rpms/iptables
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Kill module unloading support

Browse Source 
The whole concept is unfixably broken:

Some kernel modules are used by both IPv4 and IPv6 netfilter and the
algorithm has no way to identify this situation. Therefore if iptables
and ip6tables services are restarted in parallel, one's module unloading
tends to stomp onto the other's attempt at loading rules.

Another problem is with OVS: iptables service unloading conntrack
modules breaks a running OVS instance.
This commit is contained in:
Phil Sutter 2018-02-28 08:18:43 +01:00
parent 7ad3a27f69
commit 948527f3fe
2 changed files with 0 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
iptables-config
View File

@ -5,13 +5,6 @@
# stored in /etc/modprobe.conf. # stored in /etc/modprobe.conf.
IPTABLES_MODULES="" IPTABLES_MODULES=""
# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"
# Save current firewall rules on stop. # Save current firewall rules on stop.
# Value: yes|no, default: no # Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped # Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped

53
iptables.init
View File

@ -48,7 +48,6 @@ fi
# Default firewall configuration: # Default firewall configuration:
IPTABLES_MODULES="" IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no" IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no" IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no" IPTABLES_SAVE_COUNTER="no"
@ -60,46 +59,10 @@ IPTABLES_SYSCTL_LOAD_LIST=""
# Load firewall configuration. # Load firewall configuration.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
# Netfilter modules
NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables)
NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6
# Get active tables # Get active tables
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
rmmod_r() {
# Unload module with all referring modules.
# At first all referring modules will be unloaded, then the module itself.
local mod=$1
local ret=0
local ref=
# Get referring modules.
# New modutils have another output format.
[ $NEW_MODUTILS = 1 ] \
&& ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \
|| ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
# recursive call for all referring modules
for i in $ref; do
rmmod_r $i
let ret+=$?;
done
# Unload module.
# The extra test is for 2.6: The module might have autocleaned,
# after all referring modules are unloaded.
if grep -q "^${mod}" /proc/modules ; then
modprobe -r $mod > /dev/null 2>&1
res=$?
[ $res -eq 0 ] || echo -n " $mod"
let ret+=$res;
fi
return $ret
}
flush_n_delete() { flush_n_delete() {
# Flush firewall rules and delete chains. # Flush firewall rules and delete chains.
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
@ -264,22 +227,6 @@ stop() {
# And then, flush the rules and delete chains # And then, flush the rules and delete chains
flush_n_delete flush_n_delete
if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
echo -n $"${IPTABLES}: Unloading modules: "
ret=0
for mod in ${NF_MODULES[*]}; do
rmmod_r $mod
let ret+=$?;
done
# try to unload remaining netfilter modules used by ipv4 and ipv6
# netfilter
for mod in ${NF_MODULES_COMMON[*]}; do
rmmod_r $mod >/dev/null
done
[ $ret -eq 0 ] && success || failure
echo
fi
rm -f $VAR_SUBSYS_IPTABLES rm -f $VAR_SUBSYS_IPTABLES
return $ret return $ret
} }