From c41e34a5a8fbda2731aa724e65dcc93aa9ab7b64 Mon Sep 17 00:00:00 2001 From: Eric Garver Date: Thu, 3 Aug 2017 15:06:57 -0400 Subject: [PATCH] Reload nf_conntrack sysctls after the module is loaded Add a modprobe config file that will cause specified sysctls to be reloaded after a given module is loaded. This is needed because sysctls will go away and reappear when modules are unloaded which happens on a firewalld restart. e.g. nf_conntrack_max. Fixes: RHBZ#1462977 (cherry picked from commit 65434db736fa68a25e1ab417f6c330c03c5eafde) --- config/Makefile.am | 22 ++++++++++++++++++++-- config/firewalld-sysctls.conf.in | 1 + configure.ac | 1 + firewalld.spec | 1 + 4 files changed, 23 insertions(+), 2 deletions(-) create mode 100644 config/firewalld-sysctls.conf.in diff --git a/config/Makefile.am b/config/Makefile.am index 1035c9f940a9..a66ae05d8122 100644 --- a/config/Makefile.am +++ b/config/Makefile.am @@ -42,6 +42,7 @@ BUILT_SOURCES = \ $(applet_desktop_DATA) \ $(polkit1_action_DATA) \ $(gsettings_SCHEMAS) \ + firewalld-sysctls.conf \ firewalld.service @INTLTOOL_DESKTOP_RULE@ @@ -51,7 +52,7 @@ BUILT_SOURCES = \ all: $(desktop_DATA) $(appdata_DATA) $(applet_desktop_DATA) $(polkit1_action_DATA) $(gsettings_SCHEMAS) -CLEANFILES = *~ *\# .\#* firewalld.service +CLEANFILES = *~ *\# .\#* firewalld.service firewalld-sysctls.conf DISTCLEANFILES = \ $(desktop_DATA) \ @@ -246,6 +247,7 @@ EXTRA_DIST = \ $(CONFIG_FILES) \ $(dist_xmlschema_DATA) \ firewalld.init \ + firewalld-sysctls.conf.in \ firewalld.service.in \ firewalld.sysconfig \ macros.firewalld @@ -253,6 +255,9 @@ EXTRA_DIST = \ INSTALL_TARGETS = install-config UNINSTALL_TARGETS = uninstall-config +INSTALL_TARGETS += install-modprobe.d +UNINSTALL_TARGETS += uninstall-modprobe.d + if USE_SYSTEMD INSTALL_TARGETS += install-service UNINSTALL_TARGETS += uninstall-service 
@@ -275,11 +280,16 @@ edit = sed \ -e 's|@bindir[@]|$(bindir)|g' \ -e 's|@sbindir[@]|$(sbindir)|g' \ -e 's|@sysconfdir[@]|$(sysconfdir)|g' \ - -e 's|@localstatedir[@]|$(localstatedir)|g' + -e 's|@localstatedir[@]|$(localstatedir)|g' \ + -e 's|@MODPROBE[@]|$(MODPROBE)|g' \ + -e 's|@SYSCTL[@]|$(SYSCTL)|g' firewalld.service: firewalld.service.in $(edit) $< >$@ +firewalld-sysctls.conf: firewalld-sysctls.conf.in + $(edit) $< >$@ + install-sysconfig: $(MKDIR_P) $(DESTDIR)$(sysconfdir)/sysconfig $(INSTALL_DATA) $(srcdir)/firewalld.sysconfig $(DESTDIR)$(sysconfdir)/sysconfig/firewalld @@ -312,6 +322,14 @@ uninstall-service: uninstall-sysconfig rm -f $(DESTDIR)$(SYSTEMD_UNITDIR)/firewalld.service rmdir $(DESTDIR)$(SYSTEMD_UNITDIR) || : +install-modprobe.d: + $(MKDIR_P) $(DESTDIR)$(sysconfdir)/modprobe.d + $(INSTALL_DATA) firewalld-sysctls.conf $(DESTDIR)$(sysconfdir)/modprobe.d/firewalld-sysctls.conf + +uninstall-modprobe.d: + rm -f $(DESTDIR)$(sysconfdir)/modprobe.d/firewalld-sysctls.conf + rmdir $(DESTDIR)$(sysconfdir)/modprobe.d || : + install-config: $(MKDIR_P) $(DESTDIR)$(sconfdir) $(MKDIR_P) $(DESTDIR)$(sconfdir)/icmptypes diff --git a/config/firewalld-sysctls.conf.in b/config/firewalld-sysctls.conf.in new file mode 100644 index 000000000000..976027743e8f --- /dev/null +++ b/config/firewalld-sysctls.conf.in @@ -0,0 +1 @@ +install nf_conntrack @MODPROBE@ --ignore-install nf_conntrack && @SYSCTL@ --pattern 'net[.]netfilter[.]nf_conntrack.*' --system diff --git a/configure.ac b/configure.ac index e3525703819d..776e627b0fa0 100644 --- a/configure.ac +++ b/configure.ac @@ -33,6 +33,7 @@ AC_PATH_PROG([KILL], [kill], [/usr/bin/kill]) AC_PATH_PROG([MODINFO], [modinfo], [/sbin/modinfo]) AC_PATH_PROG([MODPROBE], [modprobe], [/sbin/modprobe]) AC_PATH_PROG([RMMOD], [rmmod], [/sbin/rmmod]) +AC_PATH_PROG([SYSCTL], [sysctl], [/sbin/sysctl]) GLIB_GSETTINGS diff --git a/firewalld.spec b/firewalld.spec index 7f16f38d2932..476f9668d44f 100644 --- a/firewalld.spec +++ b/firewalld.spec 
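Review bot: `install-modprobe.d` puts the generated snippet in `$(DESTDIR)$(sysconfdir)/modprobe.d`, but its content is fixed at configure time (the `@MODPROBE@`/`@SYSCTL@` paths substituted by `$(edit)`) rather than something an administrator is expected to edit, and modprobe(8) gives a file in `/etc/modprobe.d` precedence over one of the same name in `/lib/modprobe.d` (`/usr/lib` on merged-/usr systems), so shipping the package-owned copy in `/etc` leaves no clean place for a local override. Consider installing it below `$(prefix)/lib/modprobe.d` instead, e.g. `$(MKDIR_P) $(DESTDIR)$(prefix)/lib/modprobe.d` followed by `$(INSTALL_DATA) firewalld-sysctls.conf $(DESTDIR)$(prefix)/lib/modprobe.d/firewalld-sysctls.conf`, keeping `/etc/modprobe.d` for administrator overrides. If the `/etc` location is deliberate, the packaging has to treat the file as configuration. The `rmdir ... || :` in `uninstall-modprobe.d` is appropriate since the directory is shared with other packages' snippets.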
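Review bot: The pattern `net[.]netfilter[.]nf_conntrack.*` does not match the legacy alias `net.nf_conntrack_max` (`/proc/sys/net/nf_conntrack_max`), which is the spelling many existing sysctl.d files use for exactly the value the commit message says is lost on reload; the pattern should cover both, e.g. `--pattern 'net[.](netfilter[.])?nf_conntrack'` (assuming sysctl's `--pattern` is an extended regex, which procps' appears to be). The inner `@MODPROBE@ --ignore-install nf_conntrack` also drops any module options passed to the outer invocation; modprobe.d(5) recommends appending `$CMDLINE_OPTS` to the inner command so `modprobe nf_conntrack <opts>` still reaches the module. Finally, because the two commands are joined with `&&`, a non-zero exit from sysctl (for instance a sysctl.d entry matching the pattern for a key this kernel does not expose) makes every load of nf_conntrack, including kernel-triggered autoloads through dependent modules, report failure even though the module is already loaded; decide whether that is intended or soften it with sysctl's `-e`/`--ignore` so unknown keys are skipped rather than fatal.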
@@ -240,6 +240,7 @@ fi %{_mandir}/man1/firewallctl*.1* %{_mandir}/man1/firewalld*.1* %{_mandir}/man5/firewall*.5* +%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf %files -n python-firewall %attr(0755,root,root) %dir %{python2_sitelib}/firewall -- 2.12.0
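Review bot: The new `%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf` entry carries no `%config` marker, so rpm treats a file under `/etc` as ordinary payload and silently overwrites any local edits on upgrade, with no `.rpmsave`/`.rpmnew` left behind; if the file stays in `/etc` it should be listed as `%config(noreplace) %{_sysconfdir}/modprobe.d/firewalld-sysctls.conf`. Since the file is generated at build time and not meant to be hand-edited, installing it under `%{_prefix}/lib/modprobe.d` and leaving `/etc/modprobe.d` to the administrator would sidestep the question entirely. The `%files` list continues outside this hunk.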