From 948527f3fe9f22614f8ccae43b69d298c9dbc3d8 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Wed, 28 Feb 2018 08:18:43 +0100
Subject: [PATCH] Kill module unloading support

The whole concept is unfixably broken: Some kernel modules are used by both IPv4 and IPv6 netfilter and the algorithm has no way to identify this situation. Therefore if iptables and ip6tables services are restarted in parallel, one's module unloading tends to stomp onto the other's attempt at loading rules.

Another problem is with OVS: iptables service unloading conntrack modules breaks a running OVS instance.
---
 iptables-config | 7 -------
 iptables.init | 53 -------------------------------------------------
 2 files changed, 60 deletions(-)

diff --git a/iptables-config b/iptables-config
index d9f6c34..ec61d23 100644
--- a/iptables-config
+++ b/iptables-config
@@ -5,13 +5,6 @@
 # stored in /etc/modprobe.conf.
 IPTABLES_MODULES=""
-# Unload modules on restart and stop
-# Value: yes|no, default: yes
-# This option has to be 'yes' to get to a sane state for a firewall
-# restart or stop. Only set to 'no' if there are problems unloading netfilter
-# modules.
-IPTABLES_MODULES_UNLOAD="yes"
-
 # Save current firewall rules on stop.
 # Value: yes|no, default: no
 # Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
diff --git a/iptables.init b/iptables.init
index beeffa4..59239ba 100755
--- a/iptables.init
+++ b/iptables.init
@@ -48,7 +48,6 @@ fi
 # Default firewall configuration:
 IPTABLES_MODULES=""
-IPTABLES_MODULES_UNLOAD="yes"
 IPTABLES_SAVE_ON_STOP="no"
 IPTABLES_SAVE_ON_RESTART="no"
 IPTABLES_SAVE_COUNTER="no"
@@ -60,46 +59,10 @@ IPTABLES_SYSCTL_LOAD_LIST=""
 # Load firewall configuration.
 [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
-# Netfilter modules
-NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables)
-NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6
-
 # Get active tables
 NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
-rmmod_r() {
- # Unload module with all referring modules.
- # At first all referring modules will be unloaded, then the module itself.
- local mod=$1
- local ret=0
- local ref=
-
- # Get referring modules.
- # New modutils have another output format.
- [ $NEW_MODUTILS = 1 ] \ && ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \ || ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
-
- # recursive call for all referring modules
- for i in $ref; do
- rmmod_r $i
- let ret+=$?;
- done
-
- # Unload module.
- # The extra test is for 2.6: The module might have autocleaned,
- # after all referring modules are unloaded.
- if grep -q "^${mod}" /proc/modules ; then
- modprobe -r $mod > /dev/null 2>&1
- res=$?
- [ $res -eq 0 ] || echo -n " $mod"
- let ret+=$res;
- fi
-
- return $ret
-}
-
 flush_n_delete() {
 # Flush firewall rules and delete chains.
 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
@@ -264,22 +227,6 @@ stop() {
 # And then, flush the rules and delete chains
 flush_n_delete
- if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
- echo -n $"${IPTABLES}: Unloading modules: "
- ret=0
- for mod in ${NF_MODULES[*]}; do
- rmmod_r $mod
- let ret+=$?;
- done
- # try to unload remaining netfilter modules used by ipv4 and ipv6
- # netfilter
- for mod in ${NF_MODULES_COMMON[*]}; do
- rmmod_r $mod >/dev/null
- done
- [ $ret -eq 0 ] && success || failure
- echo
- fi
-
 rm -f $VAR_SUBSYS_IPTABLES
 return $ret
 }
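Review bot: `return $ret` in the trailing context of the stop() hunk is left reading a variable whose only assignment in this function, `ret=0`, is deleted with the block above it, so stop()'s exit status now comes from whatever `ret` held before — apparently a value left behind by flush_n_delete, which is outside the hunk — or, if it is empty, from `return` with no operand, i.e. the status of the preceding `rm -f`. If the intent is to report the flush result, make that explicit by replacing the bare call with `flush_n_delete` followed by `ret=$?`, or use `return 0` if stop() is meant to always succeed once it reaches this point. stop() begins outside the hunk, so it may initialise `ret` earlier; worth checking before choosing.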