|
 |
64e4ee |
From c41e34a5a8fbda2731aa724e65dcc93aa9ab7b64 Mon Sep 17 00:00:00 2001
|
|
|
64e4ee |
From: Eric Garver <e@erig.me>
|
|
|
64e4ee |
Date: Thu, 3 Aug 2017 15:06:57 -0400
|
|
|
64e4ee |
Subject: [PATCH] Reload nf_conntrack sysctls after the module is loaded
|
|
|
64e4ee |
|
|
|
64e4ee |
Add a modprobe config file that will cause specified sysctls to be
|
|
|
64e4ee |
reloaded after a given module is loaded. This is needed because sysctls
|
|
|
64e4ee |
will go away and reappear when modules are unloaded which happens on a
|
|
|
64e4ee |
firewalld restart. e.g. nf_conntrack_max.
|
|
|
64e4ee |
|
|
|
64e4ee |
Fixes: RHBZ#1462977
|
|
|
64e4ee |
(cherry picked from commit 65434db736fa68a25e1ab417f6c330c03c5eafde)
|
|
|
64e4ee |
---
|
|
|
64e4ee |
config/Makefile.am | 22 ++++++++++++++++++++--
|
|
|
64e4ee |
config/firewalld-sysctls.conf.in | 1 +
|
|
|
64e4ee |
configure.ac | 1 +
|
|
|
64e4ee |
firewalld.spec | 1 +
|
|
|
64e4ee |
4 files changed, 23 insertions(+), 2 deletions(-)
|
|
|
64e4ee |
create mode 100644 config/firewalld-sysctls.conf.in
|
|
|
64e4ee |
|
|
|
64e4ee |
diff --git a/config/Makefile.am b/config/Makefile.am
|
|
|
64e4ee |
index 1035c9f940a9..a66ae05d8122 100644
|
|
|
64e4ee |
--- a/config/Makefile.am
|
|
|
64e4ee |
+++ b/config/Makefile.am
|
|
|
64e4ee |
@@ -42,6 +42,7 @@ BUILT_SOURCES = \
|
|
|
64e4ee |
$(applet_desktop_DATA) \
|
|
|
64e4ee |
$(polkit1_action_DATA) \
|
|
|
64e4ee |
$(gsettings_SCHEMAS) \
|
|
|
64e4ee |
+ firewalld-sysctls.conf \
|
|
|
64e4ee |
firewalld.service
|
|
|
64e4ee |
|
|
|
64e4ee |
@INTLTOOL_DESKTOP_RULE@
|
|
|
64e4ee |
@@ -51,7 +52,7 @@ BUILT_SOURCES = \
|
|
|
64e4ee |
|
|
|
64e4ee |
all: $(desktop_DATA) $(appdata_DATA) $(applet_desktop_DATA) $(polkit1_action_DATA) $(gsettings_SCHEMAS)
|
|
|
64e4ee |
|
|
|
64e4ee |
-CLEANFILES = *~ *\# .\#* firewalld.service
|
|
|
64e4ee |
+CLEANFILES = *~ *\# .\#* firewalld.service firewalld-sysctls.conf
|
|
|
64e4ee |
|
|
|
64e4ee |
DISTCLEANFILES = \
|
|
|
64e4ee |
$(desktop_DATA) \
|
|
|
64e4ee |
@@ -246,6 +247,7 @@ EXTRA_DIST = \
|
|
|
64e4ee |
$(CONFIG_FILES) \
|
|
|
64e4ee |
$(dist_xmlschema_DATA) \
|
|
|
64e4ee |
firewalld.init \
|
|
|
64e4ee |
+ firewalld-sysctls.conf.in \
|
|
|
64e4ee |
firewalld.service.in \
|
|
|
64e4ee |
firewalld.sysconfig \
|
|
|
64e4ee |
macros.firewalld
|
|
|
64e4ee |
@@ -253,6 +255,9 @@ EXTRA_DIST = \
|
|
|
64e4ee |
INSTALL_TARGETS = install-config
|
|
|
64e4ee |
UNINSTALL_TARGETS = uninstall-config
|
|
|
64e4ee |
|
|
|
64e4ee |
+INSTALL_TARGETS += install-modprobe.d
|
|
|
64e4ee |
+UNINSTALL_TARGETS += uninstall-modprobe.d
|
|
|
64e4ee |
+
|
|
|
64e4ee |
if USE_SYSTEMD
|
|
|
64e4ee |
INSTALL_TARGETS += install-service
|
|
|
64e4ee |
UNINSTALL_TARGETS += uninstall-service
|
|
|
64e4ee |
@@ -275,11 +280,16 @@ edit = sed \
|
|
|
64e4ee |
-e 's|@bindir[@]|$(bindir)|g' \
|
|
|
64e4ee |
-e 's|@sbindir[@]|$(sbindir)|g' \
|
|
|
64e4ee |
-e 's|@sysconfdir[@]|$(sysconfdir)|g' \
|
|
|
64e4ee |
- -e 's|@localstatedir[@]|$(localstatedir)|g'
|
|
|
64e4ee |
+ -e 's|@localstatedir[@]|$(localstatedir)|g' \
|
|
|
64e4ee |
+ -e 's|@MODPROBE[@]|$(MODPROBE)|g' \
|
|
|
64e4ee |
+ -e 's|@SYSCTL[@]|$(SYSCTL)|g'
|
|
|
64e4ee |
|
|
|
64e4ee |
firewalld.service: firewalld.service.in
|
|
|
64e4ee |
$(edit) $< >$@
|
|
|
64e4ee |
|
|
|
64e4ee |
+firewalld-sysctls.conf: firewalld-sysctls.conf.in
|
|
|
64e4ee |
+ $(edit) $< >$@
|
|
|
64e4ee |
+
|
|
|
64e4ee |
install-sysconfig:
|
|
|
64e4ee |
$(MKDIR_P) $(DESTDIR)$(sysconfdir)/sysconfig
|
|
|
64e4ee |
$(INSTALL_DATA) $(srcdir)/firewalld.sysconfig $(DESTDIR)$(sysconfdir)/sysconfig/firewalld
|
|
|
64e4ee |
@@ -312,6 +322,14 @@ uninstall-service: uninstall-sysconfig
|
|
|
64e4ee |
rm -f $(DESTDIR)$(SYSTEMD_UNITDIR)/firewalld.service
|
|
|
64e4ee |
rmdir $(DESTDIR)$(SYSTEMD_UNITDIR) || :
|
|
|
64e4ee |
|
|
|
64e4ee |
+install-modprobe.d:
|
|
|
64e4ee |
+ $(MKDIR_P) $(DESTDIR)$(sysconfdir)/modprobe.d
|
|
|
64e4ee |
+ $(INSTALL_DATA) firewalld-sysctls.conf $(DESTDIR)$(sysconfdir)/modprobe.d/firewalld-sysctls.conf
|
|
|
64e4ee |
+
|
|
|
64e4ee |
+uninstall-modprobe.d:
|
|
|
64e4ee |
+ rm -f $(DESTDIR)$(sysconfdir)/modprobe.d/firewalld-sysctls.conf
|
|
|
64e4ee |
+ rmdir $(DESTDIR)$(sysconfdir)/modprobe.d || :
|
|
|
64e4ee |
+
|
|
|
64e4ee |
install-config:
|
|
|
64e4ee |
$(MKDIR_P) $(DESTDIR)$(sconfdir)
|
|
|
64e4ee |
$(MKDIR_P) $(DESTDIR)$(sconfdir)/icmptypes
|
|
|
64e4ee |
diff --git a/config/firewalld-sysctls.conf.in b/config/firewalld-sysctls.conf.in
|
|
|
64e4ee |
new file mode 100644
|
|
|
64e4ee |
index 000000000000..976027743e8f
|
|
|
64e4ee |
--- /dev/null
|
|
|
64e4ee |
+++ b/config/firewalld-sysctls.conf.in
|
|
|
64e4ee |
@@ -0,0 +1 @@
|
|
|
64e4ee |
+install nf_conntrack @MODPROBE@ --ignore-install nf_conntrack && @SYSCTL@ --pattern 'net[.]netfilter[.]nf_conntrack.*' --system
|
|
|
64e4ee |
diff --git a/configure.ac b/configure.ac
|
|
|
64e4ee |
index e3525703819d..776e627b0fa0 100644
|
|
|
64e4ee |
--- a/configure.ac
|
|
|
64e4ee |
+++ b/configure.ac
|
|
|
64e4ee |
@@ -33,6 +33,7 @@ AC_PATH_PROG([KILL], [kill], [/usr/bin/kill])
|
|
|
64e4ee |
AC_PATH_PROG([MODINFO], [modinfo], [/sbin/modinfo])
|
|
|
64e4ee |
AC_PATH_PROG([MODPROBE], [modprobe], [/sbin/modprobe])
|
|
|
64e4ee |
AC_PATH_PROG([RMMOD], [rmmod], [/sbin/rmmod])
|
|
|
64e4ee |
+AC_PATH_PROG([SYSCTL], [sysctl], [/sbin/sysctl])
|
|
|
64e4ee |
|
|
|
64e4ee |
GLIB_GSETTINGS
|
|
|
64e4ee |
|
|
|
64e4ee |
diff --git a/firewalld.spec b/firewalld.spec
|
|
|
64e4ee |
index 7f16f38d2932..476f9668d44f 100644
|
|
|
64e4ee |
--- a/firewalld.spec
|
|
|
64e4ee |
+++ b/firewalld.spec
|
|
|
64e4ee |
@@ -240,6 +240,7 @@ fi
|
|
|
64e4ee |
%{_mandir}/man1/firewallctl*.1*
|
|
|
64e4ee |
%{_mandir}/man1/firewalld*.1*
|
|
|
64e4ee |
%{_mandir}/man5/firewall*.5*
|
|
|
64e4ee |
+%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf
|
|
|
64e4ee |
|
|
|
64e4ee |
%files -n python-firewall
|
|
|
64e4ee |
%attr(0755,root,root) %dir %{python2_sitelib}/firewall
|
|
|
64e4ee |
--
|
|
|
64e4ee |
2.12.0
|
|
|
64e4ee |
|