Bug 552522
Summary: | Restarting iptables doesn't restore certain sysctl values, e.g. net.ipv4.ip_conntrack_max | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Robin Bowes <robin.bowes> | |
Component: | iptables | Assignee: | iptables-maint-list <iptables-maint-list> | |
Status: | CLOSED ERRATA | QA Contact: | qe-baseos-daemons | |
Severity: | medium | Docs Contact: | ||
Priority: | low | |||
Version: | 5.9 | CC: | antti.hongell, azelinka, chakkerz, dougsland, john.haxby, martin_foster, pknirsch, psklenar, tao, twoerner | |
Target Milestone: | rc | |||
Target Release: | --- | |||
Hardware: | x86_64 | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Bug Fix | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 800208 (view as bug list) | Environment: | ||
Last Closed: | 2012-02-21 06:21:16 UTC | Type: | --- | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 800208 | |||
Attachments: |
Description
Robin Bowes
2010-01-05 11:54:42 UTC
Created attachment 427630 [details]
patch to load sysctl settings on iptables start, if required by user
adds setting IPTABLES_SYSCTL_LOAD_ON_START to /etc/sysconfig/iptables-config
when set to yes (default is no), sysctl settings will be loaded at the end of the iptables start sequence.
I second the need for this function, and have provided a patch. Particularly useful in the original requestor's ip_conntrack_max use case. Believe the patch is better than the alternative of not unloading the iptables modules and just hoping that nothing changes. This approach could suffice for system boot only, as sysctl is set after iptables has started, however it leads to unexpected behaviour when daemons (eg: xend in RHEL5) or users start/restart iptables. With the patch, sysctl load behaviour is explicit and selectable by configuration file whenever iptables is started. Thanks for the patch. It looks good to me. One comment - you say: "adds setting IPTABLES_SYSCTL_LOAD_ON_START to /etc/sysconfig/iptables-config when set to yes (default is no)..." but your patch sets the default to "yes". Now, I personally think the default *should* be "yes"; I'm just pointing out the discrepancy between the patch and what you've typed! R. You are correct, I made the patch while "yes" was still set in iptables-config, and I defaulted it to yes in /etc/rc.d/init.d/iptables The updated patch sets both to no. This done, I also agree that the default should be yes, but enabling this would introduce a new behaviour to the RHEL5 series. I would fully encourage RedHat to add this function, defaulting to yes in RHEL6. Created attachment 427647 [details]
patch to load sysctl settings on iptables start, if required by user, v2
sets default behaviour of patch to disabled/"no", as the documentation says it should.
Another way to fix this is to not reload the ip_conntrack module. In later kernels (well, Fedora13) nf_conntrack is no longer a module and so this problem doesn't arise. I would suggest a variation or two on this patch to avoid perhaps unintentionally changing some sysctl parameters. One possibility is to have (say) fgrep .ip_conntrack /etc/sysctl.conf | sysctl -p - instead of the plain sysctl -p to load only conntrack settings. The other would be to have something like restart () { [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save sysctl=$(sysctl -a) stop start echo "$sysctl" | sysctl -e -q -p - } (And why do people think it's necessary to have both "" around a variable and the "x" thing to make it non-empty? Sorry, pet peeve.) Both approaches have problems: the former throws away existing settings in favour of ones saved in /etc/sysctl.conf; the latter only works when you do service iptables restart. I agree that reloading all sysctls could result in unexpected behaviour. The scope should be limited only to netfilter sysctls, and documented as such so that the only settings reloaded from sysctl.conf are net.ipv4.netfilter.* instead of net.ipv4.ip_conntrack, and only if the netfilter module is unloaded (IPTABLES_MODULES_UNLOAD="yes"). I believe John's suggested first approach is correct, and should be taken on start(). This in case the operator has done an iptables stop, done stuff, then a start. I think it's ok to lose the existing sysctls in favour of sysctl.conf values because for this to happen the operator would have had to explicitly set IPTABLES_SYSCTL_LOAD_ON_START to yes. Finally, agree that the "x" & "" is redundant, but I followed the script's pre-existing convention. Created attachment 439938 [details]
patch to load sysctl settings on iptables start, if required by user, v3
Updated form of this patch.
+ by default, no change in behaviour over what the scripts do today
+ incorporates fgrep suggestion
+ uses a list of items to fgrep for in /etc/sysctl.conf
allowing the user to explicitly define items to reload instead of us
see IPTABLES_SYSCTL_LOAD_LIST in /etc/sysconfig/iptables-config
+ commended out /etc/sysconfig/iptables-config entry suggests usage:
IPTABLES_SYSCTL_LOAD_LIST=".ip_conntrack .bridge-nf"
believe this also addresses the needs of bugID 493226
That patch looks good to me. Any chance of shipping a fix incorporating it? This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. This is marked NEEDINFO but without saying what's needed. Is that in a private comment? *** Bug 493226 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0255.html Instead of load_sysctl() in iptables initscript it should call the apply_sysctl function and the sysctl.d configurations would be included instead of only sysctl.conf |