Bug 405919 - net-firewall/conntrack-tools: init-script did not check kernel version for disabling tcp window tracking
Status: RESOLVED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Cédric Krier
Keywords: PATCH
Duplicates: 410091
Reported: 2012-02-26 16:11 UTC by Marcel Pennewiß
Modified: 2012-11-09 20:09 UTC
CC: 4 users


Attachments
conntrackd.initd-r1.patch (2.42 KB, patch)
2012-02-26 16:12 UTC, Marcel Pennewiß

Description Marcel Pennewiß 2012-02-26 16:11:33 UTC
TCP window tracking should be disabled when using a kernel < 2.6.22 (http://conntrack-tools.netfilter.org/manual.html#sync). Without TCP window tracking disabled, conntrackd did not start, although the running kernel was >= 2.6.22.

Reproducible: Always

Steps to Reproduce:
1. emerge net-firewall/conntrack-tools
2. /etc/init.d/conntrackd start
Actual Results:  
 * You need to disable TCP window tracking
 * Add the following line to your /etc/sysctl.conf:
 *   net.netfilter.nf_conntrack_tcp_be_liberal = 1
 * ...and run this to activate the setting: sysctl -q -p
 * ERROR: conntrackd failed to start

Expected Results:  
 * Starting conntrackd [ ok ]
Comment 1 Marcel Pennewiß 2012-02-26 16:12:13 UTC
Created attachment 303371 [details, diff]
conntrackd.initd-r1.patch

Init-script patch borrowing some code from the udev init script ;)
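The kernel-version-gated check that the attached patch is described as adding, written out as an added example in plain POSIX sh; this is not the patch from the attachment nor the ebuild's own init script, and the function names, the version strings in the comments and the assumption that `uname -r` and `sysctl -n` are available are mine.

```sh
#!/bin/sh
# Added example: only require nf_conntrack_tcp_be_liberal=1 on kernels
# older than 2.6.22, instead of refusing to start unconditionally.

# Return 0 (true) when dotted version $1 is older than $2. Compares the
# first three numeric components; a suffix such as "-gentoo-r1" is dropped.
kernel_older_than() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}   # "3.5" is treated as "3.5.0"
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Return 0 when conntrackd may start. $1 is the kernel release string
# (what `uname -r` prints), $2 is the current value of
# net.netfilter.nf_conntrack_tcp_be_liberal (what `sysctl -n` prints).
# Only kernels older than 2.6.22 need window tracking disabled (value 1).
window_tracking_ok() {
    if kernel_older_than "$1" 2.6.22 && [ "$2" != "1" ]; then
        return 1
    fi
    return 0
}

# The start-time check as an init script would run it (assumed wrapper);
# prints the hint quoted in the bug report only when it actually applies.
checkconfig() {
    kver=$(uname -r)
    val=$(sysctl -n net.netfilter.nf_conntrack_tcp_be_liberal 2>/dev/null)
    if ! window_tracking_ok "$kver" "$val"; then
        echo "You need to disable TCP window tracking" >&2
        echo "Add net.netfilter.nf_conntrack_tcp_be_liberal = 1 to /etc/sysctl.conf and run: sysctl -q -p" >&2
        return 1
    fi
    return 0
}
```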
Comment 2 kfm 2012-05-28 08:51:18 UTC
*** Bug 410091 has been marked as a duplicate of this bug. ***
Comment 3 kfm 2012-05-28 09:04:23 UTC
I ran into the same problem. I really think that the check should just be dropped; this is a marked example of what happens if a runscript tries to be too clever.

Consider the following:

* The requirement is clearly stated in the upstream documentation
* The chances of a Gentoo user wanting to use a kernel older than 2.6.22 are slim
* These sorts of checks and balances should be properly reviewed every time the ebuild receives a major version bump - otherwise they do more harm than good and we're better off without them.

In my view, it would be more constructive to look at how conntrackd behaves where it is started with window tracking requested *and* a < 2.6.22 kernel running. Does it ignore the window tracking option or refuse to start? Does it log anything? Why, exactly, do we need to hold the user's hand here? If it doesn't behave in a fashion amenable to problem resolution, we can ask Pablo Neira Ayuso to change it for the better. That way everyone benefits and we don't end up with situations such as this one, where the Gentoo package is effectively broken out of the box until - eventually - something gets done.

For this particular issue, it hardly seems worth the effort. Nobody in their right mind should be running a production firewall on any kernel older than the currently supported longterm release.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2012-09-06 14:38:51 UTC
I have followed up on Kerin's suggestion and put a 1.2.2-r1 ebuild in the tree that installs an init.d script with the exclusion of the TCP window tracking check.
Comment 5 Marcel Pennewiß 2012-11-09 20:09:34 UTC
Using your init script in our overlay for conntrack-tools-1.0.0 (no time for upgrade tests now ;)) works fine. Thanks!