[Firehol-support] Reply: firehol dual-stack and service helpers

Mihai Hanor mhanor at yahoo.com
Sun Nov 20 12:46:20 CET 2016


Hi Phil,
You were right, the kernel parameter can be set after the nf_conntrack module is loaded. Before loading it, sysctl -a doesn't show any of the nf_conntrack kernel variables. For some reason, setting 'require_kernel_module nf_conntrack' at the top of the firehol.conf file doesn't help, but I've put it in /etc/modules and now firehol is able to set nf_conntrack_helper to 1 at boot. I'm also not sure why the kernel loads all the helper modules; I can't yet reproduce it on my virtual machine.
Thanks,
Mihai

From: Phil Whineray <phil at firehol.org>
To: Mihai Hanor <mhanor at yahoo.com>
Cc: "firehol-support at lists.firehol.org" <firehol-support at lists.firehol.org>
Sent: Sunday, 20 November 2016 11:22:05
Subject: Re: Reply: [Firehol-support] Reply: firehol dual-stack and service helpers
   
Hi Mihai

On Sun, Nov 20, 2016 at 02:18:28AM +0000, Mihai Hanor wrote:
> I have found the cause. Newer kernels have the connection tracking 
> disabled by default and (for some reason) 
> setting net.netfilter.nf_conntrack_helper to 1 fails at boot. I think 
> firehol does try to set it, I also added a .conf file in 
> /etc/sysctl.d/, then edited /etc/sysctl.conf, I don't know why it 
> fails. The client4 statement had nothing to do with the fix, running 
> firehol again was actually setting the kernel parameter to 1, that's 
> why it was working until reboot. I don't know why, the virtual machine 
> also has it set to 0, but the ftp data connection gets established with 
> success, most times.

Glad you found the cause; thanks for letting us know.

Does Sid list specify nf_conntrack_helper=0 as a value when loading the
module? You might be able to change that. If the module is loaded after
sysctl.conf is processed, that would explain why that does not seem to work.

I am not sure what could be preventing the setting of the value, though.
Perhaps something like apparmor (but then why would it work on a second
attempt?).

Hope that helps a bit

Phil
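The ordering problem discussed in this thread, as an added example that is not FireHOL's code and was not posted by either participant: net.netfilter.nf_conntrack_helper does not exist under /proc/sys until nf_conntrack is loaded, so a sysctl.conf entry applied before the module is loaded fails, while a later FireHOL run succeeds. The script below makes that visible: it checks for the key, loads the module if the key is absent, and only then writes the value. SYSCTL_ROOT and MODPROBE are assumed hooks (not real kernel or FireHOL settings) so the logic can be exercised without root; the persistent file names in the comments are likewise suggestions to adapt to your distribution.

```shell
#!/bin/sh
# Added example, not part of FireHOL or of the thread above.
# SYSCTL_ROOT / MODPROBE are assumed override hooks for testing without root.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"
MODPROBE="${MODPROBE:-modprobe}"

# Map a sysctl key (dots) to its /proc/sys path (slashes).
sysctl_path() {
    printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# True only once the module that owns the key has been loaded.
sysctl_present() {
    [ -f "$(sysctl_path "$1")" ]
}

# Print the current value; fails (like sysctl does) if the key is absent.
sysctl_get() {
    cat "$(sysctl_path "$1")" 2>/dev/null
}

# Set KEY to VALUE, loading MODULE first when the key is not there yet.
# Prints "set" on success or "absent" (exit 1) if the key never appears,
# so a boot script can log the failure instead of silently skipping it.
ensure_sysctl() {
    key="$1"; value="$2"; module="$3"
    if ! sysctl_present "$key"; then
        "$MODPROBE" "$module" || return 1
    fi
    if ! sysctl_present "$key"; then
        echo absent
        return 1
    fi
    printf '%s\n' "$value" > "$(sysctl_path "$key")" || return 1
    echo set
}

# Persistent equivalent of what the thread ended up with (assumed file
# names; /etc/modules is what Mihai used, modules-load.d is the systemd form):
#   /etc/modules-load.d/nf_conntrack.conf      ->  nf_conntrack
#   /etc/sysctl.d/90-conntrack-helper.conf     ->  net.netfilter.nf_conntrack_helper = 1
# Alternatively have the module apply it at load time, which cannot be too early:
#   /etc/modprobe.d/nf_conntrack.conf          ->  options nf_conntrack nf_conntrack_helper=1

# Run as "sh this.sh apply" (as root) to perform the real change.
if [ "${1:-}" = apply ]; then
    ensure_sysctl net.netfilter.nf_conntrack_helper 1 nf_conntrack
fi
```

Two caveats worth keeping in mind before turning this on: the kernel ships with nf_conntrack_helper=0 on purpose, because automatic helper assignment lets any flow on a helper's port (FTP on 21, for example) have its payload parsed and related pinholes opened; the upstream-recommended alternative is to attach helpers explicitly to the traffic you expect, for example `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`. Recent kernels (6.0 onward) removed the automatic-assignment toggle altogether, so on those systems the explicit CT rule is the only option.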
