<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello,<br>
<br>
recently I updated my CT0 from vzctl-3.1-1 to vzctl-4.1-1<br>
all my CTx failed because of a radical change in the way iptables
"ip_conntrack" and "state" work<br>
I don't know how it worked before, but after the update iptables
rules like:<br>
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j
ACCEPT<br>
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22
-j ACCEPT<br>
in CTx didn't work anymore, failing all Internet services ....<br>
<br>
did I miss something ? I don't see anything regarding iptables and
conntrack in the changelog <br>
rpm -q --changelog vzctl-core | grep -i ipta<br>
- vzctl set --features/--iptables/--capability: ability to specify<br>
<br>
Adding "ipt_state ip_conntrack" to the IPTABLES="... in
/etc/vz/vz.conf corrected the problem, but I am very surprised by this
change<br>
<br>
I run on:<br>
CentOS release 5.8 (Final)<br>
Linux epidau 2.6.18-308.8.2.el5.028stab101.1 #1 SMP Sun Jun 24
20:25:35 MSD 2012 x86_64 x86_64 x86_64 GNU/Linux<br>
<br>
I had to remove and install vzctl, vzctl-lib
because of a yum update error:<br>
Error: ploop-lib conflicts with ovzkernel<br>
then reinstall vzctl packages which were updated to 4.1 .<br>
<br>
before applying the same procedure on other CT0, I would like to
know if this is the right procedure and if that change in conntrack
is expected !?<br>
<br>
Thanks .
</body>
</html>