Home / server / Questions / 477718
Accepted
Mohammad Ali Akbari
Asked: 2013-02-12 09:55:46 +0800 CST

sysctl -p /etc/sysctl.conf returns error

  • 772

In a fresh installation of CenotOS 6 in a VPS after running sysctl -p /etc/sysctl.conf I got this errors:

error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key

What is the starting point to solving this errors?

centos6

5 Answers

  1. Try:

    modprobe bridge
lsmod | grep bridge

    You don't the those modules loaded into the kernel.

    • 6

  2. There are several bugreports about this on Red Hat Bugzilla, for example here, here and here.

    Just remove the lines or run sysctl -e -p instead of sysctl -p.

    • 6

  3. You get the errors because you do not have the bridge kernel module loaded. Three choices:

    1. Load the module if you need it
    2. Comment those lines out from /etc/sysctl.conf
    3. Let sysctl ignore the errors by giving it the -e flag.
    • 3
  4. Best Answer

    You mention in your question that you are using a VPS. What kind of VPS? It sounds like you are in a OpenVZ VPS. If it is OpenVZ, it is sharing the kernel among many containers like yours and you cannot change the kernel configuration per container but directly on the host. I actually build a litlle OpenVZ centos container and I tried to apply the kernel config net.bridge.bridge-nf-call-ip6tables = 0 followed by sysctl -p and I got the same error as you do. If you really need it, that means you may have to think about changing the type of virtualization you are using or you may try to contact your VPS provider and ask him to enable this setting.

    Best.

    • 3

  5. This has been fixed in a redhat errata:RHBA-2015:1289 (Possibly paywall).

    In summary - the fix is to move the configuration from sysctl.conf to modprobe.d/dist.conf:

    Delete the offending lines from /etc/sysctl.conf 

    sed -i '/net.bridge.bridge-nf-call-/d' /etc/sysctl.conf

    And add the behavior to your /etc/modprobe.d/dist.conf

    cat <<EOF>>/etc/modprobe.d/dist.conf

# Disable netfilter on bridges when the bridge module is loaded
install bridge /sbin/modprobe --ignore-install bridge && /sbin/sysctl -q -w net.bridge.bridge-nf-call-arptables=0 net.bridge.bridge-nf-call-iptables=0 net.bridge.bridge-nf-call-ip6tables=0
EOF

    Which will set the values correctly upon load of the bridge module, or simply update your rpms to versions 

    module-init-tools-3.9-25.el6  
initscripts-9.03.53-1.el6

    Both are present by default in RHEL 6.8

    If anyone is interested in the history behind this, it's present here with an explanation there.

    • 0