Bug 1460258 - iptables init script doesn't support /etc/sysctl.d/
Status: CLOSED DUPLICATE of bug 1402021
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: iptables (Show other bugs)
Hardware: x86_64 OS: Linux
Priority: unspecified Severity: high
: rc
: ---
Assigned To: Thomas Woerner
: Reopened
Depends On:
Blocks: 1472751
Reported: 2017-06-09 09:52 EDT by Davide F Bragalone
Modified: 2017-07-25 12:45 EDT (History)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2017-07-25 12:45:51 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Davide F Bragalone 2017-06-09 09:52:20 EDT
Description of problem:

The init script for iptables, /usr/libexec/iptables/iptables.init, doesn't support /etc/sysctl.d.

load_sysctl() {
    # load matched sysctl values
    if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
        echo -n $"Loading sysctl settings: "
        ret=0
        for item in $IPTABLES_SYSCTL_LOAD_LIST; do
            # <============= only /etc/sysctl.conf is searched; /etc/sysctl.d/*.conf is never read
            fgrep $item /etc/sysctl.conf | sysctl -p - >/dev/null
            let ret+=$?;
        done
        [ $ret -eq 0 ] && success || failure
    fi
    return $ret
}

That means that if you edit a kernel parameter related to iptables via /etc/sysctl.d/foo.conf, this won't be applied on iptables restart.

Version-Release number of selected component (if applicable):
kernel 3.10.0-514.16.1.el7.x86_64

How reproducible:

Steps to Reproduce:
1. edit parameter net.nf_conntrack_max via /etc/sysctl.d/iptables.conf
2. restart iptables
3. verify if /proc/sys/net/nf_conntrack_max has been modified

Actual results:
never updated

Expected results:
always updated
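As an added illustration, not code from the iptables package and not the fix from bug 1402021, the POSIX sh below compares the init script's /etc/sysctl.conf-only lookup with one that also reads sysctl.d/*.conf drop-ins. The function names, the config-root argument and the sample values are constructed for this example, and the precedence used (sysctl.conf first, then sysctl.d/*.conf in sort order, last match wins) is an assumption; sysctl --system has its own ordering rules.

```shell
#!/bin/sh
# Added example (not the RHEL init script): what a sysctl.conf-only lookup
# sees versus a lookup that also reads sysctl.d/*.conf. The config-root
# argument is an assumption so the functions can run on a constructed tree.

# Print the value of key $1 from the last matching "key = value" line in
# the given files, ignoring comments and whitespace; return 1 if absent.
sysctl_last_match() {
    key=$1; shift
    cat "$@" | sed -e 's/#.*//' | awk -F= -v k="$key" '
        NF >= 2 { gsub(/[[:space:]]/, "", $1)
                  if ($1 == k) { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v) } }
        END { if (v == "") exit 1; print v }'
}

# What load_sysctl() in the report effectively does: only <root>/sysctl.conf.
sysctl_conf_only() {
    [ -f "$2/sysctl.conf" ] || return 1
    sysctl_last_match "$1" "$2/sysctl.conf"
}

# Same lookup, but also consulting <root>/sysctl.d/*.conf drop-ins
# (assumed order: sysctl.conf, then drop-ins sorted by name; last wins).
sysctl_with_dropins() {
    key=$1; root=$2
    set --
    [ -f "$root/sysctl.conf" ] && set -- "$root/sysctl.conf"
    for f in "$root"/sysctl.d/*.conf; do
        [ -f "$f" ] && set -- "$@" "$f"
    done
    [ $# -gt 0 ] || return 1
    sysctl_last_match "$key" "$@"
}

# Constructed config tree mirroring the reproduction steps: the value in
# sysctl.d/iptables.conf is the one the administrator expects to take effect.
make_sample_tree() {
    mkdir -p "$1/sysctl.d"
    printf 'net.nf_conntrack_max = 65536\n' > "$1/sysctl.conf"
    printf '# conntrack tuning\nnet.nf_conntrack_max=262144\n' > "$1/sysctl.d/iptables.conf"
}

tmp=$(mktemp -d) && make_sample_tree "$tmp"
echo "sysctl.conf only (init script): $(sysctl_conf_only net.nf_conntrack_max "$tmp")"
echo "with sysctl.d drop-ins:         $(sysctl_with_dropins net.nf_conntrack_max "$tmp")"
rm -rf "$tmp"
```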
Comment 6 Eric Garver 2017-07-25 12:45:51 EDT

*** This bug has been marked as a duplicate of bug 1402021 ***
