From 8a8d61822d37639e1d952befc4528c32a3240dc5 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 28 Nov 2017 20:56:38 +0100
Subject: [PATCH] Fix and improve firewalld-sysctls.conf

The output generated by the call to sysctl apparently messed up kernel
module auto-loading via iptables. To reproduce:

| # iptables -F INPUT
| # rmmod nf_conntrack_ipv4 xt_connbytes nf_conntrack
| # iptables -A INPUT -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes
| iptables: No chain/target/match by that name.

This is solved by silencing sysctl with the '--quiet' parameter.

Another (potential) issue is that module parameters passed to modprobe
when manually loading nf_conntrack:

| # modprobe --ignore-install nf_conntrack nf_conntrack_helper=1
| # cat /sys/module/nf_conntrack/parameters/nf_conntrack_helper
| Y
| # rmmod nf_conntrack
| # modprobe nf_conntrack nf_conntrack_helper=1
| * Applying /usr/lib/sysctl.d/00-system.conf ...
| * Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
| * Applying /usr/lib/sysctl.d/50-default.conf ...
| * Applying /etc/sysctl.d/99-sysctl.conf ...
| * Applying /etc/sysctl.conf ...
| # cat /sys/module/nf_conntrack/parameters/nf_conntrack_helper
| N

This is fixed by adding $CMDLINE_OPTS as last parameter to the modprobe
call as described in modprobe.conf(5).
---
 config/firewalld-sysctls.conf.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/firewalld-sysctls.conf.in b/config/firewalld-sysctls.conf.in
index 976027743e8f..945193f13c75 100644
--- a/config/firewalld-sysctls.conf.in
+++ b/config/firewalld-sysctls.conf.in
@@ -1 +1 @@
-install nf_conntrack @MODPROBE@ --ignore-install nf_conntrack && @SYSCTL@ --pattern 'net[.]netfilter[.]nf_conntrack.*' --system
+install nf_conntrack @MODPROBE@ --ignore-install nf_conntrack $CMDLINE_OPTS && @SYSCTL@ --quiet --pattern 'net[.]netfilter[.]nf_conntrack.*' --system
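Review bot: the exit status of this install line is now whatever `@SYSCTL@ --quiet ... --system` returns, because the `&&` chain makes sysctl the last command; if sysctl fails (for example a key it tries to set is not present), modprobe will report the nf_conntrack load as failed even though `@MODPROBE@ --ignore-install nf_conntrack $CMDLINE_OPTS` already succeeded. Consider whether a sysctl failure should propagate to the caller or be tolerated, e.g. `... && @SYSCTL@ --quiet --pattern 'net[.]netfilter[.]nf_conntrack.*' --system || true`, and record the decision in the commit message. The placement of `$CMDLINE_OPTS` directly after the module name and deliberately unquoted (so that multiple options split into separate arguments) matches modprobe.conf(5); a one-line comment in the .conf.in file saying why it is there would help future readers, since the reproduction in the commit message is the only explanation.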
-- 
2.12.0