Bug 663359 - systemd complains about nonexisting files in /proc/sys/net/bridge/
Summary: systemd complains about nonexisting files in /proc/sys/net/bridge/
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lennart Poettering
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2010-12-15 14:45 UTC by Petr Lautrbach
Modified: 2011-01-04 23:15 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-01-04 23:15:19 UTC
Type: ---



Description Petr Lautrbach 2010-12-15 14:45:58 UTC
Description of problem:
[    8.221107] systemd-sysctl[345]: Failed to write '0' to '/proc/sys/net/bridge/bridge-nf-call-ip6tables': No such file or directory
[    8.223041] systemd-sysctl[345]: Failed to write '0' to '/proc/sys/net/bridge/bridge-nf-call-iptables': No such file or directory
[    8.224921] systemd-sysctl[345]: Failed to write '0' to '/proc/sys/net/bridge/bridge-nf-call-arptables': No such file or directory

systemd uses its own implementation of sysctl (why?), which can't ignore non-existing keys the way /sbin/sysctl -e (used in the legacy rc.sysinit) does.

You can read about net.bridge.bridge-nf-call-*tables here: #512206


Version-Release number of selected component (if applicable):
systemd-15-1.fc15.x86_64

Comment 1 Martin-Gomez Pablo 2011-01-02 14:05:05 UTC
The problem here is somewhere else:

$ ls -la /proc/sys/net/
total 0
dr-xr-xr-x  0 root root 0  2 janv. 12:47 .
dr-xr-xr-x. 1 root root 0  2 janv. 12:41 ..
dr-xr-xr-x  0 root root 0  2 janv. 12:57 core
dr-xr-xr-x  0 root root 0  2 janv. 12:47 ipv4
dr-xr-xr-x  0 root root 0  2 janv. 12:47 ipv6
dr-xr-xr-x  0 root root 0  2 janv. 12:57 netfilter
-rw-r--r--  1 root root 0  2 janv. 12:57 nf_conntrack_max
dr-xr-xr-x  0 root root 0  2 janv. 12:57 unix

/proc/sys/net/bridge doesn't exist anymore (since when? I don't know), but initscripts still provides the net.bridge.bridge-nf-call-*tables custom hints.

Comment 2 Petr Lautrbach 2011-01-03 13:28:07 UTC
If you set up a bridge network device according to [1], you will see:

$ ls -l /proc/sys/net/bridge
-rw-r--r-- 1 root root 0 Jan  3 13:46 bridge-nf-call-arptables
-rw-r--r-- 1 root root 0 Jan  3 13:46 bridge-nf-call-ip6tables
-rw-r--r-- 1 root root 0 Jan  3 13:46 bridge-nf-call-iptables
-rw-r--r-- 1 root root 0 Jan  3 13:47 bridge-nf-filter-pppoe-tagged
-rw-r--r-- 1 root root 0 Jan  3 13:47 bridge-nf-filter-vlan-tagged

The conclusion from #512206 is to prevent bridged traffic from getting pushed through the host's iptables rules by default, which is done by setting the mentioned variables to 0. Since these variables don't exist without a bridge, they should be ignored by the utility that sets them, as was the case in rc.sysinit: sysctl -e -p /etc/sysctl.conf


[1] http://docs.fedoraproject.org/en-US/Fedora/13/html/Virtualization_Guide/sect-Virtualization-Network_Configuration-Bridged_networking_with_libvirt.html

Comment 3 Lennart Poettering 2011-01-04 23:15:19 UTC
systemd git will no longer warn about sysctl settings that do not exist.

The reason for the native implementation is mostly that other distributions (notably Debian/Ubuntu) support /etc/sysctl.d, which is not supported in procps upstream. Since this is a useful feature we wanted to bring to all distros, we were considering three things: a) add this feature to procps upstream, b) add a tool to systemd which invokes procps' sysctl for each file found, or c) simply reimplement this in systemd. We ended up choosing c), since the sysctl binary is actually one of the most trivial tools around and can be implemented in a handful of lines only, and this was the only reason for the dep of systemd on procps. You can now prep a minimal embedded system with little more than glibc, systemd, util-linux, udev, dbus, which is kinda nice.
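As an added example (not code from this bug, systemd or procps), a small Python sketch of the `sysctl -e -p` semantics the reporters ask for: a key whose file is absent under /proc/sys is recorded and skipped instead of failing the run, while other write errors are still reported per key. The sample configuration and the fake proc root used by `demo()` are constructed for this example.

```python
import errno
import tempfile
from pathlib import Path

# Constructed sample in sysctl.conf syntax, using the keys from this bug.
SAMPLE_CONF = """\
# Disable netfilter on bridges (see #512206).
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
net.ipv4.ip_forward = 0
"""


def parse_sysctl_conf(text):
    """Yield (key, value) pairs; blank lines and '#'/';' comments are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if sep:  # a line without '=' is malformed and ignored
            yield key.strip(), value.strip()


def apply_sysctl(text, proc_root="/proc/sys", ignore_missing=True):
    """Write each setting under proc_root (dots become path separators) and
    return {key: "applied" | "missing" | "error:<errno name>"}; with
    ignore_missing an absent key is skipped, as `sysctl -e` does."""
    results = {}
    for key, value in parse_sysctl_conf(text):
        path = Path(proc_root, *key.split("."))
        try:
            path.write_text(value + "\n")
            results[key] = "applied"
        except FileNotFoundError:
            if not ignore_missing:
                raise  # the behaviour reported in this bug: a hard failure
            results[key] = "missing"
        except OSError as exc:  # e.g. EACCES when not root, EINVAL on a bad value
            results[key] = "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    return results


def demo():
    """Apply SAMPLE_CONF against a fake proc root that has no net/bridge directory."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "net" / "ipv4").mkdir(parents=True)
        (Path(root) / "net" / "ipv4" / "ip_forward").write_text("1\n")
        return apply_sysctl(SAMPLE_CONF, root)
```

Skipping is not the same as applying: on a host where the bridge keys appear only once a bridge is created, these values are not set until the file is applied again, and the kernel's own default for bridge-nf-call-iptables is 1, so bridged traffic does traverse the host's iptables rules until then.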

