[Devel] [PATCH] scripts: add "-w" to iptables command
Vasily Averin
vvs at virtuozzo.com
Fri Sep 29 15:36:31 MSK 2017
Pavel,
This particular case is executed on a vz7 host only.
RHEL7 started from iptables 1.4.21,
so it is safe for us.
Anyway, thank you for your report; it was very useful!
On 2017-09-29 15:30, Pavel Tikhomirov wrote:
> It seems my comment missed the list, sorry...
>
> [root at cat ~]# iptables -w -L || echo ERROR
> iptables v1.4.7: option `-w' requires an argument
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR
>
> On 1.4.7 the -w option is not ignored but asks for an argument with an error for me. Checked on cat.qa.sw.ru
>
> On 09/28/2017 01:59 PM, Kirill Tkhai wrote:
>> The oldest version from VZ7, I suppose. I don't know which it is.
>>
>> On 28.09.2017 13:58, Stanislav Kinsburskiy wrote:
>>> How old should it be?
>>> I checked with v1.4.21
>>>
>>> 28.09.2017 12:55, Kirill Tkhai wrote:
>>>> Could you please say whether it will work on old iptables?
>>>>
>>>> On 28.09.2017 13:03, Stanislav Kinsburskiy wrote:
>>>>> What a brilliant idea it was to ignore unknown keys.
>>>>> Should take it into account.
>>>>>
>>>>> 28.09.2017 10:26, Vasily Averin wrote:
>>>>>> kthai@ explained that old versions of iptables ignore unknown keys, so adding -w is safe.
>>>>>>
>>>>>> On 2017-09-28 10:40, Pavel Tikhomirov wrote:
>>>>>>> Can we have these scripts running with an older iptables version which does not have "-w"?
>>>>>>>
>>>>>>> On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
>>>>>>>> Needed to support new versions of iptables.
>>>>>>>>
>>>>>>>> https://jira.sw.ru/browse/PSBM-73153
>>>>>>>>
>>>>>>>> Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
>>>>>>>> ---
>>>>>>>> scripts/nfs-ports-allow.sh | 16 ++++++++--------
>>>>>>>> 1 file changed, 8 insertions(+), 8 deletions(-)
>>>>>>>>
>>>>>>>> diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
>>>>>>>> index 97541dc..ac5cf5f 100644
>>>>>>>> --- a/scripts/nfs-ports-allow.sh
>>>>>>>> +++ b/scripts/nfs-ports-allow.sh
>>>>>>>> @@ -36,10 +36,10 @@ function add_accept_rules {
>>>>>>>> local server=$1
>>>>>>>> local port=$2
>>>>>>>> - ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT &&
>>>>>>>> - ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport $port -j ACCEPT &&
>>>>>>>> - ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT &&
>>>>>>>> - ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport $port -j ACCEPT
>>>>>>>> + ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT &&
>>>>>>>> + ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport $port -j ACCEPT &&
>>>>>>>> + ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT &&
>>>>>>>> + ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport $port -j ACCEPT
>>>>>>>> }
>>>>>>>> function iptables_allow_nfs_ports {
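Review bot: the bare `-w` added to the four `${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} ...` lines in add_accept_rules is not accepted by every iptables version, and the commit message ("Needed to support new versions of iptables") does not say which versions are required. The thread's own test on 1.4.7 fails with "option `-w' requires an argument", and because the four rules are `&&`-chained the first failure aborts the whole function with no rule installed. Either document the minimum supported iptables version (1.4.21 per the thread) in the commit message, or probe once with `${IPTABLES} -w -L` and put the flag in a variable so the script falls back to the old invocation where `-w` is rejected.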
>>>>>>>> @@ -63,10 +63,10 @@ function allow_portmapper_port {
>>>>>>>> local server=$1
>>>>>>>> local port=111
>>>>>>>> - ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT &&
>>>>>>>> - ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport $port -j ACCEPT &&
>>>>>>>> - ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT &&
>>>>>>>> - ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport $port -j ACCEPT
>>>>>>>> + ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT &&
>>>>>>>> + ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport $port -j ACCEPT &&
>>>>>>>> + ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT &&
>>>>>>>> + ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport $port -j ACCEPT
>>>>>>>> }
>>>>>>>> for s in $servers; do
>>>>>>>>
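Review bot: allow_portmapper_port now repeats the same four `${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} ...` lines as add_accept_rules, differing only in the udp/tcp order and in `port=111`, so this flag change had to be made in two places and any later one will too. Calling `add_accept_rules $server 111` here would keep the `-w` handling in one function. Minor: `$server` and `$port` stay unquoted in both hunks; quoting them (`-s "$server" --sport "$port"`) costs nothing and avoids word splitting if a server value ever contains whitespace.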
>>>>>>>> _______________________________________________
>>>>>>>> Devel mailing list
>>>>>>>> Devel at openvz.org
>>>>>>>> https://lists.openvz.org/mailman/listinfo/devel
>>>>>>>>
>>>>>>>
>
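The compatibility check that the thread ends up doing by hand (running `iptables -w -L` and seeing whether it errors) can be turned into a probe the script runs once, so the `-w` flag (which makes iptables wait for the xtables lock instead of failing when another iptables process holds it) is only passed where the binary accepts it. This is an added example written for this page; it is not code from the patch or from scripts/nfs-ports-allow.sh, and the two fake_iptables_* functions are constructed stand-ins that mimic the two behaviours reported in the thread, not real iptables builds. Function names, the table name and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not part of the OpenVZ patch: probe whether the iptables
# binary accepts a bare "-w" and build the rule command accordingly,
# instead of assuming that unknown flags are silently ignored.

# Return 0 if "<binary> -w -L" succeeds. A build where -w is unknown, or
# where -w demands an argument (the 1.4.7 report in the thread), fails here.
iptables_supports_wait() {
    "$1" -w -L >/dev/null 2>&1
}

# Print the flag to use with this binary: "-w" where supported, else nothing.
iptables_wait_flag() {
    if iptables_supports_wait "$1"; then
        printf '%s' '-w'
    fi
}

# Build one ACCEPT rule in the same shape as add_accept_rules from the patch
# (source match on $server/$port). Printed as a string so the result can be
# inspected; on a real host the string would be passed to ${JOIN_CT} / eval.
#   $1 binary  $2 chain  $3 proto  $4 server  $5 port
build_accept_rule() {
    wait=$(iptables_wait_flag "$1")
    printf '%s %s-I %s -p %s -s %s --sport %s -j ACCEPT\n' \
        "$1" "${wait:+$wait }" "$2" "$3" "$4" "$5"
}

# Constructed stand-ins (not real iptables builds) for the two behaviours
# reported in the thread. The "1.4.7" one rejects a bare -w with the error
# Pavel saw; the "1.4.21" one accepts it.
fake_iptables_1_4_7() {
    case $1 in
        -w) echo "iptables v1.4.7: option -w requires an argument" >&2; return 2 ;;
    esac
    return 0
}
fake_iptables_1_4_21() {
    return 0
}

# Usage: the same call degrades gracefully per binary. Replace the fake
# with "${IPTABLES:-iptables}" on a real host.
build_accept_rule fake_iptables_1_4_7  INPUT tcp 10.0.0.5 2049
build_accept_rule fake_iptables_1_4_21 INPUT tcp 10.0.0.5 2049
```

The probe costs one extra iptables invocation per run, which is cheap next to the eight rule insertions the script performs per server; the point is that a missing `-w` on an old binary then only loses the lock wait, rather than aborting the whole `&&` chain.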