[Firehol-support] Răspuns: firehol dual-stack and service helpers
Mihai Hanor
mhanor at yahoo.com
Sun Nov 20 11:46:20 GMT 2016
Hi Phil,
You were right, the kernel parameter can be set after the nf_conntrack module is loaded. Before loading it, sysctl -a doesn't show any of the nf_conntrack kernel variables. For some reason, setting 'require_kernel_module nf_conntrack' at the top of the firehol.conf file doesn't help, but I've put it in /etc/modules and now firehol is able to set nf_conntrack_helper to 1 at boot. I'm also not sure why the kernel loads all the helper modules, I can't yet reproduce it on my virtual machine.
Thanks,Mihai
De la: Phil Whineray <phil at firehol.org>
Către: Mihai Hanor <mhanor at yahoo.com>
Cc: "firehol-support at lists.firehol.org" <firehol-support at lists.firehol.org>
Trimis: Duminică, 20 Noiembrie 2016 11:22:05
Subiect: Re: Răspuns: [Firehol-support] Răspuns: firehol dual-stack and service helpers
Hi Mihai
On Sun, Nov 20, 2016 at 02:18:28AM +0000, Mihai Hanor wrote:
> I have found the cause. Newer kernels have the connection tracking
> disabled by default and (for some reason)
> setting net.netfilter.nf_conntrack_helper to 1 fails at boot. I think
> firehol does try to set it, I also added a .conf file in
> /etc/sysctl.d/, then edited /etc/sysctl.conf, I don't know why it
> fails. The client4 statement had nothing to do with the fix, running
> firehol again was actually setting the kernel parameter to 1, that's
> why it was working until reboot. I don't know why, the virtual machine
> also has it set to 0, but the ftp data connection gets established with
> success, most times.
Glad you found the cause; thanks for letting us know.
Does Sid list specify nf_conntrack_helper=0 as a value when loading the
module? You might be able to change that. If the module is loaded after
sysctl.conf is processed, that would explain why that does not seem to work.
I am not sure what could be preventing the setting of the value, though.
Perhaps something like apparmor (but then why would it work on a second
attempt?).
Hope that helps a bit
Phil
More information about the Firehol-support
mailing list