<div dir="ltr">Dear Nikolay, you are right!<div>I just saw in /etc/vz/vz.conf the lines:</div><div>---</div><div><pre style="color:rgb(0,0,0)">## WARNING: IPTABLES parameter is deprecated,
## use per-сontainer (not global!) NETFILTER instead
## iptables kernel modules to be loaded by init.d/vz script
IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ip6_tables ip6table_filter ip6table_mangle ip6t_REJECT"</pre><pre style="color:rgb(0,0,0)">
---</pre><pre style="color:rgb(0,0,0)">"vzctl --help" does not say anything about netfilter, but "man vzctl" have:</pre><pre style="color:rgb(0,0,0)">---</pre><pre style="color:rgb(0,0,0)"><pre> Netfilter (iptables) control parameters
--netfilter disabled|stateless|stateful|full
Restrict access to netfilter/iptables modules for a container.
This option replaces obsoleted --iptables.
The following arguments can be used:
· disabled -- no iptables allowed
· stateless -- everything but conntracks and NAT is allowed
(i.e. filter and mangle)
· stateful -- everything but NAT is allowed
· full -- all netfilter functionality</pre><pre>---</pre><pre>When I checked and ensured /etc/vz/conf/12753.conf have NETFILTER line and does not have IPABLES line, all started working as expected.</pre><pre>
I guess this problem is caused by some change in the interface between netfilter kernel modules and iptables binary in Fedora-20, so that guest tries to manage vzkernel in incompatible with it manner in case of "NETFILER" is not defined properly.</pre>
<pre>-- </pre><pre> Regards,</pre><pre> Sergey Ivanov.</pre></pre></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, May 14, 2014 at 12:32 AM, knawnd <span dir="ltr"><<a href="mailto:knawnd@gmail.com" target="_blank">knawnd@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Hello, Sergey!<br>
<br>
Another assumption: if you use vzctl-4.7.x and have NETFILTER [1]
parameter set to "stateless" in container's config file then try to
change it to "full".<br>
<br>
Best regards,<br>
Nikolay.<br>
<br>
[1]
<a href="https://github.com/kolyshkin/vzctl/commit/9b8afa654945acc6d3bd782f622aaf9c54e4e87b" target="_blank">https://github.com/kolyshkin/vzctl/commit/9b8afa654945acc6d3bd782f622aaf9c54e4e87b</a><div><div class="h5"><br>
<br>
<div>On 05/14/14 02:28, Jean-Marc Pigeon
wrote:<br>
</div>
</div></div><blockquote type="cite"><div><div class="h5">Bonjour Sergey,
<br>
<br>
<br>
HOST: /etc/vz/vz.conf, could be your IPTABLES definition Wrong??
<br>
<br>
IPTABLES="ipt_state ipt_conntrack ipt_LOG ipt_REJECT ipt_tos
ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS
ipt_tcpmss ipt_ttl ipt_length"
<br>
<br>
<br>
Quoting Sergey Ivanov <a href="mailto:seriv@cs.umd.edu" target="_blank"><seriv@cs.umd.edu></a>:
<br>
<br>
<blockquote type="cite">Hi,
<br>
I need help with openvz setup.
<br>
Here is the problem. In VE I have:
<br>
---
<br>
# iptables -S
<br>
-P INPUT ACCEPT
<br>
-P FORWARD ACCEPT
<br>
-P OUTPUT ACCEPT
<br>
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
<br>
-A INPUT -p icmp -j ACCEPT
<br>
-A INPUT -i lo -j ACCEPT
<br>
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
<br>
-A INPUT -j LOG --log-prefix "ipt.input: " --log-level 7
<br>
-A INPUT -j REJECT --reject-with icmp-host-prohibited
<br>
-A FORWARD -j LOG --log-prefix "ipt.forward: " --log-level 7
<br>
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
<br>
---
<br>
and when I try to ssh to VE, I am failing and in dmesg I see
lines about it
<br>
like these (I've modified MAC):
<br>
---
<br>
[ 9343.653892] ipt.input: IN=eth0 OUT=
<br>
MAC=00:de:ad:be:af:da:de:ad:be:af:de:ad:be:af SRC=10.0.128.117
<br>
DST=10.0.127.53 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1295 DF
PROTO=TCP
<br>
SPT=48744 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
<br>
---
<br>
Immediately after "service iptables stop" I have working ssh
service and
<br>
can login into VE remotely. I want to do this with iptables.
<br>
<br>
I use RHEL6 as a HE and tried Fedora-20 downloaded from
<br>
<a href="http://download.openvz.org/template/precreated/fedora-20-x86.tar.gz" target="_blank">http://download.openvz.org/template/precreated/fedora-20-x86.tar.gz</a>.
I use
<br>
VLANs, trunk is going to physical interface em1, HE has ip
address on vlan
<br>
128, there are em1.128 interface for it.
<br>
Virtual environment has netif, created by
<br>
---
<br>
vzctl set 12753 --save --netiff-add eth0,,veth12753,,br.127
<br>
---
<br>
I've set up bridge br.127 for this vlan and with automatically
added by
<br>
ifcfg scripts em1.127, and
<br>
---
<br>
EXTERNAL_SCRIPT="/usr/sbin/vznetaddbr"
<br>
---
<br>
in vznet.conf are adding veth to it. I'm using vzkernel
2.6.32-042stab088.4
<br>
<br>
--
<br>
Regards,
<br>
Sergey Ivanov.
<br>
</blockquote>
<br>
<br>
<fieldset></fieldset>
<br>
</div></div><pre>_______________________________________________
Users mailing list
<a href="mailto:Users@openvz.org" target="_blank">Users@openvz.org</a>
<a href="https://lists.openvz.org/mailman/listinfo/users" target="_blank">https://lists.openvz.org/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
</div>
<br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@openvz.org">Users@openvz.org</a><br>
<a href="https://lists.openvz.org/mailman/listinfo/users" target="_blank">https://lists.openvz.org/mailman/listinfo/users</a><br>
<br></blockquote></div><br></div>