| Summary: | Firewall not starting when Mageia is installed using online repositories, pulling updated iptables | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Pana Sum <panasum> |
| Component: | RPM Packages | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, fri, guillaume.royer, kernel, mageia, mageia, marja11, ottoleipala1, sysadmin-bugs, yvesbrungard |
| Version: | 9 | Keywords: | IN_ERRATA9, advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK MGA9-32-OK | ||
| Source RPM: | iptables-1.8.9-2.2.mga9 | CVE: | |
| Status comment: | |||
| Attachments: | Requested file report.bug.xz | ||
|
Description
Pana Sum
2023-11-27 14:51:25 CET
Thank you for the report. CC:
(none) =>
lewyssmith continuing... Do not know whether this is down to the installer or the package, assigning for the former. The /var/log/shorewall-init.log extract shown in comment 0 is very definite. Source RPM:
shorewall-5.2.8-4.mga9.src.rpm =>
shorewall-5.2.8-4.mga9.src.rpm, netinstall I have run the following command as root: /usr/libexec/iptables.init start And afterwards I can start shorewall and it seems to be working properly. Even after restarting the computer, the firewall works, so the above command has to be run only once. This command might be missing from the post installation when using netinstall? Hello, I have installed MGA9 on ACER Aspire ONE with netinstall. I found the same problem with shorewall. I applied the command /usr/libexec/iptables.init start and it works again. CC:
(none) =>
guillaume.royer As both have netinstall, can you provide /root/drakx/report.bug.xz which should be related to your installation phase. CC:
(none) =>
kernel, yvesbrungard Created attachment 14194 [details]
Requested file report.bug.xz
As this is an installer we try to fix it at least until next Mageia release. That said, I see no reason netinstaller.iso could not be updated for mga9. CC:
(none) =>
fri Maybe this should be added to the Errata while it is fixed.
Morgan Leijström
2023-12-07 18:48:07 CET
Keywords:
(none) =>
FOR_ERRATA9 It seems not to be bug in installer as shorewall service fails to start on boot also evert boot.... Iptables seems to be main problem as it complains: ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system CC:
(none) =>
ottoleipala1 So the problem appear also when system is installed using classic installer? If so please adjust bug header accordingly, and errata to be adjusted too. The problem does not appear when using the classic installer on its own. It does appear if you enable additional online media at the start of installation. This indicates the problem stems from an updated package. Looking at the iptables package, the release version (iptables-1.8.9-2.mga9) contains a call to /usr/libexec/iptables.init check in its postinstall scriptlet. That has been removed in the updated version (iptables-1.8.9-2.2.mga9). This is almost certainly the cause of this bug. Reassigning appropriately and CC'ing Marc, who made that change. CC:
(none) =>
mageia, mageia
papoteur
2023-12-10 11:07:57 CET
Summary:
Firewall not starting when Mageia is installed using the netinstall iso =>
Firewall not starting when Mageia is installed using online repositories, pulling updated iptables These commands seems to fix it: /usr/libexec/iptables.init check /usr/libexec/iptables.init start then sudo systemctl start shorewall/shorewall6, no any issues starts fine... Here is systemctl status when commands up i did and then started shorewall...
sudo systemctl status shorewall
● shorewall.service - Shorewall IPv4 firewall
Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; preset: enabled)
Active: active (exited) since Wed 2023-12-13 13:09:18 EET; 1h 8min ago
Process: 102524 ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS (code=exited, status=0/SUCCESS)
Main PID: 102524 (code=exited, status=0/SUCCESS)
CPU: 591ms
joulu 13 13:09:18 ozky-pc shorewall[102703]: Processing /etc/shorewall/tcclear ...
joulu 13 13:09:18 ozky-pc shorewall[102703]: Setting up Route Filtering...
joulu 13 13:09:18 ozky-pc shorewall[102703]: Setting up Martian Logging...
joulu 13 13:09:18 ozky-pc shorewall[102703]: Setting up Proxy ARP...
joulu 13 13:09:18 ozky-pc shorewall[102703]: Preparing iptables-restore input...
joulu 13 13:09:18 ozky-pc shorewall[102703]: Running /sbin/iptables-restore --wait 60...
joulu 13 13:09:18 ozky-pc shorewall[102703]: Processing /etc/shorewall/start ...
joulu 13 13:09:18 ozky-pc shorewall[102703]: Processing /etc/shorewall/started ...
joulu 13 13:09:18 ozky-pc shorewall[102703]: done.
joulu 13 13:09:18 ozky-pc systemd[1]: Finished shorewall.service.
I have to look into this. /usr/libexec/iptables.init really is an very old init script. This is and should be removed. It should be transformed to systemctl start iptables - this will do the things that needs to be done. we really should remove these old initscripts barely converted into new systemd units. this is a very odd behaviour. iptables check does some very wired stuff. And clearly stuff that should be done in postinstall: linking /lib64/iptables.d/xx to /lib64/iptables or setting nat rules. Yes you so right.... Systemd can do these very much more better... i'm not very pro with initscripts or very deep in systemd.... Only know how to write basic systemd service... Updated iptables packages to fix an error on new installations: A missing symlink prevented loading of modules for iptables. Due to this bug shorewall did not start anymore. Additonally the reload mechanism of iptables was fixed. Updated packages in core/updates_testing: ======================== lib64ip4tc2-1.8.9-2.3.mga9 lib64iptables-devel-1.8.9-2.3.mga9 lib64ip6tc2-1.8.9-2.3.mga9 lib64ipq0-debuginfo-1.8.9-2.3.mga9 lib64iptables12-1.8.9-2.3.mga9 lib64ip4tc2-debuginfo-1.8.9-2.3.mga9 lib64ip6tc2-debuginfo-1.8.9-2.3.mga9 lib64ip4tc-devel-1.8.9-2.3.mga9 lib64ip6tc-devel-1.8.9-2.3.mga9 iptables-nft-1.8.9-2.3.mga9 lib64ipq0-1.8.9-2.3.mga9 lib64ipq-devel-1.8.9-2.3.mga9 lib64iptables12-debuginfo-1.8.9-2.3.mga9 lib64iptc-devel-1.8.9-2.3.mga9 iptables-1.8.9-2.3.mga9 iptables-debugsource-1.8.9-2.3.mga9 iptables-debuginfo-1.8.9-2.3.mga9 SRPM: iptables-1.8.9-2.3.mga9.src.rpm Assignee:
pkg-bugs =>
qa-bugs Advisory from comment 19 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete" CC:
(none) =>
marja11 (In reply to Marc Krämer from comment #19) > Updated iptables packages to fix an error on new installations: > > A missing symlink prevented loading of modules for iptables. Due to this bug > shorewall did not start anymore. > Additonally the reload mechanism of iptables was fixed. > > > Updated packages in core/updates_testing: > ======================== > lib64ip4tc2-1.8.9-2.3.mga9 > lib64iptables-devel-1.8.9-2.3.mga9 > lib64ip6tc2-1.8.9-2.3.mga9 > lib64ipq0-debuginfo-1.8.9-2.3.mga9 > lib64iptables12-1.8.9-2.3.mga9 > lib64ip4tc2-debuginfo-1.8.9-2.3.mga9 > lib64ip6tc2-debuginfo-1.8.9-2.3.mga9 > lib64ip4tc-devel-1.8.9-2.3.mga9 > lib64ip6tc-devel-1.8.9-2.3.mga9 > iptables-nft-1.8.9-2.3.mga9 > lib64ipq0-1.8.9-2.3.mga9 > lib64ipq-devel-1.8.9-2.3.mga9 > lib64iptables12-debuginfo-1.8.9-2.3.mga9 > lib64iptc-devel-1.8.9-2.3.mga9 > iptables-1.8.9-2.3.mga9 > iptables-debugsource-1.8.9-2.3.mga9 > iptables-debuginfo-1.8.9-2.3.mga9 > > > SRPM: > iptables-1.8.9-2.3.mga9.src.rpm Thanks i did tested it in Virtualbox install of Mageia9 x86_64 and x86....both arch fine,,,, Btw should Cauldron make change some point to port to systemd fully from legacy initscript?
katnatek
2023-12-14 20:45:38 CET
Whiteboard:
(none) =>
MGA9-64-OK MGA9-32-OK Validating. Keywords:
(none) =>
validated_update An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2023-0146.html Resolution:
(none) =>
FIXED |