michelin ~ $ rc-config show --all
Status of init scripts in runlevel "boot"
  bootmisc                  [started]
  fsck                      [started]
  hostname                  [started]
  hwclock                   [started]
  keymaps                   [started]
  localmount                [started]
  modules                   [started]
  mtab                      [started]
  net.lo                    [started]
  procfs                    [started]
  root                      [started]
  swap                      [started]
  sysctl                    [started]
  termencoding              [started]
  urandom                   [started]
Status of init scripts in runlevel "default"
  dnsmasq                   [started]
  iptables                  [started]
  local                     [started]
  net.eth0                  [started]
  net.eth1                  [started]
  nfs                       [started]
  ntpd                      [started]
  opensm                    [started]
  sshd                      [started]
  syslog-ng                 [started]
  udev-postmount            [started]
  vixie-cron                [started]
  vsftpd                    [started]
  webfs                     [started]
  ypserv                    [started]
Status of init scripts in runlevel "shutdown"
  killprocs                 [stopped]
  mount-ro                  [stopped]
  savecache                 [stopped]
Status of init scripts in runlevel "sysinit"
  devfs                     [started]
  dmesg                     [started]
  udev                      [started]
Comment 6 Thomas Albers 2011-10-29 18:05:45 UTC
To make it clearer, the syslog-ng initscript adds the dependence NEED net when the daemon is configured to read or write from a tcp or udp socket (lines 10-12 in /etc/init.d/syslog-ng).
Comment 7 Travis Hansen 2012-01-09 23:45:42 UTC
I just got nailed by this.  Trying to set up a load balancer with haproxy/stunnel and haproxy also requires udp syslog functionality.

The machine is not quite in production yet so if you need some info/testing I'd be happy to help if it's soon.
Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2012-01-09 23:56:22 UTC
I propose we drop the 'use logger' from the init.d/iptables
and instead convert it to a commented block in conf.d/iptables as follows:
# If you need to log iptables messages as soon as iptables starts,
# AND your logger does NOT depend on the network, then you may wish
# to uncomment the next line.
# If your logger depends on the network, and you uncomment this line
# you will create an unresolvable circular dependency during startup.
# After commenting or uncommenting this line, you must run 'rc-update -u'.
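The ordering conflict from the bug description (iptables: `before net` and `use logger`; syslog-ng: `need net` and `provide logger`) and the opt-in that comment 8 proposes, modelled as an added example. This is not code from the bug report, from OpenRC or from Gentoo's iptables initscript: it is a small dependency resolver that applies OpenRC's need/use/before/after/provide keywords to the service set taken from the `depend` output above, reports the cycle, and then shows that dropping the `use logger` line (the reporter's workaround, and what comment 8 makes opt-in through conf.d) yields a valid start order. The service table is constructed for this example (net.lo and runlevel filtering are left out), and the function names are this example's own. The conf.d line comment 8 refers to is not shown on the page; OpenRC reads `rc_use` from /etc/conf.d/<service>, and that the proposed line would read `rc_use="logger"` is an assumption of this example.

```python
"""Model of OpenRC-style service dependency ordering (added example).

Reproduces the bug: with `use logger` in iptables and `need net` in syslog-ng
there is no order that satisfies every constraint. Simplified relative to real
OpenRC: every listed service is assumed to be in the runlevel, so `use` is
treated like `need` for ordering purposes.
"""

# Constructed from the `depend` output in the report (assumption: these are
# the only services that matter for the cycle; net.lo is omitted).
SERVICES = {
    "net.eth0": {"provide": ["net"]},
    "syslog-ng": {"need": ["net", "hostname", "localmount"], "provide": ["logger"]},
    "iptables": {"before": ["net"], "use": ["logger"]},
    "hostname": {},
    "localmount": {},
}


def providers(services):
    """Map each name (service or virtual such as 'net', 'logger') to its providers."""
    table = {name: [name] for name in services}
    for name, deps in services.items():
        for virt in deps.get("provide", []):
            table.setdefault(virt, []).append(name)
    return table


def build_edges(services):
    """Return (first, later) pairs meaning `first` must be started before `later`."""
    prov = providers(services)
    edges = set()
    for name, deps in services.items():
        for keyword in ("need", "use", "after"):      # dependency starts first
            for dep in deps.get(keyword, []):
                for p in prov.get(dep, []):
                    if p != name:
                        edges.add((p, name))
        for dep in deps.get("before", []):            # this service starts first
            for p in prov.get(dep, []):
                if p != name:
                    edges.add((name, p))
    return edges


def find_cycle(services):
    """Return one dependency cycle as a closed list of names, or None."""
    succ = {}
    for a, b in sorted(build_edges(services)):
        succ.setdefault(a, []).append(b)
    state = {n: "new" for n in services}              # new / active / done
    path = []

    def visit(n):
        state[n] = "active"
        path.append(n)
        for m in succ.get(n, []):
            if state[m] == "active":                  # back edge: a cycle
                return path[path.index(m):] + [m]
            if state[m] == "new":
                found = visit(m)
                if found:
                    return found
        path.pop()
        state[n] = "done"
        return None

    for n in sorted(services):
        if state[n] == "new":
            found = visit(n)
            if found:
                return found
    return None


def start_order(services):
    """Kahn's algorithm; returns a start order, or None when a cycle exists."""
    if find_cycle(services):
        return None
    indeg = {n: 0 for n in services}
    succ = {n: [] for n in services}
    for a, b in sorted(build_edges(services)):
        indeg[b] += 1
        succ[a].append(b)
    ready = sorted(n for n in services if indeg[n] == 0)
    order = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for m in succ[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                ready.append(m)
                ready.sort()
    return order


def drop_dep(services, name, keyword, dep):
    """Copy `services` with one dependency removed (models commenting out `use logger`)."""
    copy = {n: {k: list(v) for k, v in d.items()} for n, d in services.items()}
    copy[name][keyword] = [d for d in copy[name].get(keyword, []) if d != dep]
    return copy


if __name__ == "__main__":
    print("as shipped:", find_cycle(SERVICES))
    fixed = drop_dep(SERVICES, "iptables", "use", "logger")
    print("without 'use logger':", start_order(fixed))
```

Run as shipped, the model reports the cycle iptables -> net.eth0 -> syslog-ng -> iptables, which is the situation behind the "cannot start syslog-ng as net.eth0 would not start" line in the reporter's rc.log; after `drop_dep` removes `use logger`, iptables is ordered before net.eth0 and syslog-ng after it.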
Comment 9 William Hubbs gentoo-dev 2012-05-21 19:38:13 UTC
We would need to also apply the same changes to /etc/init.d/ip6tables
and /etc/conf.d/ip6tables.
Comment 10 William Hubbs gentoo-dev 2012-05-21 19:40:17 UTC
*** Bug 408753 has been marked as a duplicate of this bug. ***
Comment 11 William Hubbs gentoo-dev 2012-05-21 21:25:57 UTC
This has been fixed in iptables-1.4.13-r1.