Hi!
We're using the "conntrack" check on both RHEL5 and RHEL6 boxes, and the check fails on RHEL5 with the errors:
"net.netfilter.nf_conntrack_count" is an unknown key
"net.netfilter.nf_conntrack_max" is an unknown key
I've tracked it down to the fact that the conntrack kernel module was renamed from "ip_conntrack" to "nf_conntrack" sometime after kernel 2.6.18 - which in Red Hat land corresponds to the transition between 5 and 6, hence what we observe. Under the ip_conntrack module, the above keys were called "net.ipv4.netfilter.ip_conntrack_xxx".
The fix is pretty straightforward: it would just involve checking what version of the kernel we're on, then adapting the names of the keys used in the sysctl command. Something like:
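    LINUX_KERNEL=$(uname -r | sed -r 's/-.*$//')
    # Compare the fields numerically: [[ a < b ]] compares strings, so 2.6.9 would sort after 2.6.20
    IFS=. read -r KMAJOR KMINOR KPATCH _ <<< "$LINUX_KERNEL"
    KPATCH=${KPATCH%%[!0-9]*}
    if (( KMAJOR < 2 || (KMAJOR == 2 && (KMINOR < 6 || (KMINOR == 6 && ${KPATCH:-0} < 20))) )); then
        # ip_conntrack era (e.g. RHEL5, kernel 2.6.18)
        CONNTRACK_COUNT_KEY='net.ipv4.netfilter.ip_conntrack_count'
        CONNTRACK_MAX_KEY='net.ipv4.netfilter.ip_conntrack_max'
    else
        # nf_conntrack era (e.g. RHEL6 and later)
        CONNTRACK_COUNT_KEY='net.netfilter.nf_conntrack_count'
        CONNTRACK_MAX_KEY='net.netfilter.nf_conntrack_max'
    fi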
Then further down, when we run the actual check (lines 55-56), replace the hardcoded command with the variables we've set above:
    USED=$(sysctl -n net.netfilter.nf_conntrack_count)
    MAX=$(sysctl -n net.netfilter.nf_conntrack_max)
with:
    USED=$(sysctl -n "$CONNTRACK_COUNT_KEY")
    MAX=$(sysctl -n "$CONNTRACK_MAX_KEY")
Do you think you could put that quick fix in? Not sure it's the right place to report it, please let me know if it's not! And yeah, we should not be running anything on RHEL5 anymore, but that's another story ;-)
Cheers,
Noemi
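
An added example, not part of the original report or the project's code: instead of comparing kernel versions, the check can probe which of the two key sets described above actually exists, which also catches the case where no conntrack module is loaded. The root-directory argument, the `make_fixture` helper and the sample values 800/1000 are assumptions constructed here so the logic runs offline; on a real host the root is /proc/sys.

```shell
#!/bin/sh
# Added example: pick the conntrack sysctl keys by probing, not by kernel version.
# The root-directory argument and make_fixture are assumptions of this sketch.

# Map a sysctl key (a.b.c) to its file under the given root (<root>/a/b/c).
key_path() { printf '%s/%s\n' "$1" "$(printf '%s' "$2" | tr . /)"; }

# Print "<count_key> <max_key>" for whichever key set is present,
# or return 1 if neither exists (no conntrack module loaded).
conntrack_keys() {
    root="${1:-/proc/sys}"
    for prefix in net.netfilter.nf_conntrack net.ipv4.netfilter.ip_conntrack; do
        if [ -r "$(key_path "$root" "${prefix}_count")" ] &&
           [ -r "$(key_path "$root" "${prefix}_max")" ]; then
            echo "${prefix}_count ${prefix}_max"
            return 0
        fi
    done
    return 1
}

# Print conntrack table usage as an integer percentage of the maximum.
conntrack_usage_pct() {
    ct_root="${1:-/proc/sys}"
    ct_keys=$(conntrack_keys "$ct_root") || return 1
    ct_used=$(cat "$(key_path "$ct_root" "${ct_keys% *}")")
    ct_max=$(cat "$(key_path "$ct_root" "${ct_keys#* }")")
    [ "$ct_max" -gt 0 ] || return 1
    echo $(( ct_used * 100 / ct_max ))
}

# Constructed fixture: a fake sysctl tree with "old" (ip_conntrack) or
# "new" (nf_conntrack) key names and sample values 800 used / 1000 max.
make_fixture() {
    fx_root=$(mktemp -d) || return 1
    case "$1" in
        old) fx_dir=net/ipv4/netfilter; fx_name=ip_conntrack ;;
        *)   fx_dir=net/netfilter;      fx_name=nf_conntrack ;;
    esac
    mkdir -p "$fx_root/$fx_dir"
    echo 800  > "$fx_root/$fx_dir/${fx_name}_count"
    echo 1000 > "$fx_root/$fx_dir/${fx_name}_max"
    echo "$fx_root"
}

demo=$(make_fixture old)
echo "keys: $(conntrack_keys "$demo")  usage: $(conntrack_usage_pct "$demo")%"
rm -rf "$demo"
```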