<br><br><div class="gmail_quote">On 21 June 2013 08:09, Dan Bassett <span dir="ltr"><<a href="mailto:dbassett@oreillyschool.com" target="_blank">dbassett@oreillyschool.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I am running 2.6.32-042stab076.8 on a CentOS6 HN with CentOS6 containers, vzctl-4.2-1.x86_64. I have two containers running on the same HN. Each CT has a veth device. Both CT's veth device is connected to the same bridge device on the HN. They are assigned the addresses <a href="http://192.168.0.1/24" target="_blank">192.168.0.1/24</a> and <a href="http://192.168.0.2/24" target="_blank">192.168.0.2/24</a> and can ping each other.<br>
<br>
On the HN I am able to modprobe the connlimit module (xt_connlimit).</blockquote><div><br></div><div>You are supposed to load it before loading VZ modules (and this is the reason of having it listed in vz.conf so vz initscript takes care of loading it.</div>
<div><br></div><div>If you loaded it after loading vz modules it might not work. So, to make sure you'd do a reboot (or reloading of all vz modules -- /etc/init.d/vz stop, then make sure vz modules such as vznet are not loaded, then /etc/init.d/vz start).</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I can then use iptables rules on the hostnode such as:<br>
<br>
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 1 --connlimit-mask=32 -j REJECT<br>
<br>
If I then attempt to initiate more than one ssh session to this HN from the same host, the second (and all subsequent) ssh connections are rejected. This leads me to believe that the connlimit module is working properly with the OpenVZ kernel.<br>
<br>
I am able to successfully insert the same rule into the iptables configuration in either of my containers, so it seems that the xt_connlimit module is properly loaded (I get errors if I try to use an iptables module that has not been loaded on the hostnode). However, I can create more than one successful ssh session, meaning that the iptables rule in the CT is not being matched for some reason. I have both "xt_limit" and "xt_connlimit" in the list of iptables modules to load in vz.conf. When I am running these tests, I have no iptables rules loaded on the HN, and I have no other iptables rules loaded in the container.<br>
<br>
One interesting thing I have noticed is that when I enter a container on this hostnode, I get the following errors:<br>
<br>
[root@hn0 ~]# vzctl enter 2033892<br>
Warning: Unknown iptable module: xt_connlimit, skipped<br>
Warning: Unknown iptable module: xt_limit, skipped<br>
<br>
It seems like this might be related to my issue, but it might just be a red herring.<br></blockquote><div><br></div><div><br></div><div>This warning is harmless, it is not a bug, details are here:</div><div><a href="http://git.openvz.org/?p=vzctl;a=commit;h=d284c8a7">http://git.openvz.org/?p=vzctl;a=commit;h=d284c8a7</a></div>
<div><br></div><div>Or see vz.conf(5) man page, description of IPTABLES and IPTABLES_MODULES.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Am I missing something obvious here? Or is this a bug with OpenVZ?<br>
<br>
Thanks,<br>
Dan<br>
______________________________<u></u>_________________<br>
Users mailing list<br>
<a href="mailto:Users@openvz.org" target="_blank">Users@openvz.org</a><br>
<a href="https://lists.openvz.org/mailman/listinfo/users" target="_blank">https://lists.openvz.org/<u></u>mailman/listinfo/users</a><br>
</blockquote></div><br>