FEDORA-2018-1c31f1eccd

bugfix update in Fedora 27 for iptables

Status: obsolete

Comments 35

This update has been submitted for testing by mooninite.

This update has been pushed to testing.

iptables command and service scripts work

karma: +1

I have a system with iptables/ip6tables configured as services. There seems to be a race to get the xtables lock file with this version. I have either iptables or ip6tables failing on boot. I can start either the service later on. A typical message:

ip6tables.init[714]: ip6tables: Applying firewall rules: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

karma: -1 critpath: -1

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

Just as an FYI, downgrading to 1.6.1-4 makes both services work on boot again.

karma: -1 critpath: -1

SELinux is preventing iptables-restor from read access on the file xtables.lock

And adding semodule for iptables results in:

ip6tables.init[627]: ip6tables: Applying firewall rules: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
ip6tables.init[627]: [FAILED]

karma: -1

works for me but no ipv6 here

works for me

karma: +1

I'm going to unpush. The issue with ip6tables will be addressed before this is pushed.

This update has been unpushed.

mooninite edited this update.

New build(s):

  • iptables-1.6.2-2.fc27

Removed build(s):

  • iptables-1.6.2-1.fc27

Karma has been reset.

This update has been submitted for testing by mooninite.

The startup race with iptables/ip6tables has been fixed. Please re-test this latest update.

This update has been pushed to testing.

Works fine in build 1.6.2-2

karma: +1 critpath: +1

...except for SELinux keeps preventing iptables from start

It works here (-2), but I do have these extra SELinux policy rules in a local module:

allow iptables_t plymouthd_t:unix_stream_socket connectto;
allow iptables_t var_run_t:file { read lock open };

So, that should also be fixed, I guess. The above is based on denials I've seen in my audit.log over some time.

karma: +1 critpath: +1

no regressions noted

karma: +1

selinux-policy-3.13.1-283.27.fc27.noarch kernel-4.15.9-300.fc27.x86_64 iptables-1.6.2-2.fc27.x86_64

my workaround: cat /etc/systemd/system/iptables.service.d/override.conf

[Service]
ExecStartPre=-/usr/libexec/iptables/iptables.init start
ExecStartPre=-/usr/sbin/restorecon /run/xtables.lock

systemctl status iptables

Process: 1741 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Process: 1740 ExecStartPre=/usr/sbin/restorecon -F /run/xtables.lock (code=exited, status=0/SUCCESS) (!!!)
Process: 1714 ExecStartPre=/usr/libexec/iptables/iptables.init start (code=exited, status=1/FAILURE)
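As an added example (not from this thread or the iptables package), a small POSIX sh triage helper that classifies the two boot failure modes reported above, the xtables lock race and the SELinux denial on /run/xtables.lock, from journal or audit lines. The sample lines are constructed from the messages quoted in the thread; the AVC line's fields are assumed to follow the usual audit format.

```shell
#!/bin/sh
# Added example, not from the Bodhi page or the iptables package.
# Classifies iptables/ip6tables startup failures into the two modes seen
# in the thread so a defender can tell a lock race from a labeling problem.

# Constructed sample input, modelled on the messages quoted in the thread.
SAMPLE_LOG='ip6tables.init[714]: ip6tables: Applying firewall rules: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
type=AVC msg=audit(1520000000.123:45): avc:  denied  { read } for  pid=700 comm="iptables-restor" name="xtables.lock" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
iptables.init[712]: iptables: Applying firewall rules: [  OK  ]'

# classify_line LINE -> prints one of: lock-race, selinux-denial, ok, other
classify_line() {
    case "$1" in
        *"Another app is currently holding the xtables lock"*) echo lock-race ;;
        *"avc:  denied"*"xtables.lock"*) echo selinux-denial ;;
        *"Applying firewall rules: [  OK  ]"*) echo ok ;;
        *) echo other ;;
    esac
}

# classify_log reads lines on stdin and prints one count per category,
# e.g. "lock-race=1 selinux-denial=1 ok=1 other=0".
classify_log() {
    lock=0; sel=0; ok=0; other=0
    while IFS= read -r line; do
        case "$(classify_line "$line")" in
            lock-race)      lock=$((lock + 1)) ;;
            selinux-denial) sel=$((sel + 1)) ;;
            ok)             ok=$((ok + 1)) ;;
            *)              other=$((other + 1)) ;;
        esac
    done
    printf 'lock-race=%d selinux-denial=%d ok=%d other=%d\n' \
        "$lock" "$sel" "$ok" "$other"
}

# Run over the constructed sample; on a real host feed it
# `journalctl -u iptables -u ip6tables -b` and /var/log/audit/audit.log instead.
printf '%s\n' "$SAMPLE_LOG" | classify_log
```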

This update has reached the stable karma threshold and can be pushed to stable now if the maintainer wishes.

Works fine for me!

karma: +1 critpath: +1

Works for me

karma: +1

worked

karma: +1

We need more noise on bug 1551463 in order to send this to stable. I'm unpushing this for now.

This update has been unpushed.

Can we split out the nftables/libnfntl updates on their own? There's a request to update them in https://bugzilla.redhat.com/show_bug.cgi?id=1565632

mooninite edited this update.

Removed build(s):

  • libnftnl-1.0.9-2.fc27
  • nftables-0.8.2-2.fc27

Karma has been reset.

This update has been submitted for testing by mooninite.

This update has been pushed to testing.

FYI: the latest selinux-policy should have fixed this. I'm pushing this out again.

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes

This update has been obsoleted by iptables-1.6.2-3.fc27.


Content Type: RPM
Status: obsolete
Submitted by: mooninite
Update Type: bugfix
Update Severity: unspecified
Karma: 0 (stable threshold: 3, unstable threshold: -3)
Autopush (karma): Disabled
Autopush (time): Disabled
Dates: submitted 2 years ago; in testing a year ago; modified a year ago

Related Bugs (1)

#1417323 iptables-1.6.2 is available
