[Bug 617033] New: SuSEfirewall: bad detection of modules
http://bugzilla.novell.com/show_bug.cgi?id=617033
http://bugzilla.novell.com/show_bug.cgi?id=617033#c0

Summary: SuSEfirewall: bad detection of modules
Classification: openSUSE
Product: openSUSE 11.3
Version: Factory
Platform: All
OS/Version: Linux
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: jengelh@medozas.de
QAContact: qa@suse.de
Found By: Beta-Customer
Blocker: ---

When one runs a kernel with modules being compiled-in, such as all the conntracking extensions (nf_conntrack, nf_conntrack_ipv4, etc.), SuSEfirewall2 misjudges the situation and claims that there is no state matching.

Do not rely on modinfo. Check for /sys/module/nf_conntrack instead perhaps.

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=617033#c

Marcus Meissner <meissner@novell.com> changed:

What       | Removed                                   | Added
-----------|-------------------------------------------|-------------------
AssignedTo | bnc-team-screening@forge.provo.novell.com | lnussel@novell.com

http://bugzilla.novell.com/show_bug.cgi?id=617033#c1

Ludwig Nussel <lnussel@novell.com> changed:

What     | Removed | Added
---------|---------|------------
Status   | NEW     | ASSIGNED
Severity | Normal  | Enhancement

--- Comment #1 from Ludwig Nussel <lnussel@novell.com> 2010-06-25 10:06:35 CEST ---

Compiled in modules also appear in /sys/module? In that case I could use it in addition to modinfo. modinfo is still needed though as the /sys/module entry isn't there if the module is not loaded yet I suppose.

http://bugzilla.novell.com/show_bug.cgi?id=617033#c2

--- Comment #2 from Jan Engelhardt <jengelh@medozas.de> 2010-06-25 09:25:56 UTC ---

Yes when they have module parameters; cf. /sys/module/printk.

You can unconditionally modprobe -q nf_conntrack, then check for the /sys entry.

http://bugzilla.novell.com/show_bug.cgi?id=617033#c3

--- Comment #3 from Ludwig Nussel <lnussel@novell.com> 2010-06-28 16:06:24 CEST ---

Presence of nf_conntrack doesn't tell anything about the ipv6 state matching ability though, does it? I guess I'd have to check for nf_conntrack_ipv6 and xt_state?

http://bugzilla.novell.com/show_bug.cgi?id=617033#c4

--- Comment #4 from Jan Engelhardt <jengelh@medozas.de> 2010-06-28 14:46:43 UTC ---

nf_conntrack_ipv6 and xt_conntrack do not have any parameters, so they will not show up in /sys/module. Blech. I don't see a way to check for its availability without actually trying a dummy insertion à la

    # -u: only generate a unique name, do not leave a temp file behind
    unref=unref-$(mktemp -u XXXXXX)
    ip6tables -N "$unref"
    ip6tables -A "$unref" -m conntrack --ctstate NEW
    ip6tables -F "$unref"
    ip6tables -X "$unref"

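An added example, not taken from the bug thread or from SuSEfirewall2, that puts the two signals from comments #2 and #4 side by side: the /sys/module hint and the dummy-rule probe on an unreferenced chain. The function names, return codes and the overridable sysfs root are assumptions made for illustration.

```shell
#!/bin/sh
# Illustrative sketch: module_in_sysfs, probe_ctstate and state_match_report
# are hypothetical names, not part of SuSEfirewall2.

# True if NAME has a directory under sysfs. Built-in code only appears there
# when it has module parameters, so "absent" does not mean "unsupported".
# $2 optionally overrides the sysfs root (assumption, for offline testing).
module_in_sysfs() {
    [ -d "${2:-/sys/module}/$1" ]
}

# Functional check: add a conntrack rule to a scratch chain that nothing
# jumps to, then remove the chain again. $1 is iptables or ip6tables.
# Returns 0 = match usable, 1 = rule rejected, 2 = probe could not run
# (for example: not root, or the tool is missing).
probe_ctstate() {
    ipt=$1
    chain="unref-$$"
    "$ipt" -N "$chain" 2>/dev/null || return 2
    if "$ipt" -A "$chain" -m conntrack --ctstate NEW 2>/dev/null; then
        probe_rc=0
    else
        probe_rc=1
    fi
    # Clean up the scratch chain whatever the outcome was.
    "$ipt" -F "$chain" 2>/dev/null || :
    "$ipt" -X "$chain" 2>/dev/null || :
    return "$probe_rc"
}

# Print both signals, e.g.: state_match_report ip6tables nf_conntrack_ipv6
state_match_report() {
    if module_in_sysfs "$2" "$3"; then hint=present; else hint=absent; fi
    if probe_ctstate "$1"; then
        verdict=usable
    else
        case $? in 1) verdict=unsupported ;; *) verdict=unknown ;; esac
    fi
    echo "sysfs:$hint probe:$verdict"
}
```

A result of `probe:unknown` means the check itself failed and should not be read as missing state matching.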
http://bugzilla.novell.com/show_bug.cgi?id=617033#c5

--- Comment #5 from Ludwig Nussel <lnussel@novell.com> 2010-06-28 16:55:56 CEST ---

Well, I could also just yank that auto detection code. Nowadays I'd expect any kernel to just support ipv6 state matching. Developers with self compiled kernels can still set FW_IPv6 manually if needed.

http://bugzilla.novell.com/show_bug.cgi?id=617033#c6

--- Comment #6 from Jan Engelhardt <jengelh@medozas.de> 2010-06-28 15:02:22 UTC ---

Simple enough :-)

http://bugzilla.novell.com/show_bug.cgi?id=617033#c7

Ludwig Nussel <lnussel@novell.com> changed:

What       | Removed  | Added
-----------|----------|---------
Status     | ASSIGNED | RESOLVED
Resolution |          | FIXED

--- Comment #7 from Ludwig Nussel <lnussel@novell.com> 2010-06-28 17:06:34 CEST ---

Fixed in git HEAD, post 11.3 though.

http://bugzilla.novell.com/show_bug.cgi?id=617033#c

Jan Engelhardt <jengelh@medozas.de> changed:

What   | Removed  | Added
-------|----------|---------
Status | RESOLVED | VERIFIED

http://bugzilla.novell.com/show_bug.cgi?id=617033#c8

--- Comment #8 from Bernhard Wiedemann <bwiedemann@suse.com> ---

This is an autogenerated message for OBS integration:
This bug (617033) was mentioned in https://build.opensuse.org/request/show/44504 Factory / SuSEfirewall2