| Summary: | ip_conntrack_max is set always default value | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | masanari iida <masanari_iida> |
| Component: | iptables | Assignee: | Thomas Woerner <twoerner> |
| Status: | CLOSED WONTFIX | QA Contact: | qe-baseos-daemons |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.0 | CC: | bruno, kzak |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-20 13:23:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | ||
Assigning this to procps. I'd need an option in sysctl, where I can restrict to a subtree of /sys. Here: /net/ipv4/netfilter for IPv4 and /net/ipv6/netfilter for IPv6. Please ressign to iptables if this is fixed in procps. Well, the solution is extract from sysctl.conf relevant options and use it for
sysctl, for example:
gawk '/netfilter/ { gsub(" ", ""); print $0; }' /etc/sysctl.conf | xargs
sysctl -w
I'd like to expand on this problem as well. When doing a service restart iptables all of the conntrack values are reset to the defaults even if other values are specified in /etc/sysctl.conf. I noticed this because I needed to reduce some timeouts due to spammers filling up my connection table (5 day timeouts seem excessive), but when I restarted iptables, the default values were restored. So it would be nice as part of the start (or restart) process that applicable values from /etc/sysctl.conf get applied after the various conntrack modules have been loaded. Note I am seeing this using iptables-1.4.0-4.fc9.i386. Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life. Please See https://access.redhat.com/support/policy/updates/errata/ If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue. |
Description of problem: There is a value net.ipv4.netfilter.ip_conntrack_max. But when the system boot up, sysctl is issued from rc.sysinit. At the momemnt, system still has not been configured network. So even though net.ipv4.netfilter.ip_conntrack_max is set into /etc/sysctl.conf, system can not set it. So, iptables always use the default value to the ip_conntrack_max. Version-Release number of selected component (if applicable): iptables-1.2.11-3.1.RHEL4 How reproducible: Always Steps to Reproduce: 1. Configure ip_conntrak. 2. Set net.ipv4.netfilter.ip_conntrack_max = 65528 into /etc/sysctl.conf 3. Reboot the system. Actual results: ip_conntrack_max is ALWAYS set as default value. Expected results: iptable startup script should set custom value in /etc/sysctl.conf when ip_conntrak driver loaded. Additional info: Modify idea (ex.) Issue " sysctl -e -p /etc/sysctl.conf " from /etc/init.d/iptables script, after load ip_conntrack driver.