[Users] iptables MASQUERADE and MARK

Kelvin Raywood kray at triumf.ca
Mon Jul 5 18:55:25 EDT 2010


We're using OpenVZ to host firewalls for multiple VLANs and it's working 
out really well in the cases where we write the iptables rules 
ourselves.  We add the network interface of each VLAN directly to a VPS 
and use a bridge on the other side.

For some VLANs, we want to use iptables rules generated by some other 
software.  One of these uses both ipt_MASQUERADE and ipt_MARK.  It 
seems as though MASQUERADE is now working in 
ovzkernel-2.6.18-194.3.1.el5.028stab069.6, although vzctl-3.0.24-1 
doesn't recognize it.  However, ipt_MARK is not OpenVZ-ised, so we have to 
run a couple of separate stand-alone non-OpenVZ boxes for the VLANs that 
use this software.  Unfortunately, the software is not easily hackable, 
making one box per VLAN necessary.

I searched the OpenVZ bugzilla but couldn't find any entries for 
ipt_MARK.  Does anyone know if this module will be OpenVZ-ised in some 
future kernel ?

If not, I'll add a feature request.

BTW, the message quoted below did not receive a response on the list but 
I confirm that MASQUERADE is now virtualized but the tools don't yet 
know.  So you have to use some non-OpenVZ method to ensure that it gets 
loaded.  On CentOS-5, I drop short scripts in /etc/sysconfig/modules/ to 
ensure that various modules are loaded.

Cheers,

--
Kelvin Raywood
Vancouver BC

On Fri Jun 4 Aleksandar Ivanisevic wrote:
> I've googled a bit and it seems that everyone claims that
> ipt_MASQUERADE isn't virtualized, and indeed if I add it to vz.conf
> under IPTABLES=, all tools are complaining that it is unknown
> 
> BUT! ;)
> 
> if I load the module manually in the HN (modprobe ipt_MASQUERADE),
> masquerading works as advertised in the container.
> 
> So, is MASQUERADE virtualized or not? It seems to be, but I may be
> missing something.
> 
> What is the proper way to load ipt_MASQUERADE in the container?
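The workaround Kelvin describes (a short script under /etc/sysconfig/modules/ on the hardware node so that netfilter targets the tools don't know about are loaded before containers start) looks like the following. This is an added example, not a script posted in the thread or shipped by OpenVZ; the file name ovz-netfilter.modules and the helper names are assumptions. On CentOS-5, rc.sysinit runs every executable *.modules file in that directory at boot, which is what makes this approach work without touching vz.conf.

```shell
#!/bin/sh
# Added example: /etc/sysconfig/modules/ovz-netfilter.modules (file name assumed).
# Loads netfilter target modules on the OpenVZ hardware node at boot so that
# rules generated inside a container can use them, even when vzctl does not
# recognise the module name in IPTABLES=.

MODULES="ipt_MASQUERADE ipt_MARK"

# Constructed sample of /proc/modules output, used to exercise missing_modules
# without root and without a running OpenVZ kernel (not real node output).
SAMPLE_PROC_MODULES="ipt_MASQUERADE 7104 1 - Live 0xffffffff88123000
iptable_nat 10304 1 - Live 0xffffffff88130000
ip_tables 14560 3 iptable_nat,iptable_mangle,iptable_filter, Live 0xffffffff88140000
x_tables 19312 5 ipt_MASQUERADE,iptable_nat,ip_tables, Live 0xffffffff88150000"

# missing_modules TABLE MODULE...
# Print, one per line, each MODULE whose name is not the first field of some
# line in TABLE (TABLE is text in /proc/modules format). Pure text processing.
missing_modules() {
    _table=$1; shift
    for _m in "$@"; do
        printf '%s\n' "$_table" | awk -v m="$_m" '$1 == m { found = 1 } END { exit !found }' \
            || printf '%s\n' "$_m"
    done
}

# ensure_modules MODULE...
# modprobe every module not already present in /proc/modules. A failure is
# reported rather than hidden: a target that silently fails to load is exactly
# the case where rules apply on the node but not inside the container.
ensure_modules() {
    _missing=$(missing_modules "$(cat /proc/modules 2>/dev/null)" "$@")
    for _m in $_missing; do
        /sbin/modprobe "$_m" || echo "warning: could not load module $_m" >&2
    done
}

# At boot this runs as root; when run unprivileged it only defines the helpers.
if [ "$(id -u)" = 0 ]; then
    ensure_modules $MODULES
fi
```

Make the file executable (chmod 755) or rc.sysinit will skip it. Because the check is against /proc/modules rather than against vzctl's notion of supported modules, the script also works for targets like ipt_MARK that the tools do not list, which is the gap the thread is about.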



More information about the Users mailing list