Bug 199908

Summary: ip_conntrack_max is set always default value
Product: Red Hat Enterprise Linux 4
Reporter: masanari iida <masanari_iida>
Component: iptables
Assignee: Thomas Woerner <twoerner>
Status: CLOSED WONTFIX
QA Contact: qe-baseos-daemons
Severity: medium
Priority: medium
Version: 4.0
CC: bruno, kzak
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-06-20 13:23:18 UTC

Description masanari iida 2006-07-24 09:07:43 UTC
Description of problem:
There is a value net.ipv4.netfilter.ip_conntrack_max.
But when the system boots up, sysctl is issued from rc.sysinit.
At that moment, the system's network has still not been configured.
So even though net.ipv4.netfilter.ip_conntrack_max is set in
/etc/sysctl.conf, the system cannot set it.
So, iptables always uses the default value for ip_conntrack_max.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure ip_conntrack.
2. Set net.ipv4.netfilter.ip_conntrack_max = 65528 in /etc/sysctl.conf
3. Reboot the system.
Actual results:
ip_conntrack_max is ALWAYS set to the default value.

Expected results:
The iptables startup script should set the custom value from /etc/sysctl.conf
when the ip_conntrack driver is loaded.

Additional info:
Modification idea
(ex.) Issue " sysctl -e -p /etc/sysctl.conf " from the /etc/init.d/iptables script,
      after loading the ip_conntrack driver.

Comment 1 Thomas Woerner 2006-08-01 15:46:57 UTC
Assigning this to procps. I'd need an option in sysctl, where I can restrict to
a subtree of /sys. Here: /net/ipv4/netfilter for IPv4 and /net/ipv6/netfilter
for IPv6.

Please reassign to iptables if this is fixed in procps.

Comment 2 Karel Zak 2006-08-02 11:16:41 UTC
Well, the solution is to extract the relevant options from sysctl.conf and use
them for sysctl, for example:

     gawk '/netfilter/ { gsub(" ", ""); print $0; }' /etc/sysctl.conf | xargs sysctl -w
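
An added example (not from the bug report or any of its commenters) of the approach suggested in the description and in Comment 2: pull only the netfilter subtree out of a sysctl.conf-style file, normalise the "key = value" spacing, and apply it with sysctl -e -w once the conntrack modules are loaded. The sample conf, the function names and the default key prefix are assumptions made for this example.

```shell
#!/bin/sh
# Extract the netfilter subtree of a sysctl.conf-style file as key=value pairs
# so they can be applied after the conntrack modules are loaded. Comment and
# blank lines are skipped and the spaces around '=' are removed, since
# 'sysctl -w' expects a single key=value argument.
#   $1 = conf file, $2 = key prefix (assumed default: net.ipv4.netfilter.)
netfilter_sysctl_pairs() {
    conf="$1"
    prefix="${2:-net.ipv4.netfilter.}"
    awk -v p="$prefix" '
        /^[[:space:]]*#/ || /^[[:space:]]*;/ || /^[[:space:]]*$/ { next }
        index($0, "=") == 0 { next }
        {
            key = $0
            sub(/[[:space:]]*=.*$/, "", key); sub(/^[[:space:]]+/, "", key)
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
            if (index(key, p) == 1) print key "=" val
        }' "$conf"
}

# Apply the pairs; -e makes sysctl skip keys the running kernel does not
# expose (e.g. module not loaded) instead of failing on the first one.
apply_netfilter_sysctl() {
    netfilter_sysctl_pairs "$1" "$2" | while IFS= read -r pair; do
        sysctl -e -w "$pair"
    done
}

# Constructed sample conf (not the reporter's file) for a stand-alone run.
SAMPLE_CONF="${TMPDIR:-/tmp}/sysctl-sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.netfilter.ip_conntrack_max = 65528
   net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=86400
net.ipv6.netfilter.nf_conntrack_max =32768
kernel.sysrq = 0
EOF

echo "IPv4 netfilter settings that would be applied:"
netfilter_sysctl_pairs "$SAMPLE_CONF"
```

On a real host the init script would run apply_netfilter_sysctl /etc/sysctl.conf as root right after the ip_conntrack modules have been loaded; the stand-alone run above only prints the pairs and leaves the sample file in place.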

Comment 3 Bruno Wolff III 2008-05-10 17:04:21 UTC
I'd like to expand on this problem as well. When doing a service restart
iptables all of the conntrack values are reset to the defaults even if other
values are specified in /etc/sysctl.conf. I noticed this because I needed to
reduce some timeouts due to spammers filling up my connection table (5 day
timeouts seem excessive), but when I restarted iptables, the default values were
So it would be nice as part of the start (or restart) process that applicable
values from /etc/sysctl.conf get applied after the various conntrack modules
have been loaded.
Note I am seeing this using iptables-1.4.0-4.fc9.i386.

Comment 4 Jiri Pallich 2012-06-20 13:23:18 UTC
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life. 
Please see https://access.redhat.com/support/policy/updates/errata/

If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.