Bug 552522

Created attachment 427630 [details]
patch to load sysctl settings on iptables start, if required by user

adds setting IPTABLES_SYSCTL_LOAD_ON_START to /etc/sysconfig/iptables-config

when set to yes (default is no), sysctl settings will be loaded at the end of the iptables start sequence.

I second the need for this function, and have provided a patch.  Particularly useful in the original requestor's ip_conntrack_max use case.

Believe the patch is better than the alternative of not unloading the iptables modules and just hoping that nothing changes.  This approach could suffice for system boot only, as sysctl is set after iptables has started, however it leads to unexpected behaviour when daemons (eg: xend in RHEL5) or users start/restart iptables. 

With the patch, sysctl load behaviour is explicit and selectable by configuration file whenever iptables is started.

Thanks for the patch. It looks good to me.

One comment - you say:

"adds setting IPTABLES_SYSCTL_LOAD_ON_START to /etc/sysconfig/iptables-config

when set to yes (default is no)..."

but your patch sets the default to "yes".

Now, I personally think the default *should* be "yes"; I'm just pointing out the discrepancy between the patch and what you've typed!

R.

You are correct, I made the patch while "yes" was still set in iptables-config, and I defaulted it to yes in /etc/rc.d/init.d/iptables

The updated patch sets both to no. 

This done, I also agree that the default should be yes, but enabling this would introduce a new behaviour to the RHEL5 series. 

I would fully encourage RedHat to add this function, defaulting to yes in RHEL6.

Created attachment 427647 [details]
patch to load sysctl settings on iptables start, if required by user, v2

sets default behaviour of patch to disabled/"no", as the documentation says it should.

Another way to fix this is to not reload the ip_conntrack module.  In later kernels (well, Fedora13) nf_conntrack is no longer a module and so this problem doesn't arise.

I would suggest a variation or two on this patch to avoid perhaps unintentionally changing some sysctl parameters.

One possibility is to have (say)

   fgrep .ip_conntrack /etc/sysctl.conf | sysctl -p -

instead of the plain sysctl -p to load only conntrack settings.  The other would be to have something like

   restart () {
      [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
      sysctl=$(sysctl -a)
      stop
      start
      echo "$sysctl" | sysctl -e -q -p -
   }

(And why do people think it's necessary to have both "" around a variable and the "x" thing to make it non-empty?  Sorry, pet peeve.)

Both approaches have problems: the former throws away existing settings in favour of ones saved in /etc/sysctl.conf; the latter only works when you do service iptables restart.

I agree that reloading all sysctls could result in unexpected behaviour. 

The scope should be limited only to netfilter sysctls, and documented as such so that the only settings reloaded from sysctl.conf are net.ipv4.netfilter.* instead of net.ipv4.ip_conntrack, and only if the netfilter module is unloaded (IPTABLES_MODULES_UNLOAD="yes").

I believe John's suggested first approach is correct, and should be taken on start().  This in case the operator has done an iptables stop, done stuff, then a start.  I think it's ok to lose the existing sysctls in favour of sysctl.conf values because for this to happen the operator would have had to explicitly set IPTABLES_SYSCTL_LOAD_ON_START to yes. 

Finally, agree that the "x" & "" is redundant, but I followed the script's pre-existing convention.

Created attachment 439938 [details]
patch to load sysctl settings on iptables start, if required by user, v3

Updated form of this patch.

+ by default, no change in behaviour over what the scripts do today

+ incorporates fgrep suggestion

+ uses a list of items to fgrep for in /etc/sysctl.conf
  allowing the user to explicitly define items to reload instead of us
  see IPTABLES_SYSCTL_LOAD_LIST in /etc/sysconfig/iptables-config

+ commended out /etc/sysconfig/iptables-config entry suggests usage:
  IPTABLES_SYSCTL_LOAD_LIST=".ip_conntrack .bridge-nf"

believe this also addresses the needs of bugID 493226

That patch looks good to me.  Any chance of shipping a fix incorporating it?

This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

This is marked NEEDINFO but without saying what's needed.   Is that in a private comment?

*** Bug 493226 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0255.html

Instead of load_sysctl() in iptables initscript it should call the apply_sysctl function and the sysctl.d configurations would be included instead of only sysctl.conf