I don't know whether it is expected or not, but I always add to vz.conf the modules that I know I will probably use in a CT. These are ipt_state, ipt_LOG.<br>I guess I encountered some of your problems in a similar situation in the past:<br>
<a href="http://bugzilla.openvz.org/show_bug.cgi?id=1429">http://bugzilla.openvz.org/show_bug.cgi?id=1429</a><br><br>So my guess is that you changed the HN fw rules, or your HN rules weren't applied because of some error, so there were no iptables rules with "state" in the HN, and thus the CT firewall rules failed.<br>
<br>About the second problem:<br><a href="http://openvz.livejournal.com/43060.html">http://openvz.livejournal.com/43060.html</a><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Nov 16, 2012 at 6:06 PM, Jehan Procaccia <span dir="ltr">&lt;<a href="mailto:jehan.procaccia@tem-tsp.eu" target="_blank">jehan.procaccia@tem-tsp.eu</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Hello,<br>
<br>
Recently I updated my CT0 from vzctl-3.1-1 to vzctl-4.1-1.<br>
All my CTx failed because of a radical change in the way iptables
"ip_conntrack" and "state" work.<br>
I don't know how it worked before, but after the update iptables
rules like:<br>
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j
ACCEPT<br>
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22
-j ACCEPT<br>
in CTx didn't work anymore, failing all Internet services ....<br>
<br>
Did I miss something? I don't see anything regarding iptables and
conntrack in the changelog:<br>
rpm -q --changelog vzctl-core | grep -i ipta<br>
- vzctl set --features/--iptables/--capability: ability to specify<br>
<br>
Adding "ipt_state ip_conntrack" to the IPTABLES="... in
/etc/vz/vz.conf corrected the problem, but I am very surprised by this
change.<br>
<br>
I run on:<br>
CentOS release 5.8 (Final)<br>
Linux epidau 2.6.18-308.8.2.el5.028stab101.1 #1 SMP Sun Jun 24
20:25:35 MSD 2012 x86_64 x86_64 x86_64 GNU/Linux<br>
<br>
I had to remove and install vzctl, vzctl-lib
because of a yum update error:<br>
Error: ploop-lib conflicts with ovzkernel<br>
then reinstall the vzctl packages, which were updated to 4.1.<br>
<br>
Before applying the same procedure on other CT0, I would like to
know if this is the right procedure and if that change in conntrack
is expected!?<br>
<br>
Thanks.
</div>
<br></blockquote></div><br></div>
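An added example, not part of the original messages: a shell check that compares the modules listed in IPTABLES="..." of a vz.conf-style file against a CT rule set in iptables-save format and prints the ones that are missing. The function names and sample files are assumptions; it assumes a double-quoted IPTABLES value and maps only `-m state` and `-j LOG` to the modules named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: list the iptables modules a CT rule set
# needs but that are missing from IPTABLES="..." in a vz.conf-style file.
# Only the match/target-to-module pairs named in the thread are mapped.

# Print the value of the last double-quoted IPTABLES="..." line in file $1.
vz_modules() {
    sed -n 's/^[[:space:]]*IPTABLES="\([^"]*\)".*/\1/p' "$1" | tail -n 1 | tr '\t' ' '
}

# Print the modules required by the iptables-save style rules in file $1.
required_modules() {
    req=""
    grep -Eq -e '-m state( |$)' "$1" && req="$req ipt_state ip_conntrack"
    grep -Eq -e '-j LOG( |$)' "$1" && req="$req ipt_LOG"
    echo $req
}

# Print the required modules that the config ($1) does not list for rules ($2).
missing_modules() {
    have=" $(vz_modules "$1") "
    missing=""
    for m in $(required_modules "$2"); do
        case "$have" in
            *" $m "*) ;;                    # already listed in IPTABLES
            *) missing="$missing $m" ;;     # needed by a rule, not listed
        esac
    done
    echo "${missing# }"
}

# Constructed sample input: a vz.conf lacking the state modules, and the two
# CT rules quoted in the thread.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'IPTABLES="ipt_REJECT iptable_filter ipt_LOG"' > "$tmp/vz.conf"
    printf '%s\n' \
        '-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT' \
        > "$tmp/ct.rules"
    echo "missing: $(missing_modules "$tmp/vz.conf" "$tmp/ct.rules")"
    rm -rf "$tmp"
}
demo
```

Running such a check on the HN before and after a vzctl upgrade shows whether CT rules depend on modules that the global configuration does not list.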