FS#24466 - iptables restart resets /proc/sys/net/ipv4/ip_forward to 0

Attached to Project: Arch Linux
Opened by Marc Rechté (mrechte) - Friday, 27 May 2011, 09:02 GMT
Last edited by Dan McGee (toofishes) - Saturday, 23 July 2011, 18:09 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Ronald van Haren (pressh)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
iptables restart resets /proc/sys/net/ipv4/ip_forward to 0

Additional info:
* package version(s)
iptables 1.4.10-1
* config and/or log files etc.


Steps to reproduce:
rc.d restart iptables

Closed by Dan McGee (toofishes)
Saturday, 23 July 2011, 18:09 GMT
Reason for closing: Fixed
Additional comments about closing: Will be fixed in 1.4.12
Comment by Jan de Groot (JGC) - Monday, 30 May 2011, 08:05 GMT
IMHO the iptables script should not touch those variables at all. The start action enables it conditionally, the stop action doesn't check that condition.
Setting sysctl values should be done from /etc/sysctl.conf, not from rc.d scripts.
Comment by Nick Cardullo (kofrad) - Saturday, 04 June 2011, 15:51 GMT
I'm going to go ahead and agree, rc.d scripts should not set sysctl values. However, based on the integration between iptables and the kernel, it is probably required for NAT and routing features of iptables. Looking through my own /etc/rc.d/iptables, it appears that the setting is set based on IPTABLES_FORWARD (/etc/conf.d/iptables). There is no preference to the initial value of ip_forward, that may be considered the bug as it will always reset to 0 when stopping iptables. Once you start it back up, the value is read from /etc/conf.d/iptables again and set properly.
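The asymmetry described in the comment above (start enables ip_forward conditionally, stop writes 0 unconditionally) is easy to model. The script below is an added illustration, not the Arch /etc/rc.d/iptables script: it puts the buggy start/stop pair beside a version whose stop action restores whatever value was in place before start. IP_FORWARD_FILE and IP_FORWARD_SAVED default to constructed temp files so it runs without root; on a real system the first would be /proc/sys/net/ipv4/ip_forward, and IPTABLES_FORWARD stands in for the variable read from /etc/conf.d/iptables.

```shell
#!/bin/sh
# Added example modelling the ip_forward handling discussed in FS#24466.
# Not the Arch rc.d/iptables script. Paths default to constructed temp files
# so the script can run unprivileged; override IP_FORWARD_FILE to point at
# /proc/sys/net/ipv4/ip_forward on a real host.
: "${IP_FORWARD_FILE:=$(mktemp)}"
: "${IP_FORWARD_SAVED:=$(mktemp)}"
IPTABLES_FORWARD=1   # stands in for IPTABLES_FORWARD from /etc/conf.d/iptables

read_forward() { cat "$IP_FORWARD_FILE"; }

# Buggy pattern: start enables forwarding only if configured, but stop
# always writes 0, so a value the administrator set elsewhere is lost.
buggy_start() {
    [ "$IPTABLES_FORWARD" = 1 ] && echo 1 > "$IP_FORWARD_FILE"
    return 0
}
buggy_stop() {
    echo 0 > "$IP_FORWARD_FILE"
}

# Fixed pattern: start records the previous value before touching it,
# and stop restores that recorded value instead of assuming 0.
fixed_start() {
    read_forward > "$IP_FORWARD_SAVED"
    [ "$IPTABLES_FORWARD" = 1 ] && echo 1 > "$IP_FORWARD_FILE"
    return 0
}
fixed_stop() {
    if [ -s "$IP_FORWARD_SAVED" ]; then
        cat "$IP_FORWARD_SAVED" > "$IP_FORWARD_FILE"
        rm -f "$IP_FORWARD_SAVED"
    fi
}

# Simulate a restart with forwarding already enabled by the administrator.
demo() {
    echo 1 > "$IP_FORWARD_FILE"
    buggy_start; buggy_stop
    printf 'after buggy restart: ip_forward=%s\n' "$(read_forward)"
    echo 1 > "$IP_FORWARD_FILE"
    fixed_start; fixed_stop
    printf 'after fixed restart: ip_forward=%s\n' "$(read_forward)"
}
demo
```

Running it prints 0 for the buggy pair and 1 for the fixed pair. The save-and-restore variant is only a mitigation for a script that insists on managing the value; the cleaner fix the comments favour is for the rc.d script not to touch the sysctl at all and leave `net.ipv4.ip_forward` to /etc/sysctl.conf.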
Comment by Ronald van Haren (pressh) - Wednesday, 20 July 2011, 06:53 GMT
I'll take a look at the rc.d scripts and possibly rewrite it for the next version (so not the one that is currently in [testing]). I don't have time to properly change it now and give it a significant amount of testing.

We probably want to set a default value for ipv6 ip forwarding in /etc/sysctl.conf as well when we remove it from iptables.
