iptables stop/start vs restart ...

Linux Netfilter discussions
 help / color / mirror / Atom feed

* iptables stop/start vs restart ...
@ 2005-09-29  9:50 Chicken of the Apocalypse
  2005-09-29 10:34 ` John A. Sullivan III
  2005-09-29 12:16 ` Sai Kiran
  0 siblings, 2 replies; 6+ messages in thread
From: Chicken of the Apocalypse @ 2005-09-29  9:50 UTC (permalink / raw)
  To: netfilter

Hi All,

Simple problem, although I'm sure it's been raised before and I need to search harder!

I've got a basic setup/configuration of iptables-1.2.11-3.1 running on 2.6.10-1.766_FC3smp with one change in the /etc/sysconfig/iptables-config file. I increase the hashsize using:
/sbin/modprobe ip_conntrack hashsize=32767.

If I run service iptables stop/start and then cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets the value is 32767. If I run service iptables restart the value in the file goes back to default. I've noticed the same in a power failure scenario where the machine lost power and on reboot didn't change the hashsize.
I've had a quick look through /etc/init.d/tideway and as far as I can tell a restart just runs a stop and start. I'm assuming some sort of save/restore flag is or isn't set and this is causing the problem during a restart or power cut.

I need to ensure that the correct hashsize is always set. Any have any ideas?

Thanks

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: iptables stop/start vs restart ...
  2005-09-29  9:50 iptables stop/start vs restart Chicken of the Apocalypse
@ 2005-09-29 10:34 ` John A. Sullivan III
  2005-09-29 10:48   ` Chicken of the Apocalypse
  2005-09-29 12:16 ` Sai Kiran
  1 sibling, 1 reply; 6+ messages in thread
From: John A. Sullivan III @ 2005-09-29 10:34 UTC (permalink / raw)
  To: Chicken of the Apocalypse; +Cc: netfilter

On Thu, 2005-09-29 at 10:50 +0100, Chicken of the Apocalypse wrote:
> Hi All,
>  
> Simple problem, although I'm sure it's been raised before and I need to search harder!
>  
> I've got a basic setup/configuration of iptables-1.2.11-3.1 running on 2.6.10-1.766_FC3smp with one change in the /etc/sysconfig/iptables-config file. I increase the hashsize using:
> /sbin/modprobe ip_conntrack hashsize=32767.
>  
> If I run service iptables stop/start and then cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets the value is 32767. If I run service iptables restart the value in the file goes back to default. I've noticed the same in a power failure scenario where the machine lost power and on reboot didn't change the hashsize.
> I've had a quick look through /etc/init.d/tideway and as far as I can tell a restart just runs a stop and start. I'm assuming some sort of save/restore flag is or isn't set and this is causing the problem during a restart or power cut.
>  
> I need to ensure that the correct hashsize is always set. Any have any ideas?
>  
> Thanks
Can you use the options parameter in modprobe.conf rather than
specifying the option on the command line? - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: iptables stop/start vs restart ...
  2005-09-29 10:34 ` John A. Sullivan III
@ 2005-09-29 10:48   ` Chicken of the Apocalypse
  2005-09-29 13:02     ` John A. Sullivan III
  0 siblings, 1 reply; 6+ messages in thread
From: Chicken of the Apocalypse @ 2005-09-29 10:48 UTC (permalink / raw)
  To: netfilter

Hi John,

> Can you use the options parameter in modprobe.conf
> rather than specifying the option on the command 
> line? - John

I can, not sure of what the format would be?

Thanks


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: iptables stop/start vs restart ...
  2005-09-29 10:48   ` Chicken of the Apocalypse
@ 2005-09-29 13:02     ` John A. Sullivan III
  2005-09-29 15:54       ` Chicken of the Apocalypse
  0 siblings, 1 reply; 6+ messages in thread
From: John A. Sullivan III @ 2005-09-29 13:02 UTC (permalink / raw)
  To: Chicken of the Apocalypse; +Cc: netfilter

On Thu, 2005-09-29 at 11:48 +0100, Chicken of the Apocalypse wrote:
> Hi John,
> 
> > Can you use the options parameter in modprobe.conf
> > rather than specifying the option on the command 
> > line? - John
> 
> I can, not sure of what the format would be?
> 
> Thanks
> 
I'm not entirely sure since I don't do it myself but you can check man
modprobe.conf.  It is probably something like:

options ip_conntrack hashsize=32767
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: iptables stop/start vs restart ...
  2005-09-29 13:02     ` John A. Sullivan III
@ 2005-09-29 15:54       ` Chicken of the Apocalypse
  0 siblings, 0 replies; 6+ messages in thread
From: Chicken of the Apocalypse @ 2005-09-29 15:54 UTC (permalink / raw)
  To: netfilter

Thanks both for the replies.

--- "John A. Sullivan III"
<jsullivan@opensourcedevel.com> wrote:
> I'm not entirely sure since I don't do it myself but
> you can check man modprobe.conf.  It is probably 
> something like:
> 
> options ip_conntrack hashsize=32767

I checked the man page and your command was right.
I've tested it and works perfectly.

Thanks again!




> -- 
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan@opensourcedevel.com
> 
> If you would like to participate in the development
> of an open source
> enterprise class network security management system,
> please visit
> http://iscs.sourceforge.net
> 
> 



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: iptables stop/start vs restart ...
  2005-09-29  9:50 iptables stop/start vs restart Chicken of the Apocalypse
  2005-09-29 10:34 ` John A. Sullivan III
@ 2005-09-29 12:16 ` Sai Kiran
  1 sibling, 0 replies; 6+ messages in thread
From: Sai Kiran @ 2005-09-29 12:16 UTC (permalink / raw)
  To: Chicken of the Apocalypse; +Cc: netfilter

hi,

> /sbin/modprobe ip_conntrack hashsize=32767.


>/proc/sys/net/ipv4/netfilter/ip_conntrack_buckets the value is 32767.
If I run service iptables

try putting the following line into /etc/sysctl.conf


net.ipv4.netfilter.ip_conntrack_buckets = 32767

and try adding the following cmd to iptables script in /etc/rc.d/init.d

/sbin/sysctl -p


hope this would update the values.


regards,
kiran


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2005-09-29 15:54 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-09-29  9:50 iptables stop/start vs restart Chicken of the Apocalypse
2005-09-29 10:34 ` John A. Sullivan III
2005-09-29 10:48   ` Chicken of the Apocalypse
2005-09-29 13:02     ` John A. Sullivan III
2005-09-29 15:54       ` Chicken of the Apocalypse
2005-09-29 12:16 ` Sai Kiran

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox