OpenRC fails to shutdown iptables

Topic: OpenRC fails to shutdown iptables (Read 250 times) previous topic - next topic

0 Members and 1 Guest are viewing this topic.

OpenRC fails to shutdown iptables

09 February 2025, 13:34:33

I always get this message in my /var/log/rc.log :

iptables         | * Your kernel lacks iptables support, please load
iptables         | * appropriate modules and try again.

iptables         | * ERROR: iptables failed to stop

It seems Iptables itself works ok:

Code: [Select]

Chain INPUT (policy ACCEPT 1 packets, 345 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

On pre_stop, Iptables service looks for /proc/net/ip_tables_names file which does not exist hence the error. I actually have thousands of ip_tables_names files at /proc/"num"/net/ip_tables_names and /proc/"num"/task/"num"/net/ip_tables_names where "num" is a number from 1 to several thousands. I beleive all the ip_tables_names contain just a word "filter".

My /usr/bin/iptables points at /usr/bin/xtables-legacy-multi binary file

Is it ok to correct the service file to make it look for /proc/1/net/ip_tables_names instead ?

Re: OpenRC fails to shutdown iptables

Reply #1 – 09 February 2025, 14:31:57

Looks a bit janky (I don't even use iptables on my desktop so what do I know) in at least the fact that the script uses the checkkernel() function on stop_pre() and reload() but thankfully not on any of the start functions. If it did iptables would not be working at all.
And as it is it reloading iptables would not work.
The latest init.d script from Gentoo has some differences but not that location.Spoiler (click to show/hide)

Code: [Select]

--- a	2023-06-01 00:21:11.000000000 +0100
+++ b	2025-01-13 09:13:54.000000000 +0000
@@ -1,4 +1,4 @@
-#!/usr/bin/openrc-run
+#!/sbin/openrc-run
 # Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
@@ -14,7 +14,7 @@
 	*) iptables_name="iptables" ;;
 esac
 
-iptables_bin="/usr/bin/${iptables_name}"
+iptables_bin="/sbin/${iptables_name}"
 case ${iptables_name} in
 	iptables)  iptables_proc="/proc/net/ip_tables_names"
 	           iptables_save=${IPTABLES_SAVE};;
@@ -100,14 +100,16 @@
 reload() {
 	checkkernel || return 1
 	checkrules || return 1
-	ebegin "Flushing firewall"
-	local has_errors=0 a
+	local has_errors=0 a flushed=0
 	for a in $(cat ${iptables_proc}) ; do
-		${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a
-		[ $? -ne 0 ] && has_errors=1
-
-		${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a
-		[ $? -ne 0 ] && has_errors=1
+		if ! grep -q "^\*${a}$" "${iptables_save}" ; then
+			[ $flushed -eq 0 ] && ebegin "Flushing firewall" && flushed=1
+			${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a
+			[ $? -ne 0 ] && has_errors=1
+
+			${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a
+			[ $? -ne 0 ] && has_errors=1
+		fi
 	done
 	eend ${has_errors}

You could just ignore the error. Or what I would probably do is just change the checkkernel() function to simply return 0 and then add /etc/init.d/iptables (and the ipv6 version if needed) to NoExtract in /etc/pacman.conf

Maybe it will get fixed or possibly it doesn't need fixing and the /proc/net/ip_tables_names file should be there?
I have no clue about much of anything and definitely not that

Re: OpenRC fails to shutdown iptables

Reply #2 – 09 February 2025, 16:47:40

I'm wondering why /proc/net/ip_tables_names isn't present too, as I didn't encounter this issue just several months ago. For all I care, I just want to make sure that iptables is working correctly.

Re: OpenRC fails to shutdown iptables

Reply #3 – 09 February 2025, 17:21:08

Sometimes I can't see the wood for the trees.

You have no rules. Therefore iptables is doing nothing. I installed it and the script could not even be enabled without at least one rule saved. Then when starting the service /proc/net/ip_tables_names was created.

You may as well disable iptables unless you have some rules as it's doing exactly nothing without them.

And that explains the lack of a kernelcheck function in the start functions. Bound to fail by that method of checking.
I'm sticking with janky though.

Re: OpenRC fails to shutdown iptables

Reply #4 – 09 February 2025, 20:52:58

Upon adding up some rules, I noticed that /proc/net/ip_tables_names reappeared immediately. Thank you, @gripped !