Bug 155608 - libipt_recent.so not built due to spec file problem
Summary: libipt_recent.so not built due to spec file problem
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: glibc-kernheaders
Version: 3.0
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: David Woodhouse
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks: 156320
 
Reported: 2005-04-21 19:19 UTC by Mike Kimmick
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHBA-2005-597
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-28 17:31:38 UTC


Links
System                  ID             Priority  Status        Summary                           Last Updated
Red Hat Product Errata  RHBA-2005:597  qe-ready  SHIPPED_LIVE  glibc-kernheaders bug fix update  2005-09-28 04:00:00 UTC

Description Mike Kimmick 2005-04-21 19:19:40 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050415 Firefox/1.0.2 Red Hat/1.0.2-1.4.1.TL1

Description of problem:
All packages fully updated as of 04-21-05.

Missing /lib/iptables/libipt_recent.so, and so cannot match on recent.


Version-Release number of selected component (if applicable):
iptables-1.2.8-12.3

How reproducible:
Always

Steps to Reproduce:
1. Try adding the following rule:
iptables -A INPUT -m recent --name badguy --rcheck --seconds 60 -j DROP

Actual Results:  The following error is printed:
iptables v1.2.8: Couldn't load match `recent':/lib/iptables/libipt_recent.so: cannot open shared object file: No such file or directory

Expected Results:  No error should occur and the recent extension should be available.

Additional info:

This is the exact same bug as found in the closed bug report 106002.

Essentially, the spec file for this version of iptables has an error where KERNEL_DIR is defined as /usr but should be defined as /usr/src/linux-2.4

Workaround:
1.Get iptables-1.2.8-12.3.src.rpm
2.Fix spec file by changing KERNEL_DIR defs
from /usr to /usr/src/linux-2.4 (5 lines)
3.Rebuild rpm.

Comment 1 Mike Kimmick 2005-04-21 21:02:15 UTC
Okay, now I have another issue.  After rebuilding the rpm and installing it, I
can add a line to match recent, and this works fine.
iptables -I INPUT -m recent --name badguy --rcheck --seconds 60 -j DROP

Saving the config and restarting iptables fails.  During iptables restart, I'm
getting the following error:

Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: mangle nat filter         [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules: Bad argument `recent:'
Error occured at line: 25
Try `iptables-restore -h' or 'iptables-restore --help' for more information.


This can be quite damaging as the firewall never gets loaded, and the machine is
wide-open for attack.

Comment 2 Mike Kimmick 2005-04-21 21:21:19 UTC
iptables-save is not saving the config correctly.

RHEL 4 works fine, and here is the saved data
-A INPUT -m recent --rcheck --seconds 60 --name badguy --rsource -j DROP

And here is what is saved under RHEL 3
-A INPUT -m recent recent: --seconds 1701970164 --hitcount 1953391971 --name 
--rsource -j DROP
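
The failure in Comment 1 is the dangerous half of this bug: the RHEL 3 init script flushes the rules and sets every chain to ACCEPT before iptables-restore runs, so a single bad `-m recent` line leaves the host with no firewall at all. The check below is an added example written for this page (editor's code, not from the bug report, from iptables or from Red Hat): it lints an iptables-save dump for malformed `recent` matches before the dump is handed to iptables-restore. The sample dump is constructed from the two rules quoted in Comment 2 plus a typical SSH-throttling pair of the kind Comment 4 refers to; the sanity bounds MAX_SECONDS and MAX_HITCOUNT are assumptions chosen for the example.

```python
"""Check an iptables-save dump for malformed '-m recent' matches before it is restored.

Editor's added example; not code from the bug report, from iptables or from Red Hat.
"""
import shlex
import struct

# Constructed sample input (not a real iptables-save capture): the RHEL 4 and RHEL 3
# lines from Comment 2, then an SSH-throttling pair as discussed in Comment 4.
SAVED_RULES = """\
-A INPUT -m recent --rcheck --seconds 60 --name badguy --rsource -j DROP
-A INPUT -m recent recent: --seconds 1701970164 --hitcount 1953391971 --name --rsource -j DROP
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
"""

# Options libipt_recent understands, mapped to whether each takes a value.
RECENT_OPTS = {
    "--name": True, "--set": False, "--rcheck": False, "--update": False,
    "--remove": False, "--seconds": True, "--hitcount": True,
    "--rttl": False, "--rsource": False, "--rdest": False,
}
# Assumed sanity bounds: anything larger is treated as corruption, not as a real policy.
MAX_SECONDS = 365 * 24 * 3600
MAX_HITCOUNT = 255


def recent_match_problems(line):
    """Return the problems found in every '-m recent' match on one saved rule line."""
    problems = []
    tokens = shlex.split(line)
    i = 0
    while i < len(tokens):
        if tokens[i] != "-m" or i + 1 >= len(tokens) or tokens[i + 1] != "recent":
            i += 1
            continue
        i += 2
        # Walk this match's options until the jump target or the next match spec.
        while i < len(tokens) and tokens[i] not in ("-j", "-m"):
            tok = tokens[i]
            takes_value = RECENT_OPTS.get(tok)
            if takes_value is None:
                problems.append("unknown token %r" % tok)
                i += 1
                continue
            if not takes_value:
                i += 1
                continue
            if i + 1 >= len(tokens) or tokens[i + 1].startswith("-"):
                problems.append("%s has no value" % tok)
                i += 1
                continue
            val = tokens[i + 1]
            limit = {"--seconds": MAX_SECONDS, "--hitcount": MAX_HITCOUNT}.get(tok)
            if limit is not None and (not val.isdigit() or int(val) > limit):
                problems.append("%s=%s out of range" % (tok, val))
            i += 2
    return problems


def lint_saved_rules(text):
    """Map 1-based line numbers to their problems; an empty dict means the dump is safe to restore."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        found = recent_match_problems(line)
        if found:
            report[n] = found
    return report


def as_little_endian_bytes(value):
    """Render a saved 32-bit integer as the bytes it occupied in the match structure.

    Editor's observation, not a claim made in the report: the two numbers from the RHEL 3
    dump decode to b'\\xf4\\x00re' and b'cent', i.e. the text 'recent' lying across what the
    library printed as --seconds and --hitcount. Numbers that spell text are the signature
    of userspace and kernel disagreeing on a struct layout, which fits the fix being moved
    into the headers (Comments 5 and 6).
    """
    return struct.pack("<I", value)


if __name__ == "__main__":
    for lineno, found in sorted(lint_saved_rules(SAVED_RULES).items()):
        print("line %d: %s" % (lineno, "; ".join(found)))
    for n in (1701970164, 1953391971):
        print("%d -> %r" % (n, as_little_endian_bytes(n)))
```

Run it against the output of `iptables-save` before the restore step; if the report is not empty, abort rather than let the init script continue from the flush-and-ACCEPT state shown in Comment 1. Only line 2 of the sample is flagged (the stray `recent:` token, both out-of-range counters and the empty `--name`); the correct RHEL 4 line and the SSH pair pass.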

Comment 3 Mike Kimmick 2005-04-22 15:16:10 UTC
From RHEL 4, iptables-1.2.11-3.1.RHEL4.src.rpm has the same spec file problem. 
Fixing and rebuilding iptables-1.2.11-3.1.RHEL4.src.rpm on RHEL 3 seems to work.
Can now add firewall rule to match on recent, and the rules are saved and
restored successfully.

Comment 4 Eric Wood 2005-05-10 03:11:35 UTC
This approach has worked on my RHEL3 system also.  Thanks. The 'recent' module
is very important in order to throttle ssh brute force attacks:
http://blog.andrew.net.au/2005/02/17/

RHEL3 and RHEL4 really need an iptables update asap.

Comment 5 Thomas Woerner 2005-05-11 11:28:47 UTC
iptables may not use the kernel headers directly. It has to use the
glibc-kernheaders instead. Assigning to glibc-kernheaders.

If it is fixed in the glibc-kernheaders package, please reassign to get the save
problem in the iptables recent module fixed.


Comment 6 David Woodhouse 2005-07-14 12:17:00 UTC
Adding ipt_recent.h to glibc-kernheaders.

Actually, since iptables is probably the only user of these headers, it should
probably carry its own copy instead of putting them in /usr/include/linux.

Comment 8 Red Hat Bugzilla 2005-09-28 17:31:38 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-597.html


