[Users] radical change from vz 3.x to 4.x concerning iptables !?

helpaz helpaz at gmail.com
Wed Nov 28 15:21:21 EST 2012


I don't know whether it is expected or not, but I always add to vz.conf the
modules that I know I will probably use in a CT: ipt_state, ipt_LOG.
I guess I encountered some of your problems in a similar situation in the
past:
http://bugzilla.openvz.org/show_bug.cgi?id=1429

So my guess is that you changed the HN fw rules, or your HN rules weren't
applied because of some error. So there were no iptables rules with "state"
on the HN, thus the CT firewall rules failed.

About the second problem:
http://openvz.livejournal.com/43060.html


On Fri, Nov 16, 2012 at 6:06 PM, Jehan Procaccia <jehan.procaccia at tem-tsp.eu> wrote:

>  Hello,
>
> recently I updated my CT0 from vzctl-3.1-1 to vzctl-4.1-1
> all my CTx failed because of a radical change in the way iptables
> "ip_conntrack" and "state" work
> I don't know how it worked before, but after the update iptables rules
> like:
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> in CTx didn't work anymore, failing all Internet services ....
>
> Did I miss something? I don't see anything regarding iptables and
> conntrack in the changelog
> rpm -q --changelog vzctl-core | grep -i ipta
>   - vzctl set --features/--iptables/--capability: ability to specify
>
> Adding "ipt_state ip_conntrack" to the IPTABLES="... in /etc/vz/vz.conf
> corrected the problem, but I am very surprised by this change
>
> I run on:
> CentOS release 5.8 (Final)
> Linux epidau 2.6.18-308.8.2.el5.028stab101.1 #1 SMP Sun Jun 24 20:25:35 MSD 2012 x86_64 x86_64 x86_64 GNU/Linux
>
> I had to remove and install vzctl, vzctl-lib because of a yum update
> error:
> Error: ploop-lib conflicts with ovzkernel
> then reinstall vzctl packages which were updated to 4.1 .
>
> Before applying the same procedure on other CT0, I would like to know if
> this is the right procedure and if that change in conntrack is expected !?
>
> Thanks .
>
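An added example, not part of either message in this thread: a shell check that compares the match and target extensions used in a CT ruleset with the modules named in IPTABLES= in vz.conf, so a missing ipt_state, ip_conntrack or ipt_LOG shows up before a vzctl upgrade breaks the CT firewall. The function names, the sample files and the REJECT mapping are assumptions for illustration; the state and LOG mappings follow the module names given in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): list iptables modules that a CT
# ruleset needs but that IPTABLES= in vz.conf does not name.

required_modules() {    # $1 = rules file in iptables-save syntax
    # state and LOG mappings follow the thread; REJECT is an assumption.
    grep -Eq -e '-m state( |$)' "$1" && echo "ipt_state ip_conntrack"
    grep -Eq -e '-j LOG( |$)' "$1" && echo "ipt_LOG"
    grep -Eq -e '-j REJECT( |$)' "$1" && echo "ipt_REJECT"
    return 0
}

configured_modules() {  # $1 = vz.conf path
    # Last uncommented IPTABLES= assignment, quotes stripped.
    sed -n 's/^[[:space:]]*IPTABLES=//p' "$1" | tail -n 1 | tr -d "\"'"
}

missing_modules() {     # $1 = vz.conf path, $2 = rules file
    have=" $(configured_modules "$1") "
    out=""
    for m in $(required_modules "$2"); do
        case "$have" in
            *" $m "*) ;;              # already configured
            *) out="$out $m" ;;       # needed by a rule, not configured
        esac
    done
    echo $out                         # unquoted on purpose: trims the leading space
}

demo() {
    d=$(mktemp -d)
    # Constructed CT ruleset, modelled on the rules quoted in the thread.
    cat > "$d/ct.rules" <<'EOF'
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
EOF
    # Constructed vz.conf lines: before and after the fix described above.
    echo 'IPTABLES="ipt_REJECT ipt_tos ipt_limit"' > "$d/before.conf"
    echo 'IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_state ip_conntrack ipt_LOG"' > "$d/after.conf"
    echo "before: $(missing_modules "$d/before.conf" "$d/ct.rules")"
    echo "after: $(missing_modules "$d/after.conf" "$d/ct.rules")"
    rm -rf "$d"
}

demo
```

An empty result from `missing_modules` means every extension the ruleset uses is covered by the configured module list.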