Bug Fix Advisory: iptables bug fix and enhancement update

Advisory: RHBA-2013:1710-1
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2013-11-20
Last updated on: 2013-11-20
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Workstation (v. 6)

Details

Updated iptables packages that fix several bugs and add two enhancements are now
available for Red Hat Enterprise Linux 6.

The iptables utility controls the network packet filtering code in the Linux
kernel. The utility allows users to perform certain operations such as setting
up firewalls or IP masquerading.

This update fixes the following bugs:

* A previous version of iptables added the "alternatives" functionality support
for the /lib/xtables/ or /lib64/xtables/ directory. However, iptables failed to
replace the directory with the alternatives slave symbolic link when upgrading
iptables with the "yum upgrade" command and the directory contained custom
plug-in files. Consequently, some iptables modules became unavailable. This
problem has been fixed by modifying the iptables spec file so that the
/lib/xtables/ or /lib64/xtables/ directory is no longer managed by
"alternatives". (BZ#924362)

* The iptables-save command previously supported only the "--modprobe=" option
to specify the path to the modprobe executable. However, the iptables-save(8)
man page incorrectly stated that this could be done using an unsupported
option, "-M", which could lead to confusion. The iptables-save command has been
modified to support the "-M" option for specifying the path to modprobe, and
the iptables-save(8) man page has been corrected so that it now mentions both
the "-M" and "--modprobe=" options. (BZ#983198)

* Due to a bug in the iptables init script, the system could become unresponsive
during shutdown when using a network-based root device if the default filter
policy for INPUT or OUTPUT was DROP. This problem has been fixed by setting the
default chain policy to ACCEPT before flushing the iptables rules and deleting
the iptables chains. (BZ#1007632)
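
The ordering described for BZ#1007632, as an added dry-run example (not the init script's own code): the policy is opened before rules are flushed and chains deleted, and a small check rejects the reverse order. The function names and the hard-coded built-in chain lists are assumptions of this example; commands are only printed, never executed.

```shell
#!/bin/sh
# Added example: dry-run plan for stopping the firewall in the fixed order.

# Built-in chains per table (assumed list, hard-coded for the example).
builtin_chains() {
    case "$1" in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING POSTROUTING OUTPUT" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)    echo "PREROUTING OUTPUT" ;;
        *)      return 1 ;;
    esac
}

# stop_plan TABLE...: print the commands for each table in the safe order.
stop_plan() {
    for table in "$@"; do
        chains=$(builtin_chains "$table") || {
            echo "unknown table: $table" >&2
            return 1
        }
        # 1. Open the default policies first, so that removing the ACCEPT
        #    rules cannot cut off traffic to a network-based root device.
        for chain in $chains; do
            echo "iptables -t $table -P $chain ACCEPT"
        done
        # 2. Only then flush the rules and delete user-defined chains.
        echo "iptables -t $table -F"
        echo "iptables -t $table -X"
    done
}

# order_is_safe: read a plan on stdin; exit non-zero if a flush (-F) or
# chain delete (-X) for a table appears before any ACCEPT policy for it.
order_is_safe() {
    awk '
        $2 == "-t" && $4 == "-P" && $6 == "ACCEPT" { opened[$3] = 1; next }
        $2 == "-t" && ($4 == "-F" || $4 == "-X") && !opened[$3] { bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Print the plan for all four tables and confirm its ordering.
stop_plan filter nat mangle raw
stop_plan filter nat mangle raw | order_is_safe && echo "order: safe"
```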

In addition, this update adds the following enhancements:

* The iptables utility has been modified to support a new option,
"--queue-bypass", which allows bypassing an NFQUEUE rule if the specified queue
is not used. (BZ#845435)

* A new iptables service option, "reload", has been added to enable a refresh of
the firewall rules without unloading netfilter kernel modules and a possible
drop of connections. (BZ#928812)
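
An added example (not part of the advisory) for reviewing "--queue-bypass" usage: it reads iptables-save output and reports, for each NFQUEUE rule, whether packets pass or are dropped when no program is bound to the queue. As the NFQUEUE target documentation describes, such packets are dropped by default and accepted when "--queue-bypass" is set. The ruleset is constructed for this example, and the "fail-open"/"fail-closed" labels and function names are this example's own.

```shell
#!/bin/sh
# Added example: classify NFQUEUE rules found in iptables-save output.

# Constructed sample ruleset in iptables-save format.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 0 --queue-bypass
-A FORWARD -p tcp -m tcp --dport 25 -j NFQUEUE --queue-num 1
-A FORWARD -j NFQUEUE --queue-balance 2:5 --queue-bypass
COMMIT'

# audit_nfqueue: read iptables-save output on stdin and print one line per
# NFQUEUE rule: "<table> <chain> <queue> <fail-open|fail-closed>".
audit_nfqueue() {
    awk '
        /^\*/ { table = substr($0, 2); next }      # "*filter" -> "filter"
        $1 == "-A" {
            target = ""; queue = "0"; bypass = 0   # queue 0 is the default
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "--queue-num" || $i == "--queue-balance")
                    queue = $(i + 1)
                if ($i == "--queue-bypass") bypass = 1
            }
            if (target == "NFQUEUE")
                print table, $2, queue, (bypass ? "fail-open" : "fail-closed")
        }
    '
}

# count_fail_open: number of NFQUEUE rules that pass traffic when the
# queue has no listener.
count_fail_open() {
    audit_nfqueue | grep -c 'fail-open$' || true
}

printf '%s\n' "$SAMPLE_RULES" | audit_nfqueue
```

On a live system the input would come from iptables-save instead of the sample; rules reported as fail-open are the ones to review where the queue feeds an inspection or filtering program.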

Users of iptables are advised to upgrade to these updated packages, which fix
these bugs and add these enhancements.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
iptables-1.4.7-11.el6.src.rpm
File outdated by: RHBA-2015:1404

IA-32:
iptables-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404
iptables-debuginfo-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404
iptables-devel-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404
iptables-ipv6-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404

x86_64:
iptables-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404
iptables-1.4.7-11.el6.x86_64.rpm
File outdated by: RHBA-2015:1404
iptables-debuginfo-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404
iptables-debuginfo-1.4.7-11.el6.x86_64.rpm
File outdated by: RHBA-2015:1404
iptables-devel-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404
iptables-devel-1.4.7-11.el6.x86_64.rpm
File outdated by: RHBA-2015:1404
iptables-ipv6-1.4.7-11.el6.x86_64.rpm
File outdated by: RHBA-2015:1404
 
Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
iptables-1.4.7-11.el6.src.rpm
File outdated by: RHBA-2015:1404

x86_64:
iptables-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404
iptables-1.4.7-11.el6.x86_64.rpm
File outdated by: RHBA-2015:1404
iptables-debuginfo-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404
iptables-debuginfo-1.4.7-11.el6.x86_64.rpm
File outdated by: RHBA-2015:1404
iptables-devel-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404
iptables-devel-1.4.7-11.el6.x86_64.rpm
File outdated by: RHBA-2015:1404
iptables-ipv6-1.4.7-11.el6.x86_64.rpm
File outdated by: RHBA-2015:1404
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
iptables-1.4.7-11.el6.src.rpm
File outdated by: RHBA-2015:1404

IA-32:
iptables-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404
iptables-debuginfo-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404
iptables-devel-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404
iptables-ipv6-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404

PPC:
iptables-1.4.7-11.el6.ppc.rpm
File outdated by: RHBA-2015:1404
iptables-1.4.7-11.el6.ppc64.rpm
File outdated by: RHBA-2015:1404
iptables-debuginfo-1.4.7-11.el6.ppc.rpm
File outdated by: RHBA-2015:1404
iptables-debuginfo-1.4.7-11.el6.ppc64.rpm
File outdated by: RHBA-2015:1404
iptables-devel-1.4.7-11.el6.ppc.rpm
File outdated by: RHBA-2015:1404
iptables-devel-1.4.7-11.el6.ppc64.rpm
File outdated by: RHBA-2015:1404
iptables-ipv6-1.4.7-11.el6.ppc64.rpm
File outdated by: RHBA-2015:1404

s390x:
iptables-1.4.7-11.el6.s390.rpm
File outdated by: RHBA-2015:1404
iptables-1.4.7-11.el6.s390x.rpm
File outdated by: RHBA-2015:1404
iptables-debuginfo-1.4.7-11.el6.s390.rpm
File outdated by: RHBA-2015:1404
iptables-debuginfo-1.4.7-11.el6.s390x.rpm
File outdated by: RHBA-2015:1404
iptables-devel-1.4.7-11.el6.s390.rpm
File outdated by: RHBA-2015:1404
iptables-devel-1.4.7-11.el6.s390x.rpm
File outdated by: RHBA-2015:1404
iptables-ipv6-1.4.7-11.el6.s390x.rpm
File outdated by: RHBA-2015:1404

x86_64:
iptables-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404
iptables-1.4.7-11.el6.x86_64.rpm
File outdated by: RHBA-2015:1404
iptables-debuginfo-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404
iptables-debuginfo-1.4.7-11.el6.x86_64.rpm
File outdated by: RHBA-2015:1404
iptables-devel-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404
iptables-devel-1.4.7-11.el6.x86_64.rpm
File outdated by: RHBA-2015:1404
iptables-ipv6-1.4.7-11.el6.x86_64.rpm
File outdated by: RHBA-2015:1404
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
iptables-1.4.7-11.el6.src.rpm
File outdated by: RHBA-2015:1404

IA-32:
iptables-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404
iptables-debuginfo-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404
iptables-devel-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404
iptables-ipv6-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404

x86_64:
iptables-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404
iptables-1.4.7-11.el6.x86_64.rpm
File outdated by: RHBA-2015:1404
iptables-debuginfo-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404
iptables-debuginfo-1.4.7-11.el6.x86_64.rpm
File outdated by: RHBA-2015:1404
iptables-devel-1.4.7-11.el6.i686.rpm
File outdated by: RHBA-2015:1404
iptables-devel-1.4.7-11.el6.x86_64.rpm
File outdated by: RHBA-2015:1404
iptables-ipv6-1.4.7-11.el6.x86_64.rpm
File outdated by: RHBA-2015:1404
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see Bugzilla for more information)

845435 - "--queue-bypass" backport
924362 - New alternatives doesn't verify if /lib*/xtables is symlinked correctly
983198 - iptables-save man page completely wrong - which conflicting arguments should work?



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/