[Users] radical change from vz 3.x to 4.x concerning iptables !?

jehan procaccia jehan.procaccia at it-sudparis.eu
Fri Nov 16 09:43:50 EST 2012


Hello,

Recently I updated my CT0 from vzctl-3.1-1 to vzctl-4.1-1, and all my CTx failed because of a radical change in the way iptables "ip_conntrack" and "state" work.
I don't know how it worked before, but after the update, iptables rules like:
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
in CTx didn't work anymore, and all Internet services failed.

Did I miss something? I don't see anything regarding iptables and conntrack in the changelog:
rpm -q --changelog vzctl-core | grep -i ipta
   - vzctl set --features/--iptables/--capability: ability to specify

Adding "ipt_state ip_conntrack" to the IPTABLES="..." line in /etc/vz/vz.conf corrected the problem, but I am very surprised by this change.

I run on:
CentOS release 5.8 (Final)
Linux epidau 2.6.18-308.8.2.el5.028stab101.1 #1 SMP Sun Jun 24 20:25:35 MSD 2012 x86_64 x86_64 x86_64 GNU/Linux

I had to remove and install vzctl and vzctl-lib because of a yum update error:
Error: ploop-lib conflicts with ovzkernel
and then reinstall the vzctl packages, which were updated to 4.1.

Before applying the same procedure on other CT0s, I would like to know if this is the right procedure and if that change in conntrack is expected!?

Thanks.
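As an added example (not part of the original post, and not vzctl's own code), the following POSIX shell script derives which netfilter modules a container's iptables rules need and checks a vz.conf IPTABLES= line against that list. The match/target-to-module table is a deliberately small assumption covering a few common 2.6.18-era module names (ipt_state and ip_conntrack as in the post); the sample ruleset and both IPTABLES= lines are constructed for the example, not taken from a real host.

```shell
#!/bin/sh
# Added example: which modules must IPTABLES= in /etc/vz/vz.conf list so that
# a container's rules load, and which of them does a given vz.conf miss?

# Constructed ruleset, modelled on the two rules quoted in the post plus a
# REJECT rule to exercise a target-based module.
SAMPLE_RULES='-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'

# Constructed IPTABLES= lines: a hypothetical value without the state modules,
# and the same value with "ipt_state ip_conntrack" appended as in the post.
VZCONF_BEFORE='IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle"'
VZCONF_AFTER='IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_state ip_conntrack"'

# module_for KIND NAME: print, one per line, the modules that "-m NAME"
# (KIND=m) or "-j NAME" (KIND=j) needs. Assumed table for a 2.6.18 kernel;
# matches/targets not listed here (tcp, ACCEPT, ...) need nothing extra.
module_for() {
    case "$1:$2" in
        m:state)     printf '%s\n' ipt_state ip_conntrack ;;
        m:conntrack) printf '%s\n' ipt_conntrack ip_conntrack ;;
        m:limit)     printf '%s\n' ipt_limit ;;
        m:multiport) printf '%s\n' ipt_multiport ;;
        j:REJECT)    printf '%s\n' ipt_REJECT ;;
        j:LOG)       printf '%s\n' ipt_LOG ;;
    esac
}

# required_modules: read iptables-save style rules on stdin, print the sorted
# unique set of modules they need as one space-separated line.
required_modules() {
    awk '{ for (i = 1; i < NF; i++)
             if ($i == "-m" || $i == "-j") print substr($i, 2), $(i+1) }' \
    | while read -r kind name; do module_for "$kind" "$name"; done \
    | LC_ALL=C sort -u | xargs
}

# configured_modules VZCONF_LINE: the module list inside IPTABLES="...".
configured_modules() {
    printf '%s\n' "$1" | sed -n 's/^IPTABLES="\(.*\)"$/\1/p'
}

# missing_modules VZCONF_LINE RULES: modules the rules need but the line lacks.
missing_modules() {
    have=" $(configured_modules "$1") "
    missing=""
    for mod in $(printf '%s\n' "$2" | required_modules); do
        case "$have" in
            *" $mod "*) ;;                       # already configured
            *) missing="$missing $mod" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

echo "Rules need:         $(printf '%s\n' "$SAMPLE_RULES" | required_modules)"
echo "Missing before fix: $(missing_modules "$VZCONF_BEFORE" "$SAMPLE_RULES")"
echo "Missing after fix:  $(missing_modules "$VZCONF_AFTER" "$SAMPLE_RULES")"
```

On a real CT0 the same check can be run as missing_modules "$(grep ^IPTABLES= /etc/vz/vz.conf)" "$(cat /path/to/ct/etc/sysconfig/iptables)" (path to be filled in for the container in question); note that a per-container IPTABLES= in the CT's own config file overrides the global one, so check whichever applies. On kernels newer than 2.6.18 the module names differ (xt_state, nf_conntrack), so the table must be adapted before reuse there.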