Bug 552522

Summary: Restarting iptables doesn't restore certain sysctl values, e.g. net.ipv4.ip_conntrack_max
Product: Red Hat Enterprise Linux 5 Reporter: Robin Bowes <robin.bowes>
Component: iptablesAssignee: iptables-maint-list <iptables-maint-list>
Status: CLOSED ERRATA QA Contact: qe-baseos-daemons
Severity: medium Docs Contact:
Priority: low    
Version: 5.9CC: antti.hongell, azelinka, chakkerz, dougsland, john.haxby, martin_foster, pknirsch, psklenar, tao, twoerner
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 800208 (view as bug list) Environment:
Last Closed: 2012-02-21 06:21:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 800208    
Description Flags
patch to load sysctl settings on iptables start, if required by user
patch to load sysctl settings on iptables start, if required by user, v2
patch to load sysctl settings on iptables start, if required by user, v3 none

Description Robin Bowes 2010-01-05 11:54:42 UTC
Description of problem:

Restarting iptables doesn't restore certain sysctl values, e.g. net.ipv4.ip_conntrack_max

Version-Release number of selected component (if applicable):


How reproducible:

Set a custom value in /etc/sysctl.conf and reload iptables - the custom value is not reloaded.

Steps to Reproduce:
1. Add this line to /etc/sysctl.conf

 net.ipv4.ip_conntrack_max = 1000000

2. Ensure it's loaded:

# sysctl -p
# sysctl net.ipv4.ip_conntrack_max
net.ipv4.ip_conntrack_max = 1000000

3. Reload iptables:

# service iptables restart

4. Check the active net.ipv4.ip_conntrack_max value:

# sysctl net.ipv4.ip_conntrack_max
net.ipv4.ip_conntrack_max = 65536

Actual results:

net.ipv4.ip_conntrack_max is reset to its default value

Expected results:

net.ipv4.ip_conntrack_max should retain the modified value defined in /etc/sysctl.conf

Comment 1 Martin Foster 2010-06-29 10:07:30 UTC
Created attachment 427630 [details]
patch to load sysctl settings on iptables start, if required by user

adds setting IPTABLES_SYSCTL_LOAD_ON_START to /etc/sysconfig/iptables-config

when set to yes (default is no), sysctl settings will be loaded at the end of the iptables start sequence.

Comment 2 Martin Foster 2010-06-29 10:12:32 UTC
I second the need for this function, and have provided a patch.  Particularly useful in the original requestor's ip_conntrack_max use case.

Believe the patch is better than the alternative of not unloading the iptables modules and just hoping that nothing changes.  This approach could suffice for system boot only, as sysctl is set after iptables has started, however it leads to unexpected behaviour when daemons (eg: xend in RHEL5) or users start/restart iptables. 

With the patch, sysctl load behaviour is explicit and selectable by configuration file whenever iptables is started.

Comment 3 Robin Bowes 2010-06-29 10:46:02 UTC
Thanks for the patch. It looks good to me.

One comment - you say:

"adds setting IPTABLES_SYSCTL_LOAD_ON_START to /etc/sysconfig/iptables-config

when set to yes (default is no)..."

but your patch sets the default to "yes".

Now, I personally think the default *should* be "yes"; I'm just pointing out the discrepancy between the patch and what you've typed!


Comment 4 Martin Foster 2010-06-29 11:10:33 UTC
You are correct, I made the patch while "yes" was still set in iptables-config, and I defaulted it to yes in /etc/rc.d/init.d/iptables

The updated patch sets both to no. 

This done, I also agree that the default should be yes, but enabling this would introduce a new behaviour to the RHEL5 series. 

I would fully encourage RedHat to add this function, defaulting to yes in RHEL6.

Comment 5 Martin Foster 2010-06-29 11:12:16 UTC
Created attachment 427647 [details]
patch to load sysctl settings on iptables start, if required by user, v2

sets default behaviour of patch to disabled/"no", as the documentation says it should.

Comment 6 john.haxby@oracle.com 2010-06-30 12:36:42 UTC
Another way to fix this is to not reload the ip_conntrack module.  In later kernels (well, Fedora13) nf_conntrack is no longer a module and so this problem doesn't arise.

Comment 7 john.haxby@oracle.com 2010-06-30 13:00:10 UTC
I would suggest a variation or two on this patch to avoid perhaps unintentionally changing some sysctl parameters.

One possibility is to have (say)

   fgrep .ip_conntrack /etc/sysctl.conf | sysctl -p -

instead of the plain sysctl -p to load only conntrack settings.  The other would be to have something like

   restart () {
      [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
      sysctl=$(sysctl -a)
      echo "$sysctl" | sysctl -e -q -p -

(And why do people think it's necessary to have both "" around a variable and the "x" thing to make it non-empty?  Sorry, pet peeve.)

Both approaches have problems: the former throws away existing settings in favour of ones saved in /etc/sysctl.conf; the latter only works when you do service iptables restart.

Comment 8 Martin Foster 2010-07-01 01:16:34 UTC
I agree that reloading all sysctls could result in unexpected behaviour. 

The scope should be limited only to netfilter sysctls, and documented as such so that the only settings reloaded from sysctl.conf are net.ipv4.netfilter.* instead of net.ipv4.ip_conntrack, and only if the netfilter module is unloaded (IPTABLES_MODULES_UNLOAD="yes").

I believe John's suggested first approach is correct, and should be taken on start().  This in case the operator has done an iptables stop, done stuff, then a start.  I think it's ok to lose the existing sysctls in favour of sysctl.conf values because for this to happen the operator would have had to explicitly set IPTABLES_SYSCTL_LOAD_ON_START to yes. 

Finally, agree that the "x" & "" is redundant, but I followed the script's pre-existing convention.

Comment 9 Martin Foster 2010-08-20 13:07:54 UTC
Created attachment 439938 [details]
patch to load sysctl settings on iptables start, if required by user, v3

Updated form of this patch.

+ by default, no change in behaviour over what the scripts do today

+ incorporates fgrep suggestion

+ uses a list of items to fgrep for in /etc/sysctl.conf
  allowing the user to explicitly define items to reload instead of us
  see IPTABLES_SYSCTL_LOAD_LIST in /etc/sysconfig/iptables-config

+ commended out /etc/sysconfig/iptables-config entry suggests usage:
  IPTABLES_SYSCTL_LOAD_LIST=".ip_conntrack .bridge-nf"

believe this also addresses the needs of bugID 493226

Comment 10 john.haxby@oracle.com 2010-08-20 13:36:21 UTC
That patch looks good to me.  Any chance of shipping a fix incorporating it?

Comment 11 RHEL Program Management 2011-05-31 14:32:57 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 15 john.haxby@oracle.com 2011-11-14 14:09:42 UTC
This is marked NEEDINFO but without saying what's needed.   Is that in a private comment?

Comment 17 Thomas Woerner 2011-11-14 16:14:59 UTC
*** Bug 493226 has been marked as a duplicate of this bug. ***

Comment 19 errata-xmlrpc 2012-02-21 06:21:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Comment 20 Antti Hongell 2013-06-18 12:32:20 UTC
Instead of load_sysctl() in iptables initscript it should call the apply_sysctl function and the sysctl.d configurations would be included instead of only sysctl.conf