Resolving a sysctl error on RHEL 6.3
Source: Internet | Published: 比知乎的质量高的平台 | Editor: 程序博客网 | Time: 2024/06/11 17:27
While running sysctl -p on RHEL 6.3, I found the following errors in the output:

    # sysctl -p
    net.ipv4.ip_forward = 0
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.default.accept_source_route = 0
    kernel.sysrq = 0
    kernel.core_uses_pid = 1
    net.ipv4.tcp_syncookies = 1
    error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
    error: "net.bridge.bridge-nf-call-iptables" is an unknown key
    error: "net.bridge.bridge-nf-call-arptables" is an unknown key
    kernel.msgmnb = 65536
    kernel.msgmax = 65536
    kernel.shmmax = 68719476736
    kernel.shmall = 4294967296
A web search turned up the cause: these three keys are registered by the bridge kernel module. When the module is not loaded, the files do not exist under /proc/sys/net/bridge/, so sysctl reports the keys as unknown:

    error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
    error: "net.bridge.bridge-nf-call-iptables" is an unknown key
    error: "net.bridge.bridge-nf-call-arptables" is an unknown key

(On the RHEL 6 2.6.32 kernel the bridge netfilter hooks are part of the bridge module itself. On kernels from Linux 3.18 onward they were split into a separate br_netfilter module, which must be loaded with modprobe br_netfilter before these keys appear.)
Loading the module and rerunning sysctl confirmed the fix:

    # modprobe bridge
    # sysctl -p
    net.ipv4.ip_forward = 0
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.default.accept_source_route = 0
    kernel.sysrq = 0
    kernel.core_uses_pid = 1
    net.ipv4.tcp_syncookies = 1
    net.bridge.bridge-nf-call-ip6tables = 0
    net.bridge.bridge-nf-call-iptables = 0
    net.bridge.bridge-nf-call-arptables = 0
    kernel.msgmnb = 65536
    kernel.msgmax = 65536
    kernel.shmmax = 68719476736
    kernel.shmall = 4294967296
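As an added example (not code from the original post), the following POSIX shell script turns the diagnosis above into something that can be automated: it checks each key of a sysctl.conf-style file against /proc/sys before writing it, loads the bridge netfilter module when net.bridge.* keys are configured but not yet exposed, and applies the remaining keys one at a time so an unknown key is reported and skipped instead of failing the run. The PROC_SYS override (which lets the checks run against a constructed directory tree without root), the function names and the br_netfilter fallback are assumptions of this example, not something the post describes.

```shell
#!/bin/sh
# Added example (not code from the original post): apply a sysctl.conf-style
# file key by key, checking each key against /proc/sys first, and load the
# bridge netfilter module when net.bridge.* keys are configured but absent,
# so a missing module yields a clear report instead of sysctl's
# '"..." is an unknown key' errors.
#
# Assumption (not from the page): PROC_SYS may be overridden so the checks
# can be exercised against a constructed directory tree without root.

PROC_SYS="${PROC_SYS:-/proc/sys}"

# Map a dotted key to the file sysctl(8) would write, e.g.
# net.bridge.bridge-nf-call-iptables -> /proc/sys/net/bridge/bridge-nf-call-iptables
# Caveat: every '.' becomes '/', so a key embedding a dotted interface name
# (net.ipv4.conf.eth0.10.rp_filter) is mistranslated; sysctl(8) has the same
# ambiguity unless '/' separators are used for such keys.
sysctl_key_to_path() {
    printf '%s/%s\n' "$PROC_SYS" "$(printf '%s' "$1" | tr . /)"
}

# Emit "key value" for each "key = value" line, dropping comment lines
# (starting with '#' or ';'), blank lines and lines without '='.
sysctl_conf_entries() {
    sed -e '/^[[:space:]]*[#;]/d' -e '/^[[:space:]]*$/d' -e '/=/!d' \
        -e 's/^[[:space:]]*\([^=[:space:]]*\)[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1 \2/' \
        "$1"
}

# List configured keys that the running kernel does not expose.
missing_sysctl_keys() {
    sysctl_conf_entries "$1" | while read -r key value; do
        [ -e "$(sysctl_key_to_path "$key")" ] || printf '%s\n' "$key"
    done
}

# net.bridge.* keys exist only once the bridge netfilter code is loaded:
# on RHEL 6 (2.6.32) that code is part of the bridge module; since Linux 3.18
# it is the separate br_netfilter module (absent on older kernels).
load_bridge_netfilter() {
    modprobe bridge 2>/dev/null || return 1
    modprobe br_netfilter 2>/dev/null || true
}

# Apply the file one key at a time; unknown keys are reported and skipped
# rather than aborting the run. Returns non-zero if any key was skipped.
apply_sysctl_conf() {
    conf="$1"
    if missing_sysctl_keys "$conf" | grep -q '^net\.bridge\.'; then
        load_bridge_netfilter || echo "warning: could not load bridge netfilter module" >&2
    fi
    sysctl_conf_entries "$conf" | while read -r key value; do
        path="$(sysctl_key_to_path "$key")"
        if [ -e "$path" ]; then
            printf '%s\n' "$value" > "$path" && printf '%s = %s\n' "$key" "$value"
        else
            printf 'skipped: "%s" is not exposed by this kernel\n' "$key" >&2
        fi
    done
    [ -z "$(missing_sysctl_keys "$conf")" ]
}

# Usage (as root): sh apply-sysctl.sh /etc/sysctl.conf
if [ "$#" -gt 0 ]; then
    apply_sysctl_conf "$1"
fi
```

Run it as root with the configuration file as its argument. Two practical points follow from the post: at boot the module must already be loaded when the file is applied, so persist the modprobe (on RHEL 6, for example as a script under /etc/sysconfig/modules/) rather than relying on having run it by hand; and sysctl -e -p makes sysctl itself skip unknown keys with a warning, which silences the error but still leaves the value unset.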
Some readers may wonder what these three values mean. I found the relevant explanation on the Red Hat website.
In short: by default netfilter hooks into bridges, so frames forwarded across a bridge are also run through the host's iptables rules (the FORWARD chain). Setting the three keys to 0 stops bridged traffic from being pushed through those rules. Leaving the default enabled causes serious confusion, and, as the quoted discussion below points out, with connection tracking it can let traffic cross between guests that were meant to be isolated on separate bridges. The trade-off to keep in mind is that with the keys at 0 the host's iptables can no longer be used to police traffic between guests on the same bridge; that filtering has to be done with ebtables (or the bridge-family rules of a later firewall stack) instead.
netfilter is currently enabled on bridges by default. This means, for example, that IP packets that are forwarded across the bridge are filtered by the iptables FORWARD rules.

In practice, this can lead to serious confusion where someone creates a bridge and finds that some traffic isn't being forwarded across the bridge. Because it's so unexpected that IP firewall rules apply to frames on a bridge, it can take quite some time to figure out what's going on.

The libvirt wiki has this advice:

    http://wiki.libvirt.org/page/Networking#Fedora.2FRHEL_Bridging

    The final step is to configure iptables to allow all traffic to be forwarded across the bridge

        # echo "-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" > \
            /etc/sysconfig/iptables-forward-bridged
        # lokkit --custom-rules=ipv4:filter:/etc/sysconfig/iptables-forward-bridged
        # service libvirtd reload

    Alternatively, you can prevent bridged traffic getting pushed through the host's iptables rules. In /etc/sysctl.conf add

        # cat >> /etc/sysctl.conf <<EOF
        net.bridge.bridge-nf-call-ip6tables = 0
        net.bridge.bridge-nf-call-iptables = 0
        net.bridge.bridge-nf-call-arptables = 0
        EOF
        # sysctl -p /etc/sysctl.conf

It sucks that people have to do this, especially since it's a very rare user who would be using iptables on a bridge for something useful.

I posted a patch to netdev which would have allowed us to disable it by default in our kernel builds:

    http://patchwork.ozlabs.org/patch/29319/

The conclusion seems to be an agreement that distros should disable this, but using sysctl.conf instead.

In the thread Herbert describes a security issue with the current default:

    I still think the risk with bridging is higher, especially in the presence of virtualisation. Consider the scenario where you have two VMs on the one host, each with a dedicated bridge with the intention that neither should know anything about the other's traffic.

    With conntrack running as part of bridging, the traffic can now cross over which is a serious security hole.

and goes on to say:

    FWIW I don't really care what we have as the default for bridge netfilter. I just want to make sure that people who do have bridge netfilter (and in particular, conntrack + bridge) active on their machines are aware of the security implications. Otherwise we'd be negligent. As you said distros can change the default regardless of what the kernel does.

In summary, I think we should add the following to sysctl.conf:

    net.bridge.bridge-nf-call-ip6tables = 0
    net.bridge.bridge-nf-call-iptables = 0
    net.bridge.bridge-nf-call-arptables = 0