Description of problem:
Restarting iptables doesn't restore certain sysctl values, e.g. net.ipv4.ip_conntrack_max

Version-Release number of selected component (if applicable):
iptables-1.3.5-5.3.el5_4.1

How reproducible:
Set a custom value in /etc/sysctl.conf and reload iptables - the custom value is not reloaded.

Steps to Reproduce:
1. Add this line to /etc/sysctl.conf:
   net.ipv4.ip_conntrack_max = 1000000
2. Ensure it's loaded:
   # sysctl -p
   # sysctl net.ipv4.ip_conntrack_max
   net.ipv4.ip_conntrack_max = 1000000
3. Reload iptables:
   # service iptables restart
4. Check the active net.ipv4.ip_conntrack_max value:
   # sysctl net.ipv4.ip_conntrack_max
   net.ipv4.ip_conntrack_max = 65536

Actual results:
net.ipv4.ip_conntrack_max is reset to its default value

Expected results:
net.ipv4.ip_conntrack_max should retain the modified value defined in /etc/sysctl.conf
Created attachment 427630 [details]
patch to load sysctl settings on iptables start, if required by user

Adds setting IPTABLES_SYSCTL_LOAD_ON_START to /etc/sysconfig/iptables-config. When set to yes (default is no), sysctl settings will be loaded at the end of the iptables start sequence.
I second the need for this function, and have provided a patch. Particularly useful in the original requestor's ip_conntrack_max use case. I believe the patch is better than the alternative of not unloading the iptables modules and just hoping that nothing changes. This approach could suffice for system boot only, as sysctl is set after iptables has started; however, it leads to unexpected behaviour when daemons (e.g. xend in RHEL5) or users start/restart iptables. With the patch, sysctl load behaviour is explicit and selectable by configuration file whenever iptables is started.
Thanks for the patch. It looks good to me. One comment - you say: "adds setting IPTABLES_SYSCTL_LOAD_ON_START to /etc/sysconfig/iptables-config when set to yes (default is no)..." but your patch sets the default to "yes". Now, I personally think the default *should* be "yes"; I'm just pointing out the discrepancy between the patch and what you've typed! R.
You are correct, I made the patch while "yes" was still set in iptables-config, and I defaulted it to yes in /etc/rc.d/init.d/iptables. The updated patch sets both to no. This done, I also agree that the default should be yes, but enabling this would introduce a new behaviour to the RHEL5 series. I would fully encourage Red Hat to add this function, defaulting to yes in RHEL6.
Created attachment 427647 [details]
patch to load sysctl settings on iptables start, if required by user, v2

Sets default behaviour of patch to disabled/"no", as the documentation says it should.
Another way to fix this is to not reload the ip_conntrack module. In later kernels (well, Fedora13) nf_conntrack is no longer a module and so this problem doesn't arise.
I would suggest a variation or two on this patch to avoid perhaps unintentionally changing some sysctl parameters. One possibility is to have (say)

    fgrep .ip_conntrack /etc/sysctl.conf | sysctl -p -

instead of the plain sysctl -p to load only conntrack settings. The other would be to have something like

    restart () {
        [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
        sysctl=$(sysctl -a)
        stop
        start
        echo "$sysctl" | sysctl -e -q -p -
    }

(And why do people think it's necessary to have both "" around a variable and the "x" thing to make it non-empty? Sorry, pet peeve.)

Both approaches have problems: the former throws away existing settings in favour of ones saved in /etc/sysctl.conf; the latter only works when you do service iptables restart.
I agree that reloading all sysctls could result in unexpected behaviour. The scope should be limited only to netfilter sysctls, and documented as such so that the only settings reloaded from sysctl.conf are net.ipv4.netfilter.* instead of net.ipv4.ip_conntrack, and only if the netfilter module is unloaded (IPTABLES_MODULES_UNLOAD="yes"). I believe John's suggested first approach is correct, and should be taken on start(). This in case the operator has done an iptables stop, done stuff, then a start. I think it's ok to lose the existing sysctls in favour of sysctl.conf values because for this to happen the operator would have had to explicitly set IPTABLES_SYSCTL_LOAD_ON_START to yes. Finally, agree that the "x" & "" is redundant, but I followed the script's pre-existing convention.
Created attachment 439938 [details]
patch to load sysctl settings on iptables start, if required by user, v3

Updated form of this patch.
+ by default, no change in behaviour over what the scripts do today
+ incorporates fgrep suggestion
+ uses a list of items to fgrep for in /etc/sysctl.conf, allowing the user to explicitly define items to reload instead of us; see IPTABLES_SYSCTL_LOAD_LIST in /etc/sysconfig/iptables-config
+ commented out /etc/sysconfig/iptables-config entry suggests usage: IPTABLES_SYSCTL_LOAD_LIST=".ip_conntrack .bridge-nf"

I believe this also addresses the needs of bug ID 493226.
That patch looks good to me. Any chance of shipping a fix incorporating it?
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
This is marked NEEDINFO but without saying what's needed. Is that in a private comment?
*** Bug 493226 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0255.html
Instead of load_sysctl() in the iptables initscript, it should call the apply_sysctl function, so that the sysctl.d configurations would be included instead of only sysctl.conf.
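The selective reload discussed above (the fgrep-on-a-load-list idea from the v3 patch, widened to /etc/sysctl.d/*.conf as the last comment asks) as an added example; this is not the RHEL initscript code nor either of the attached patches. It assumes a space-separated IPTABLES_SYSCTL_LOAD_LIST of fixed strings (e.g. ".ip_conntrack .bridge-nf"), that sysctl -p accepts "-" for stdin as the earlier comment uses it, and that sysctl.conf is applied before the sysctl.d fragments. Unlike a plain fgrep over whole lines, it matches the list only against the key, so a value or comment containing the pattern is not picked up:

```shell
#!/bin/sh
# Hypothetical helper functions for an iptables initscript (example only).

# select_sysctl_settings LOAD_LIST FILE...
# Print the "key = value" lines from FILE... whose key contains one of the
# fixed strings in LOAD_LIST. Comments and blank lines are dropped. Files
# are read in the order given, so a later file wins when sysctl -p applies
# the output, mirroring sysctl.conf-then-sysctl.d application order (assumed).
select_sysctl_settings() {
    list="$1"; shift
    [ -n "$list" ] || return 0      # empty list: nothing to reload
    [ $# -gt 0 ] || return 0        # no files: nothing to read
    cat "$@" 2>/dev/null \
      | sed -e 's/[;#].*//' -e '/^[[:space:]]*$/d' \
      | while IFS= read -r line; do
            key=${line%%=*}         # match on the key only, not the value
            for pat in $list; do
                case "$key" in
                    *"$pat"*) printf '%s\n' "$line"; break ;;
                esac
            done
        done
}

# reload_sysctl_settings LOAD_LIST
# Feed the selected settings to sysctl. -e ignores keys that do not exist
# (e.g. a conntrack key while the module is still unloaded), -q keeps the
# initscript quiet.
reload_sysctl_settings() {
    settings=$(select_sysctl_settings "$1" /etc/sysctl.conf /etc/sysctl.d/*.conf)
    [ -n "$settings" ] || return 0
    printf '%s\n' "$settings" | sysctl -e -q -p -
}

# Dry run: show what would be reloaded without touching the kernel.
if [ "${1:-}" = "--dry-run" ]; then
    select_sysctl_settings "${IPTABLES_SYSCTL_LOAD_LIST:-.ip_conntrack .bridge-nf}" \
        /etc/sysctl.conf /etc/sysctl.d/*.conf
fi
```

Called from start() after the modules are loaded (and only when IPTABLES_MODULES_UNLOAD made the reload necessary), reload_sysctl_settings "$IPTABLES_SYSCTL_LOAD_LIST" restores just the listed keys; with an empty list the behaviour is unchanged from today, which is the v3 patch's default.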