From c41e34a5a8fbda2731aa724e65dcc93aa9ab7b64 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Thu, 3 Aug 2017 15:06:57 -0400
Subject: [PATCH] Reload nf_conntrack sysctls after the module is loaded
Add a modprobe config file that will cause specified sysctls to be
reloaded after a given module is loaded. This is needed because sysctls
will go away and reappear when modules are unloaded, which happens on a
firewalld restart (e.g. nf_conntrack_max).
Fixes: RHBZ#1462977
(cherry picked from commit 65434db736fa68a25e1ab417f6c330c03c5eafde)
---
config/Makefile.am | 22 ++++++++++++++++++++--
config/firewalld-sysctls.conf.in | 1 +
configure.ac | 1 +
firewalld.spec | 1 +
4 files changed, 23 insertions(+), 2 deletions(-)
create mode 100644 config/firewalld-sysctls.conf.in
diff --git a/config/Makefile.am b/config/Makefile.am
index 1035c9f940a9..a66ae05d8122 100644
--- a/config/Makefile.am
+++ b/config/Makefile.am
@@ -42,6 +42,7 @@ BUILT_SOURCES = \
$(applet_desktop_DATA) \
$(polkit1_action_DATA) \
$(gsettings_SCHEMAS) \
+ firewalld-sysctls.conf \
firewalld.service
@INTLTOOL_DESKTOP_RULE@
@@ -51,7 +52,7 @@ BUILT_SOURCES = \
all: $(desktop_DATA) $(appdata_DATA) $(applet_desktop_DATA) $(polkit1_action_DATA) $(gsettings_SCHEMAS)
-CLEANFILES = *~ *\# .\#* firewalld.service
+CLEANFILES = *~ *\# .\#* firewalld.service firewalld-sysctls.conf
DISTCLEANFILES = \
$(desktop_DATA) \
@@ -246,6 +247,7 @@ EXTRA_DIST = \
$(CONFIG_FILES) \
$(dist_xmlschema_DATA) \
firewalld.init \
+ firewalld-sysctls.conf.in \
firewalld.service.in \
firewalld.sysconfig \
macros.firewalld
@@ -253,6 +255,9 @@ EXTRA_DIST = \
INSTALL_TARGETS = install-config
UNINSTALL_TARGETS = uninstall-config
+INSTALL_TARGETS += install-modprobe.d
+UNINSTALL_TARGETS += uninstall-modprobe.d
+
if USE_SYSTEMD
INSTALL_TARGETS += install-service
UNINSTALL_TARGETS += uninstall-service
@@ -275,11 +280,16 @@ edit = sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sbindir[@]|$(sbindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g' \
- -e 's|@localstatedir[@]|$(localstatedir)|g'
+ -e 's|@localstatedir[@]|$(localstatedir)|g' \
+ -e 's|@MODPROBE[@]|$(MODPROBE)|g' \
+ -e 's|@SYSCTL[@]|$(SYSCTL)|g'
firewalld.service: firewalld.service.in
$(edit) $< >$@
+firewalld-sysctls.conf: firewalld-sysctls.conf.in
+ $(edit) $< >$@
+
install-sysconfig:
$(MKDIR_P) $(DESTDIR)$(sysconfdir)/sysconfig
$(INSTALL_DATA) $(srcdir)/firewalld.sysconfig $(DESTDIR)$(sysconfdir)/sysconfig/firewalld
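Review bot: The new `firewalld-sysctls.conf` rule regenerates only when the `.in` template changes, so after configure is re-run with a different `$(MODPROBE)` or `$(SYSCTL)` result the file installed into modprobe.d keeps the stale absolute paths; the rule should also depend on the Makefile, `firewalld-sysctls.conf: firewalld-sysctls.conf.in Makefile`. The recipe `$(edit) $< >$@` additionally leaves a truncated-but-newer target behind when sed fails, and automake-generated Makefiles do not set `.DELETE_ON_ERROR`, so `$(edit) $< >$@.tmp && mv -f $@.tmp $@` would keep a half-written file from being installed as a root-executed modprobe hook. The pre-existing firewalld.service rule has the same shape, so this is a consistency choice rather than a regression introduced here.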
@@ -312,6 +322,14 @@ uninstall-service: uninstall-sysconfig
rm -f $(DESTDIR)$(SYSTEMD_UNITDIR)/firewalld.service
rmdir $(DESTDIR)$(SYSTEMD_UNITDIR) || :
+install-modprobe.d:
+ $(MKDIR_P) $(DESTDIR)$(sysconfdir)/modprobe.d
+ $(INSTALL_DATA) firewalld-sysctls.conf $(DESTDIR)$(sysconfdir)/modprobe.d/firewalld-sysctls.conf
+
+uninstall-modprobe.d:
+ rm -f $(DESTDIR)$(sysconfdir)/modprobe.d/firewalld-sysctls.conf
+ rmdir $(DESTDIR)$(sysconfdir)/modprobe.d || :
+
install-config:
$(MKDIR_P) $(DESTDIR)$(sconfdir)
$(MKDIR_P) $(DESTDIR)$(sconfdir)/icmptypes
diff --git a/config/firewalld-sysctls.conf.in b/config/firewalld-sysctls.conf.in
new file mode 100644
index 000000000000..976027743e8f
--- /dev/null
+++ b/config/firewalld-sysctls.conf.in
@@ -0,0 +1 @@
+install nf_conntrack @MODPROBE@ --ignore-install nf_conntrack && @SYSCTL@ --pattern 'net[.]netfilter[.]nf_conntrack.*' --system
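Review bot: Because a modprobe `install` line replaces the normal module insertion, its exit status becomes the result of loading nf_conntrack, and the `&&` chain here makes any non-zero exit from `@SYSCTL@` report the load as failed even though the module is already in the kernel; both an explicit `modprobe nf_conntrack` and kernel autoload see that failure. With `--system`, a sysctl.d entry matching the pattern whose key is not registered at this point (for instance one that only appears once a later conntrack module is loaded) is enough to trigger it; consider `@SYSCTL@ -e --pattern 'net[.]netfilter[.]nf_conntrack.*' --system` so unknown keys are skipped rather than fatal, or otherwise decouple the sysctl step's status from the module load. A comment line above the rule, such as `# Re-apply nf_conntrack sysctls every time the module is (re)loaded, e.g. across a firewalld restart`, would explain to an administrator why this file exists in modprobe.d.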
diff --git a/configure.ac b/configure.ac
index e3525703819d..776e627b0fa0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -33,6 +33,7 @@ AC_PATH_PROG([KILL], [kill], [/usr/bin/kill])
AC_PATH_PROG([MODINFO], [modinfo], [/sbin/modinfo])
AC_PATH_PROG([MODPROBE], [modprobe], [/sbin/modprobe])
AC_PATH_PROG([RMMOD], [rmmod], [/sbin/rmmod])
+AC_PATH_PROG([SYSCTL], [sysctl], [/sbin/sysctl])
GLIB_GSETTINGS
diff --git a/firewalld.spec b/firewalld.spec
index 7f16f38d2932..476f9668d44f 100644
--- a/firewalld.spec
+++ b/firewalld.spec
@@ -240,6 +240,7 @@ fi
%{_mandir}/man1/firewallctl*.1*
%{_mandir}/man1/firewalld*.1*
%{_mandir}/man5/firewall*.5*
+%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf
%files -n python-firewall
%attr(0755,root,root) %dir %{python2_sitelib}/firewall
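Review bot: The new entry lives under `%{_sysconfdir}` but is listed without a `%config` marker, so rpm treats it as an ordinary file and rpmlint will report non-conffile-in-etc; the choice of whether local edits should survive an upgrade should be made explicitly. If the content is meant to be tunable, `%config(noreplace) %{_sysconfdir}/modprobe.d/firewalld-sysctls.conf` is the usual form; if it is package-owned and must always match the generated template, a short comment in the spec stating that would document the decision.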
--
2.12.0