Arch Linux


FS#3530 - ip_forward is overwritten after iptables start

Attached to Project: Arch Linux
Opened by Not Important (pholie) - Sunday, 27 November 2005, 19:44 GMT
Task Type: Bug Report
Category: System
Status: Closed
Assigned To: No-one
Architecture: not specified
Severity: High
Priority: Normal
Reported Version: 0.7 Wombat
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

I use masquerading with iptables on my system; iptables is in the DAEMONS array in rc.conf. The rc.d/iptables script writes "1" into /proc/sys/net/ipv4/ip_forward after it is started (I made the script more verbose to make sure it does, and yes, it does), but then something changes the content of ip_forward back to 0. I don't know which process does it, but this makes my masquerading not work. I need to restart iptables every time, even though it is already started. When starting iptables manually, this problem doesn't occur.
Related BBS thread where another user describes the same problem:

http://bbs.archlinux.org/viewtopic.php?t=16658&start=0&postdays=0&postorder=asc&highlight=

Closed by Judd Vinet (judd)
Monday, 28 November 2005, 19:15 GMT
Reason for closing: Fixed
Comment by Not Important (pholie) - Sunday, 27 November 2005, 20:04 GMT
I found out sysctl is started after daemons from rc.multi:
# Load sysctl variables if sysctl.conf is present
[ -r /etc/sysctl.conf ] && /sbin/sysctl -q -p &>/dev/null

The thing is, there is
# Disable packet forwarding
net.ipv4.ip_forward=0

in sysctl.conf. Shouldn't the iptables script modify sysctl.conf too and not only ip_forward? I'm not a kernel/system hacker, so I don't know which one has higher priority or what. I just want it to be working correctly :)
Comment by Jürgen Hötzel (juergen) - Sunday, 27 November 2005, 22:07 GMT
Yes, kernel configuration via sysctl should be done before starting any daemons (Think about a database system which needs more shared memory or semaphores via sysctl).

Configuration files should not be modified by services like iptables.

Jürgen
Comment by Judd Vinet (judd) - Monday, 28 November 2005, 19:15 GMT
Ah, good bug.

I've moved sysctl stuff to precede daemon startup in rc.multi. The next initscripts build will have this change.
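The ordering problem described in this report, reproduced as an added example (this is not Arch's initscripts code): a throwaway directory stands in for /proc/sys and /etc/sysctl.conf, a small function stands in for `sysctl -p` and another for what rc.d/iptables did at start, so the script runs unprivileged and touches no real kernel setting. The file layout, the sysctl.conf contents (copied from the comment above) and the function names are all constructed for this demonstration. Running the two steps in the old rc.multi order leaves ip_forward at 0; running them in the order Judd switched to leaves it at 1.

```shell
#!/bin/sh
# Simulated root: nothing here touches the real /proc/sys or /etc.
SIM="$(mktemp -d)"
trap 'rm -rf "$SIM"' EXIT
PROC="$SIM/proc/sys/net/ipv4"
SYSCTL_CONF="$SIM/etc/sysctl.conf"
mkdir -p "$PROC" "$SIM/etc"
echo 0 > "$PROC/ip_forward"   # kernel default: forwarding off

# Constructed sysctl.conf, matching the lines quoted in the report.
printf '# Disable packet forwarding\nnet.ipv4.ip_forward=0\n' > "$SYSCTL_CONF"

# Stand-in for `sysctl -p`: apply every key=value line from sysctl.conf,
# mapping dotted keys (net.ipv4.ip_forward) to paths under the simulated /proc/sys.
sim_sysctl_p() {
    grep -v '^#' "$SYSCTL_CONF" | grep '=' | while IFS='=' read -r key value; do
        path="$SIM/proc/sys/$(printf '%s' "$key" | tr '.' '/')"
        if [ -e "$path" ]; then
            printf '%s\n' "$value" > "$path"
        fi
    done
}

# Stand-in for what rc.d/iptables did when started: enable forwarding directly.
sim_iptables_start() {
    echo 1 > "$PROC/ip_forward"
}

# Old rc.multi order (before the fix): daemons first, then sysctl.conf is loaded,
# so the "0" from sysctl.conf overwrites the "1" the iptables script just wrote.
run_old_order() {
    echo 0 > "$PROC/ip_forward"
    sim_iptables_start
    sim_sysctl_p
    cat "$PROC/ip_forward"
}

# Fixed order from the closing comment: sysctl.conf first, then daemons,
# so a daemon that needs a different kernel setting gets the last word.
run_fixed_order() {
    echo 0 > "$PROC/ip_forward"
    sim_sysctl_p
    sim_iptables_start
    cat "$PROC/ip_forward"
}

# On a real system the equivalent check after boot is: sysctl net.ipv4.ip_forward
printf 'old order   -> ip_forward=%s (masquerading broken)\n' "$(run_old_order)"
printf 'fixed order -> ip_forward=%s\n' "$(run_fixed_order)"
```

The same sequence explains Jürgen's point about configuration files: the fix is to load sysctl.conf before any daemon starts, not to have rc.d/iptables edit sysctl.conf, since a service that rewrites the administrator's settings file would silently change what every later boot does.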
