Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#38977 - sysctl variables for iptables are not changed after reboot
Attached to Project: Arch Linux
Opened by Anatoly (fantom) - Friday, 21 February 2014, 12:59 GMT
Last edited by Dave Reisner (falconindy) - Friday, 21 February 2014, 15:04 GMT
Description:
sysctl variables are not applied.

Additional info:
* package version(s)

    pacman -Qi iptables
    Name           : iptables
    Version        : 1.4.21-1
    Description    : Linux kernel packet control tool
    Architecture   : x86_64
    URL            : http://www.netfilter.org/projects/iptables/index.html
    Licenses       : GPL2
    Groups         : None
    Provides       : None
    Depends On     : glibc  bash
    Optional Deps  : None
    Required By    : iproute2
    Optional For   : None
    Conflicts With : None
    Replaces       : None
    Installed Size : 1492.00 KiB
    Packager       : Ronald van Haren <ronald@archlinux.org>
    Build Date     : Tue Dec 10 22:49:14 2013
    Install Date   : Thu Feb 20 15:33:59 2014
    Install Reason : Installed as a dependency for another package
    Install Script : No
    Validated By   : Signature

Steps to reproduce:

    # sysctl net.netfilter.nf_conntrack_max
    net.netfilter.nf_conntrack_max = 65535
    # echo "net.netfilter.nf_conntrack_max=70000" > /etc/sysctl.d/91-net-var.conf
    # reboot

After rebooting:

    # sysctl net.netfilter.nf_conntrack_max
    net.netfilter.nf_conntrack_max = 65535

Solution:
Modify file /usr/lib/systemd/system/iptables.service and add the line

    ExecStartPost=/usr/bin/systemctl restart systemd-sysctl.service

Final /etc/systemd/system/iptables.service:

    # cat /etc/systemd/system/iptables.service
    [Unit]
    Description=Packet Filtering Framework

    [Service]
    Type=oneshot
    ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules
    ExecStartPost=/usr/bin/systemctl restart systemd-sysctl.service
    ExecReload=/usr/bin/iptables-restore /etc/iptables/iptables.rules
    ExecStop=/usr/lib/systemd/scripts/iptables-flush
    RemainAfterExit=yes

    [Install]
    WantedBy=multi-user.target

P.S. When systemd-sysctl.service starts, iptables is not running and the variable "net.netfilter.nf_conntrack_max" does not exist.
Closed by Dave Reisner (falconindy)
Friday, 21 February 2014, 15:04 GMT
Reason for closing: Not a bug
Additional comments about closing: Load the modules explicitly if you need them available to set sysctl options.
Comment by Daniel Micay (thestinger) - Friday, 21 February 2014, 13:03 GMT
I don't think this is really a bug. The sysctl settings appear after loading the modules, so if you want the settings to be available when sysctl is run then you need to load the modules manually rather than having them load lazily when the iptables service starts. The iptables service doesn't actually *start* iptables, but rather just loads a set of rules. It happens to cause the modules to load, but the service isn't required for that.
Comment by Dave Reisner (falconindy) - Friday, 21 February 2014, 15:03 GMT
Agreed with the above. Your "fix" isn't really appropriate anyways, since you shouldn't be calling systemctl from a unit.
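The closing advice (load the module explicitly via modules-load.d rather than restarting systemd-sysctl from the iptables unit) still leaves an admin wanting to know, after a reboot, which sysctl.d keys went unset because their node did not yet exist. The script below is an added example, not code from this report or from Arch: it parses sysctl.d drop-ins, covering the '-' prefix and both the dot and slash key forms from sysctl.d(5), and reports keys with no backing node under /proc/sys; SAMPLE_CONF is a constructed file and the interface name in it is made up.

```python
"""Audit sysctl.d drop-ins for keys whose /proc/sys node is absent (added example).
Right after boot, a key listed in sysctl.d with no node under /proc/sys is one
systemd-sysctl could not set, typically because the module providing it
(nf_conntrack for net.netfilter.*) was not loaded yet."""

import glob
import os

# Constructed sample drop-in (not from the report): one conntrack key, one plain
# key, and one '-'-prefixed key whose failure systemd-sysctl would ignore.
SAMPLE_CONF = """# 91-net-var.conf
net.netfilter.nf_conntrack_max = 70000
net.ipv4.ip_forward=1
-net.ipv4.conf.enp3s0/200.rp_filter = 1
"""

def sysctl_path(key):
    """Map a sysctl key to its relative path under /proc/sys.
    Per sysctl.d(5): if the first separator is '/', the key is used as-is;
    if it is '.', dots and slashes are swapped (so 'a.b/c.d' -> 'a/b.c/d')."""
    dot, slash = key.find("."), key.find("/")
    if slash != -1 and (dot == -1 or slash < dot):
        return key.strip("/")
    return key.translate(str.maketrans("./", "/."))

def parse_sysctl_text(text):
    """Return (key, value, ignore_failure) tuples; comments and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        entries.append((key.lstrip("-"), value.strip(), key.startswith("-")))
    return entries

def missing_keys(entries, proc_sys="/proc/sys", exists=os.path.exists):
    """Keys (in file order) whose node under proc_sys does not exist right now."""
    return [k for k, _, _ in entries
            if not exists(os.path.join(proc_sys, sysctl_path(k)))]

def audit(conf_dir="/etc/sysctl.d", proc_sys="/proc/sys"):
    """Parse every *.conf in conf_dir and report keys with no backing node."""
    entries = []
    for path in sorted(glob.glob(os.path.join(conf_dir, "*.conf"))):
        with open(path) as fh:
            entries.extend(parse_sysctl_text(fh.read()))
    return missing_keys(entries, proc_sys)

if __name__ == "__main__":
    for key in audit():
        print(f"{key}: no /proc/sys node; load its module via /etc/modules-load.d")
```

Run it as root shortly after boot: any key it lists needs its module named in a /etc/modules-load.d/*.conf file so that it is present before systemd-sysctl.service runs.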