OVZ-4777 (OpenVZ)

ip6tables does not work in VE

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Fix Version/s: OpenVZ-legacy
    • Component/s: Containers::Userspace
    • Security Level: Public
    • Environment:
      Operating System: Debian
      Platform: x86_64 (AMD64)

      Description

      For more information see http://bugs.debian.org/590321


      Hi,

      I've just discovered that in a squeeze VE on a squeeze OpenVZ host, ip6tables does not work:

      root@guest:~# ip6tables -nL
      FATAL: Module ip6_tables not found.
      ip6tables v1.4.8: can't initialize ip6tables table `filter': Permission denied (you must be root)
      Perhaps ip6tables or your kernel needs to be upgraded.

      vz.conf vars:
      ## IPv4 iptables kernel modules
      IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"

      ## Enable IPv6
      IPV6="yes"

      ## IPv6 ip6tables kernel modules
      IP6TABLES="ip6_tables ip6table_filter ip6table_mangle ip6t_REJECT"

      root@guest:~# cat /proc/net/ip6_tables_names
      mangle
      filter


      I'm unsure where to go debug next; filing against vzctl as I think this is probably a configuration problem.

      Thanks,
      Christian

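A small diagnostic added here (not part of the bug report or of vzctl) for the "where to go debug next" question above: it reads the `IPV6` and `IP6TABLES` variables from a vz.conf-style file and reports every `ip6table_*` table that the kernel does not expose in `/proc/net/ip6_tables_names`. File paths are parameters, and the sample files at the end are constructed to mirror the values in the report.

```shell
#!/bin/sh
# Added diagnostic (not from the bug report): compares the module list in
# vz.conf's IP6TABLES variable with the tables the kernel actually exposes
# to the container in /proc/net/ip6_tables_names. Paths are parameters so
# the same functions run against the constructed sample files below.

# Print the value of a KEY="..." line from a vz.conf-style file.
vz_conf_get() {  # $1 = config file, $2 = key
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Map an ip6table_* module name to the table it provides; other modules
# (matches/targets such as ip6t_REJECT) print nothing.
table_of_module() {  # $1 = module name
    case "$1" in
        ip6table_*) printf '%s\n' "${1#ip6table_}" ;;
    esac
}

# Report every table required by IP6TABLES that is absent from the
# ip6_tables_names file. Returns 0 if none is missing, 1 otherwise.
check_ip6_tables() {  # $1 = vz.conf, $2 = ip6_tables_names file
    conf=$1; names=$2; missing=0
    if [ "$(vz_conf_get "$conf" IPV6)" != "yes" ]; then
        echo "IPV6 is not enabled in $conf"
        return 1
    fi
    for mod in $(vz_conf_get "$conf" IP6TABLES); do
        tbl=$(table_of_module "$mod")
        [ -n "$tbl" ] || continue
        if ! grep -qx "$tbl" "$names" 2>/dev/null; then
            echo "table '$tbl' (module $mod) missing from $names"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample input mirroring the report: vz.conf lists filter and
# mangle, and the container sees both tables, so this check passes.
tmp=$(mktemp -d)
cat > "$tmp/vz.conf" <<'EOF'
## Enable IPv6
IPV6="yes"
## IPv6 ip6tables kernel modules
IP6TABLES="ip6_tables ip6table_filter ip6table_mangle ip6t_REJECT"
EOF
printf 'mangle\nfilter\n' > "$tmp/ip6_tables_names"
check_ip6_tables "$tmp/vz.conf" "$tmp/ip6_tables_names" && echo "all IPv6 tables present"
```

Run it on a real host by passing `/etc/vz/vz.conf` and the container's `/proc/net/ip6_tables_names`; in the reported case both tables are present, which points away from the module list and toward the kernel bug named later in the thread.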
          Activity

          fossmail@gmail.com Andres Martinson added a comment -

          I have noticed that if you add the net_admin capability, the VE can use the ip6tables command afterwards.

          Imo, it affects both amd64 and i386.

          versions used:

          1. vzctl --version
            vzctl version 3.0.24
          2. apt-cache policy vzctl
            vzctl:
            Installed: 3.0.24-3
          wirtz@dfn.de Holger Wirtz added a comment -

          Hi,

          after "vzctl set $VEID --capability net_admin:on --save" and starting $VEID I can call ip[6]tables, but it has many problems with setting up a fwbuilder-generated firewall inside the VE, e.g.

          ...
          /sbin/iptables -t filter -F INPUT
          FATAL: Could not load /lib/modules/2.6.32.25-openvz-pae/modules.dep: No such file or directory
          ...
          cannot create /proc/sys/net/ipv4/ip_dynaddr: Permission denied
          ...
          /sbin/iptables -A INPUT -p udp -m udp -m multiport --dports 5060,4569 -m state --state NEW -j Cid12608X3530.0
          FATAL: Could not load /lib/modules/2.6.32.25-openvz-pae/modules.dep: No such file or directory
          FATAL: Could not load /lib/modules/2.6.32.25-openvz-pae/modules.dep: No such file or directory
          ...
          + /sbin/ip6tables -N Cid12608X3530.0
          ip6tables: Memory allocation problem.

          Host System:
          "Ubuntu-Server-10.04.1" (self-built kernel, see https://help.ubuntu.com/community/OpenVZ)

          VE System:
          "ubuntu-10.04-minimal_10.04_i386"

          Any ideas?

          Regards, Holger

          ola@inguza.com Ola Lundqvist added a comment -

          I have got the information that this is actually the same bug as stated in 1723.

          On Thu, Dec 23, 2010 at 07:32:55AM +0000, Steven Chamberlain wrote:
          > Hi Christian,
          >
          > Your bug report is the same issue I've reported here – actually a
          > kernel bug:
          >
          > * http://bugs.debian.org/607041
          > * http://bugzilla.openvz.org/show_bug.cgi?id=1723
          >
          > If you're able to patch and rebuild your Debian kernel you could try the
          > patch available here:
          >
          > * http://bugzilla.openvz.org/attachment.cgi?id=1339
          >
          > Regards,
          > –
          > Steven Chamberlain
          > steven@pyro.eu.org


            People

            • Assignee: Kir Kolyshkin (kir)
            • Reporter: Ola Lundqvist (ola@inguza.com)
            • Votes: 0
            • Watchers: 2