conntracd init.d reload is broken on Centos6

conntracd init.d reload is broken on Centos6

[Jason Hendry]

Hi,

Was not sure where to send this so hoping this is the right place.  We
am running Centos6 with conntrack-tools.  The reload option to the
conntrackd init.d script does not work due to a syntax error on the
killproc init function.

Bug:

[root@test-brfw01 ~]# /etc/init.d/conntrackd reload
Reloading conntrackd configuration: pidof: invalid options on command line!

pidof: invalid options on command line!

                                                           [FAILED]


Environment:

[root@test-brfw01 ~]# uname -a
Linux test-brfw01.london.mintel.ad 2.6.32-696.10.1.el6.x86_64 #1 SMP
Tue Aug 22 18:51:35 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

[root@test-brfw01 ~]# yum info conntrack-tools.x86_64
Loaded plugins: changelog, fastestmirror, priorities, rhnplugin,
security, versionlock
This system is receiving updates from RHN Classic or Red Hat Satellite.
Loading mirror speeds from cached hostfile
106 packages excluded due to repository priority protections
Installed Packages
Name        : conntrack-tools
Arch        : x86_64
Version     : 0.9.13
Release     : 3.el6
Size        : 403 k
Repo        : installed
>From repo   : el6_epel
Summary     : Tools to manipulate netfilter connection tracking table
URL         : http://netfilter.org
License     : GPLv2


Patch/Fix:

Index: conntrackd
===================================================================
--- conntrackd   (revision 46829)
+++ conntrackd   (working copy)
@@ -85,7 +85,7 @@
 # XXX: can conntrackd reload?
 reload() {
         echo -n $"Reloading $prog configuration: "
-        killproc -HUP $prog
+        killproc $prog -HUP
         retval=$?
         echo
         return $retval


If you prefer this be submitted somewhere else or in a different
format I am happy to do so.

Jason H
Senior Systems Administrator
+44 (0)203 416 4316

-- 

Mintel Group Ltd | 11 Pilgrim Street | London | EC4V 6RN
Registered in England: Number 1475918. | VAT Number: GB 232 9342 72

Contact details for our other offices can be found at 
http://www.mintel.com/office-locations.

This email and any attachments may include content that is confidential, 
privileged 
or otherwise protected under applicable law. Unauthorised disclosure, 
copying, distribution 
or use of the contents is prohibited and may be unlawful. If you have 
received this email in error,
including without appropriate authorisation, then please reply to the 
sender about the error 
and delete this email and any attachments.

Re: conntracd init.d reload is broken on Centos6

[Pablo Neira Ayuso]

On Thu, Nov 16, 2017 at 10:47:15AM +0000, Jason Hendry wrote:
> Hi,
> 
> Was not sure where to send this so hoping this is the right place.  We
> am running Centos6 with conntrack-tools.  The reload option to the
> conntrackd init.d script does not work due to a syntax error on the
> killproc init function.
[...]
> Index: conntrackd
> ===================================================================
> --- conntrackd   (revision 46829)
> +++ conntrackd   (working copy)
> @@ -85,7 +85,7 @@
>  # XXX: can conntrackd reload?
>  reload() {
>          echo -n $"Reloading $prog configuration: "
> -        killproc -HUP $prog
> +        killproc $prog -HUP
>          retval=$?
>          echo
>          return $retval
> 
> 
> If you prefer this be submitted somewhere else or in a different
> format I am happy to do so.

I think you have to send this to the CentOS people, I don't see such
script on our git tree.

Thanks.

Re: conntracd init.d reload is broken on Centos6

[Jason Hendry]

Turns out sending conntrackd a -HUP signal causes it to die. I can not
find any documentation/reference on what signals conntrackd accepts,
is there one to tell it to reload its config?  We are running
conntrackd 0.9.14

Can you also clarify the effect of restarting conntrackd, is it a safe
operation to do? Will it cause any interruption to connections? Will
it re-sync with the kernel state table? Will it re-sync with its peer?

Jason H
Senior Systems Administrator
+44 (0)203 416 4316


On 16 November 2017 at 13:25, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Thu, Nov 16, 2017 at 10:47:15AM +0000, Jason Hendry wrote:
>> Hi,
>>
>> Was not sure where to send this so hoping this is the right place.  We
>> am running Centos6 with conntrack-tools.  The reload option to the
>> conntrackd init.d script does not work due to a syntax error on the
>> killproc init function.
> [...]
>> Index: conntrackd
>> ===================================================================
>> --- conntrackd   (revision 46829)
>> +++ conntrackd   (working copy)
>> @@ -85,7 +85,7 @@
>>  # XXX: can conntrackd reload?
>>  reload() {
>>          echo -n $"Reloading $prog configuration: "
>> -        killproc -HUP $prog
>> +        killproc $prog -HUP
>>          retval=$?
>>          echo
>>          return $retval
>>
>>
>> If you prefer this be submitted somewhere else or in a different
>> format I am happy to do so.
>
> I think you have to send this to the CentOS people, I don't see such
> script on our git tree.
>
> Thanks.

-- 

Mintel Group Ltd | 11 Pilgrim Street | London | EC4V 6RN
Registered in England: Number 1475918. | VAT Number: GB 232 9342 72

Contact details for our other offices can be found at 
http://www.mintel.com/office-locations.

This email and any attachments may include content that is confidential, 
privileged 
or otherwise protected under applicable law. Unauthorised disclosure, 
copying, distribution 
or use of the contents is prohibited and may be unlawful. If you have 
received this email in error,
including without appropriate authorisation, then please reply to the 
sender about the error 
and delete this email and any attachments.

Re: conntracd init.d reload is broken on Centos6

[Arturo Borrero Gonzalez]

Please avoid top-posting.

On 17 November 2017 at 23:55, Jason Hendry <jhendry@mintel.com> wrote:
> Turns out sending conntrackd a -HUP signal causes it to die. I can not
> find any documentation/reference on what signals conntrackd accepts,
> is there one to tell it to reload its config?  We are running
> conntrackd 0.9.14
>

That's a very old version of conntrackd (8+ years ago?). Please use a
newer version.

ATM conntrackd is unable to reload config. This is something I would
like to improve in the future.

> Can you also clarify the effect of restarting conntrackd, is it a safe
> operation to do? Will it cause any interruption to connections? Will
> it re-sync with the kernel state table? Will it re-sync with its peer?
>

Connections are in the kernel and those are not affected by conntrackd restart.
Depending on your conntrackd config you may lose state updates which
are in the conntrackd cache but not in the kernel yet.
In newer versions of conntrackd there is a StartupResync option to
request resync with other node at startup.