Can the illumio-ven software interrupt the loading of iptables rules from the /etc/rc.d/rc.local script during boot?
Environment
- Red Hat Enterprise Linux 8
Issue
- iptables flushing automatically
- Unable to load iptables rules from /etc/rc.local file during boot.
Resolution
- The Illumio agent can prevent the iptables rules from loading. As a workaround, stop and disable the illumio-ven service and engage the Illumio vendor for further investigation of this behaviour.
Workaround:
- How to stop the Illumio agent:
# systemctl stop illumio-ven.service
# systemctl disable illumio-ven.service
Root Cause
- The Illumio software adds its own ruleset to the netfilter configuration. This ruleset is configured under the "inet" family using nft.
- When this 3rd-party ruleset is added via nft, the old "ip" and "ip6" tables are flushed. Engage the Illumio vendor for further investigation of this behaviour.
Diagnostic Steps
- The audit logs below confirm that the Illumio agent is using nftables and iptables to manipulate the netfilter ruleset according to its needs. The ilo-ven account in /etc/passwd has gid 205, which matches the gid=205 / GID="ilo-ven" recorded on the nft calls:
ilo-ven:x:566:205:Illumio VEN User:/home/ilo-ven:/sbin/nologin
% grep -i sbin/nft var/log/audit/audit.log | tail -5
type=SYSCALL msg=audit(1705962993.338:182): arch=c000003e syscall=46 success=yes exit=12321672 a0=8 a1=7ffe4c8f1e70 a2=0 a3=7ffe4c8f07dc items=0 ppid=10703 pid=10749 auid=4294967295 uid=0 gid=205 euid=0 suid=0 fsuid=0 egid=205 sgid=205 fsgid=205 tty=(none) ses=4294967295 comm="nft" exe="/usr/sbin/nft" key=(null)ARCH=x86_64 SYSCALL=sendmsg AUID="unset" UID="root" GID="ilo-ven" EUID="root" SUID="root" FSUID="root" EGID="ilo-ven" SGID="ilo-ven" FSGID="ilo-ven"
type=SYSCALL msg=audit(1705963286.931:207): arch=c000003e syscall=46 success=yes exit=12321672 a0=8 a1=7ffca9d55a00 a2=0 a3=7ffca9d5436c items=0 ppid=11611 pid=11657 auid=4294967295 uid=0 gid=205 euid=0 suid=0 fsuid=0 egid=205 sgid=205 fsgid=205 tty=(none) ses=4294967295 comm="nft" exe="/usr/sbin/nft" key=(null)ARCH=x86_64 SYSCALL=sendmsg AUID="unset" UID="root" GID="ilo-ven" EUID="root" SUID="root" FSUID="root" EGID="ilo-ven" SGID="ilo-ven" FSGID="ilo-ven"
type=SYSCALL msg=audit(1705963654.823:241): arch=c000003e syscall=46 success=yes exit=12321924 a0=8 a1=7fffa7e4a7b0 a2=0 a3=7fffa7e4911c items=0 ppid=17518 pid=17564 auid=4294967295 uid=0 gid=205 euid=0 suid=0 fsuid=0 egid=205 sgid=205 fsgid=205 tty=(none) ses=4294967295 comm="nft" exe="/usr/sbin/nft" key=(null)ARCH=x86_64 SYSCALL=sendmsg AUID="unset" UID="root" GID="ilo-ven" EUID="root" SUID="root" FSUID="root" EGID="ilo-ven" SGID="ilo-ven" FSGID="ilo-ven" <----------------
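As an added example (not Red Hat's or Illumio's code), the audit-log check above turned into a small Python parser: it tokenises SYSCALL records, including the fused key=(null)ARCH= form seen in copied logs, counts netlink sendmsg calls per netfilter tool and effective group, and flags callers outside an expected group. The sample records are constructed, and including /usr/sbin/xtables-nft-multi (the iptables-nft backend) goes beyond the page's grep for sbin/nft.

```python
import re
from collections import Counter

# Constructed sample in the shape of the audit records above (all values invented
# for this example; the fused "key=(null)ARCH=" is kept as it appears when copied).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000001.001:10): arch=c000003e syscall=46 success=yes exit=120 a0=8 a1=0 a2=0 a3=0 items=0 ppid=500 pid=501 auid=4294967295 uid=0 gid=205 euid=0 suid=0 fsuid=0 egid=205 sgid=205 fsgid=205 tty=(none) ses=4294967295 comm="nft" exe="/usr/sbin/nft" key=(null)ARCH=x86_64 SYSCALL=sendmsg AUID="unset" UID="root" GID="ilo-ven" EUID="root" SUID="root" FSUID="root" EGID="ilo-ven" SGID="ilo-ven" FSGID="ilo-ven"
type=SYSCALL msg=audit(1700000002.002:11): arch=c000003e syscall=46 success=yes exit=120 a0=8 a1=0 a2=0 a3=0 items=0 ppid=600 pid=601 auid=4294967295 uid=0 gid=205 euid=0 suid=0 fsuid=0 egid=205 sgid=205 fsgid=205 tty=(none) ses=4294967295 comm="nft" exe="/usr/sbin/nft" key=(null)ARCH=x86_64 SYSCALL=sendmsg AUID="unset" UID="root" GID="ilo-ven" EUID="root" SUID="root" FSUID="root" EGID="ilo-ven" SGID="ilo-ven" FSGID="ilo-ven"
type=SYSCALL msg=audit(1700000003.003:12): arch=c000003e syscall=46 success=yes exit=96 a0=3 a1=0 a2=0 a3=0 items=0 ppid=1 pid=700 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="iptables" exe="/usr/sbin/xtables-nft-multi" key=(null)ARCH=x86_64 SYSCALL=sendmsg AUID="admin" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
"""

NETFILTER_TOOLS = {"/usr/sbin/nft", "/usr/sbin/xtables-nft-multi"}
SENDMSG_X86_64 = "46"  # sendmsg syscall number on x86_64; nft talks to the kernel over netlink
AUDIT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict; quotes are stripped from values."""
    line = line.replace("\x1d", " ")             # raw enriched logs separate fields with 0x1d
    line = re.sub(r"\)(?=[A-Z]+=)", ") ", line)  # copied logs fuse key=(null) with ARCH=
    return {k: v.strip('"') for k, v in AUDIT_KV.findall(line)}

def is_sendmsg(rec):
    """Use the enriched SYSCALL name when present, else the numeric x86_64 syscall."""
    return rec.get("SYSCALL") == "sendmsg" or (
        rec.get("arch") == "c000003e" and rec.get("syscall") == SENDMSG_X86_64)

def netfilter_writers(log_text):
    """Count netlink sendmsg calls per (exe, effective group) made by netfilter tools."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or not is_sendmsg(rec):
            continue
        if rec.get("exe") not in NETFILTER_TOOLS:
            continue
        group = rec.get("EGID") or rec.get("egid")  # enriched group name, else numeric gid
        counts[(rec["exe"], group)] += 1
    return counts

def unexpected_writers(log_text, expected_groups=("root",)):
    """(exe, group) pairs rewriting netfilter that do not run under an expected group."""
    return sorted(k for k in netfilter_writers(log_text) if k[1] not in expected_groups)

if __name__ == "__main__":
    for (exe, group), n in netfilter_writers(SAMPLE_AUDIT_LOG).items():
        print(f"{n:3d} netlink writes by {exe} (group {group})")
    print("unexpected:", unexpected_writers(SAMPLE_AUDIT_LOG))
```

On a real host, feed it the contents of /var/log/audit/audit.log (or the sosreport copy used above); a non-root group such as ilo-ven showing up as an unexpected writer is the same evidence the grep gives, without reading records by hand.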
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.