SOURCES/firewalld-0.4.4.7-Fix-and-improve-firewalld-sysctls.conf.patch

From 8a8d61822d37639e1d952befc4528c32a3240dc5 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 28 Nov 2017 20:56:38 +0100
Subject: [PATCH] Fix and improve firewalld-sysctls.conf

The output generated by the call to sysctl apparently messed up kernel
module auto-loading via iptables. To reproduce:

| # iptables -F INPUT
| # rmmod nf_conntrack_ipv4 xt_connbytes nf_conntrack
| # iptables -A INPUT -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes
| iptables: No chain/target/match by that name.

This is solved by silencing sysctl with the '--quiet' parameter.

Another (potential) issue is that module parameters passed to modprobe
when manually loading nf_conntrack:

| # modprobe --ignore-install nf_conntrack nf_conntrack_helper=1
| # cat /sys/module/nf_conntrack/parameters/nf_conntrack_helper
| Y
| # rmmod nf_conntrack
| # modprobe nf_conntrack nf_conntrack_helper=1
| * Applying /usr/lib/sysctl.d/00-system.conf ...
| * Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
| * Applying /usr/lib/sysctl.d/50-default.conf ...
| * Applying /etc/sysctl.d/99-sysctl.conf ...
| * Applying /etc/sysctl.conf ...
| # cat /sys/module/nf_conntrack/parameters/nf_conntrack_helper
| N

This is fixed by adding $CMDLINE_OPTS as the last parameter to the modprobe
call as described in modprobe.conf(5).
---
 config/firewalld-sysctls.conf.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/firewalld-sysctls.conf.in b/config/firewalld-sysctls.conf.in
index 976027743e8f..945193f13c75 100644
--- a/config/firewalld-sysctls.conf.in
+++ b/config/firewalld-sysctls.conf.in
@@ -1 +1 @@
-install nf_conntrack @MODPROBE@ --ignore-install nf_conntrack && @SYSCTL@ --pattern 'net[.]netfilter[.]nf_conntrack.*' --system
+install nf_conntrack @MODPROBE@ --ignore-install nf_conntrack $CMDLINE_OPTS && @SYSCTL@ --quiet --pattern 'net[.]netfilter[.]nf_conntrack.*' --system
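Review bot: the `&&` chain on the new `install` line means a non-zero exit from `@SYSCTL@` (for example an unrecognised key matching `net.netfilter.nf_conntrack.*` in a user's sysctl.d file) makes the whole install command, and therefore `modprobe nf_conntrack`, report failure even though the module is already loaded at that point; if that is not intended, consider making the sysctl step not propagate its exit status. The `--quiet` flag only suppresses the "* Applying ..." and key=value lines on stdout, so errors from sysctl will still be printed by the helper, which is worth a sentence in the commit message. `$CMDLINE_OPTS` is correctly left unquoted here: modprobe substitutes it textually before handing the line to the shell, and a quoted form would collapse several module parameters into one argument.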
-- 
2.12.0