[Users] iptables connlimit module not working

[Dan Bassett]

I am running 2.6.32-042stab076.8 on a CentOS6 HN with CentOS6 
containers, vzctl-4.2-1.x86_64. I have two containers running on the 
same HN. Each CT has a veth device. Both CT's veth device is connected 
to the same bridge device on the HN. They are assigned the addresses 
192.168.0.1/24 and 192.168.0.2/24 and can ping each other.

On the HN I am able to modprobe the connlimit module (xt_connlimit). I 
can then use iptables rules on the hostnode such as:

iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 
1 --connlimit-mask=32 -j REJECT

If I then attempt to initiate more than one ssh session to this HN from 
the same host, the second (and all subsequent) ssh connections are 
rejected.  This leads me to believe that the connlimit module is working 
properly with the OpenVZ kernel.

I am able to successfully insert the same rule into the iptables 
configuration in either of my containers, so it seems that the 
xt_connlimit module is properly loaded (I get errors if I try to use an 
iptables module that has not been loaded on the hostnode).  However, I 
can create more than one successful ssh session, meaning that the 
iptables rule in the CT is not being matched for some reason. I have 
both "xt_limit" and "xt_connlimit" in the list of iptables modules to 
load in vz.conf. When I am running these tests, I have no iptables rules 
loaded on the HN, and I have no other iptables rules loaded in the 
container.

One interesting thing I have noticed is that when I enter a container on 
this hostnode, I get the following errors:

[root at hn0 ~]# vzctl enter 2033892
Warning: Unknown iptable module: xt_connlimit, skipped
Warning: Unknown iptable module: xt_limit, skipped

It seems like this might be related to my issue, but it might just be a 
red herring.

Am I missing something obvious here? Or is this a bug with OpenVZ?

Thanks,
Dan