From 8a8d61822d37639e1d952befc4528c32a3240dc5 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Tue, 28 Nov 2017 20:56:38 +0100
Subject: [PATCH] Fix and improve firewalld-sysctls.conf

The output generated by the call to sysctl apparently messed up kernel module auto-loading via iptables. To reproduce:

| # iptables -F INPUT
| # rmmod nf_conntrack_ipv4 xt_connbytes nf_conntrack
| # iptables -A INPUT -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes
| iptables: No chain/target/match by that name.

This is solved by silencing sysctl with '--quiet' parameter.

Another (potential) issue is that module parameters passed to modprobe when manually loading nf_conntrack:

| # modprobe --ignore-install nf_conntrack nf_conntrack_helper=1
| # cat /sys/module/nf_conntrack/parameters/nf_conntrack_helper
| Y
| # rmmod nf_conntrack
| # modprobe nf_conntrack nf_conntrack_helper=1
| * Applying /usr/lib/sysctl.d/00-system.conf ...
| * Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
| * Applying /usr/lib/sysctl.d/50-default.conf ...
| * Applying /etc/sysctl.d/99-sysctl.conf ...
| * Applying /etc/sysctl.conf ...
| # cat /sys/module/nf_conntrack/parameters/nf_conntrack_helper
| N

This is fixed by adding $CMDLINE_OPTS as last parameter to the modprobe call as described in modprobe.conf(5).
---
 config/firewalld-sysctls.conf.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/firewalld-sysctls.conf.in b/config/firewalld-sysctls.conf.in
index 976027743e8f..945193f13c75 100644
--- a/config/firewalld-sysctls.conf.in
+++ b/config/firewalld-sysctls.conf.in
@@ -1 +1 @@
-install nf_conntrack @MODPROBE@ --ignore-install nf_conntrack && @SYSCTL@ --pattern 'net[.]netfilter[.]nf_conntrack.*' --system
+install nf_conntrack @MODPROBE@ --ignore-install nf_conntrack $CMDLINE_OPTS && @SYSCTL@ --quiet --pattern 'net[.]netfilter[.]nf_conntrack.*' --system
--
2.12.0
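Review bot: The new install line still makes the module-load result depend on sysctl's exit status through `&&`: the inner `@MODPROBE@ --ignore-install` has already inserted nf_conntrack by the time `@SYSCTL@ --system` runs, so if sysctl returns non-zero (for example a matched `net.netfilter.nf_conntrack*` key that the running kernel does not expose — whether a single failed key makes `--system` exit non-zero depends on the procps version), the requester sees a failed modprobe for a module that is in fact loaded, which is the same class of breakage the `--quiet` change works around. If the intent is that conntrack hardening sysctls are best-effort relative to the load itself, decouple them explicitly, e.g. `... $CMDLINE_OPTS && { @SYSCTL@ --quiet --pattern 'net[.]netfilter[.]nf_conntrack.*' --system || true; }`, accepting that sysctl errors then only surface on stderr; otherwise the coupling deserves a comment stating it is deliberate. Since the reasoning for both `--quiet` and `$CMDLINE_OPTS` lives only in this commit message, I would add a `#` comment above the line in the .in file, e.g. `# $CMDLINE_OPTS forwards options given to "modprobe nf_conntrack foo=1" (modprobe.conf(5)); --quiet keeps sysctl's stdout from breaking iptables module autoloading. $CMDLINE_OPTS is intentionally unquoted so several options word-split.` Note also that modprobe.d(5) in current kmod discourages `install` hooks, so a later maintainer should know this one exists to apply sysctls at load time, not to alter how the module is loaded.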