关于CentOs sysctl -p 一个错误问题的解决

在CentOs6.5中执行sysctl -p的时候发现输出出现以下错误

[python]  view plain  copy

 print ?

1. # sysctl -p  
2. net.ipv4.ip_forward = 0  
3. net.ipv4.conf.default.rp_filter = 1  
4. net.ipv4.conf.default.accept_source_route = 0  
5. kernel.sysrq = 0  
6. kernel.core_uses_pid = 1  
7. net.ipv4.tcp_syncookies = 1  
8. error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key  
9. error: "net.bridge.bridge-nf-call-iptables" is an unknown key  
10. error: "net.bridge.bridge-nf-call-arptables" is an unknown key  
11. kernel.msgmnb = 65536  
12. kernel.msgmax = 65536  
13. kernel.shmmax = 68719476736  
14. kernel.shmall = 4294967296  

经过Google大神点击打开链接后来找到的了原因所在，原来以下3个参数依赖于bridge模块，该模块如果没有加载则会现上面的输出错误

[python]  view plain  copy

 print ?

1. error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key  
2. error: "net.bridge.bridge-nf-call-iptables" is an unknown key  
3. error: "net.bridge.bridge-nf-call-arptables" is an unknown key  

加载模块测试，发现问题解决

[plain]  view plain  copy

 print ?

1. # modprobe bridge  
2. # sysctl -p  
3. net.ipv4.ip_forward = 0  
4. net.ipv4.conf.default.rp_filter = 1  
5. net.ipv4.conf.default.accept_source_route = 0  
6. kernel.sysrq = 0  
7. kernel.core_uses_pid = 1  
8. net.ipv4.tcp_syncookies = 1  
9. net.bridge.bridge-nf-call-ip6tables = 0  
10. net.bridge.bridge-nf-call-iptables = 0  
11. net.bridge.bridge-nf-call-arptables = 0  
12. kernel.msgmnb = 65536  
13. kernel.msgmax = 65536  
14. kernel.shmmax = 68719476736  
15. kernel.shmall = 4294967296  

有人可能会好奇这三个值得意义所在，我在红帽官网找到了相关说明 点击打开链接

以下大致的意思主要说使用以上3个选项阻止桥接流量获得通过主机iptables规则，Netfilter是默认情况下启用了桥梁，如果不阻止会导致严重的混乱

netfilter is currently enabled on bridges by default. This means, for example, that IP packets that are forwarded across the bridge are filtered by the iptables FORWARD rules.

In practice, this can lead to serious confusion where someone creates a bridge and finds that some traffic isn't being forwarded across the bridge. Because it's so unexpected that IP firewall rules apply to frames on a bridge, it can take quite some time to figure out what's going on.

The libvirt wiki has this advice:

  <a target=_blank href="http://wiki.libvirt.org/page/Networking#Fedora.2FRHEL_Bridging" style="color: rgb(202, 0, 0); text-decoration: none;">http://wiki.libvirt.org/page/Networking#Fedora.2FRHEL_Bridging</a>

  The final step is to configure iptables to allow all traffic to be forwarded 
  across the bridge

  # echo "-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" > \
       /etc/sysconfig/iptables-forward-bridged
  # lokkit --custom-rules=ipv4:filter:/etc/sysconfig/iptables-forward-bridged
  # service libvirtd reload

  Alternatively, you can prevent bridged traffic getting pushed through the 
  host's iptables rules. In /etc/sysctl.conf add

  # cat >> /etc/sysctl.conf <<EOF
  net.bridge.bridge-nf-call-ip6tables = 0
  net.bridge.bridge-nf-call-iptables = 0
  net.bridge.bridge-nf-call-arptables = 0
  EOF
  # sysctl -p /etc/sysctl.conf

It sucks that people have to do this, especially since it's a very rare user who would be using iptables on a bridge for something useful.

I posted a patch to netdev which would have allowed us to disable it by default in our kernel builds:

  <a target=_blank href="http://patchwork.ozlabs.org/patch/29319/" style="color: rgb(202, 0, 0); text-decoration: none;">http://patchwork.ozlabs.org/patch/29319/</a>

The conclusion seems to be an agreement that distros should disable this, but using sysctl.conf instead

In the thread Herbert describes a security issue with the current default:

  I still think the risk with bridging is higher, especially
  in the presence of virtualisation.  Consider the scenario where you
  have to VMs on the one host, each with a dedicated bridge with the
  intention that neither should know anything about the other's
  traffic.

  With conntrack running as part of bridging, the traffic can now
  cross over which is a serious security hole.

and goes on to say:

  FWIW I don't really care what we have as the default for bridge
  netfilter.  I just want to make sure that people who do have
  bridge netfilter (and in particular, conntrack + bridge) active
  on their machines are aware of the security implications.  Otherwise
  we'd be negligent.

  As you said distros can change the default regardless of what
  the kernel does.



In summary, I think we should add the following to sysctl.conf:

  net.bridge.bridge-nf-call-ip6tables = 0
  net.bridge.bridge-nf-call-iptables = 0
  net.bridge.bridge-nf-call-arptables = 0

解决方法：

</pre></div>注：此错误可以忽视，也可以使用下面命令解决。<pre name="code" class="plain">[root@oracle11gr2 ]# modprobe bridge


[root@oracle11gr2 ]# lsmod |grep bridge
bridge                 48077  0
stp                     2067  1 bridge
llc                     5352  2 bridge,stp

[root@oracle11gr2 Packages]# sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 2576980377
kernel.shmall = 2097152
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
fs.file-max = 6815744
fs.aio-max-nr = 1048576
net.ipv4.ip_local_port_range = 9000 65500
net.core.rmem_default = 4194304
net.core.rmem_max = 4194304
net.core.wmem_default = 1048576
net.core.wmem_max = 1048576