
Bug#607041: linux-image-2.6.32-5-openvz-amd64: amd64 ip6tables broken in OpenVZ VE

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Fix Version/s: OpenVZ-legacy
    • Component/s: Containers::Kernel
    • Security Level: Public
    • Environment:
      Operating System: Debian
      Platform: x86_64 (AMD64)

      Description

      Hi

      This is a forward of a bug report in the Debian bugtracking system. It is only partly included below as the original one is rather long.

      Please see http://bugs.debian.org/607041 for more relevant information.

      Best regards,

      // Ola

      ------ Part of original bug report in Debian bugtracking system below ----

      Package: linux-image-2.6.32-5-openvz-amd64
      Version: 2.6.32-29

      Hi,

      I noticed that on kernel 2.6.32-5-openvz-amd64 (Debian 2.6.32-29), the
      amd64 build of ip6tables does not work at all in an OpenVZ VE, but the
      i386 build does. Within the OpenVZ host itself though (VE0), both
      versions work. So I'm inclined to say this is more likely a kernel/OpenVZ
      bug than a bug in ip6tables.

      IPv4 iptables works fine in all cases.

      I tested this within an OpenVZ VE, which is an amd64 Debian lenny install,
      with an i386 chroot inside of it:

      # dpkg-query -Wf '${Package}-${Version}_${Architecture}\n' iptables
      iptables-1.4.2-6_amd64

      # ip6tables -L
      FATAL: Could not load /lib/modules/2.6.32-5-openvz-amd64/modules.dep: No
      such file or directory
      ip6tables v1.4.2: can't initialize ip6tables table `filter': Permission
      denied (you must be root)
      Perhaps ip6tables or your kernel needs to be upgraded.
      # chroot lenny-i386/ dpkg-query -Wf
      '${Package}-${Version}_${Architecture}\n' iptables
      iptables-1.4.2-6_i386

      # chroot lenny-i386/ ip6tables -L
      Chain INPUT (policy ACCEPT)
      target prot opt source destination
      ...
      Attachments

      1. bug1723-iptables6 (13 kB) - Cyrill Gorcunov
      2. openvz-bug-1723.patch (0.6 kB) - Steven Chamberlain
      3. openvz-ip6t_LOG-printk.patch (11 kB) - Steven Chamberlain
      4. openvz-ip6t_LOG-printk.patch (11 kB) - Steven Chamberlain

        Issue Links

          Activity

          s.priebe@profihost.com Stefan Priebe added a comment -

          Oh man really crazy uff. I got the output from shorewall and messed it up.

          I now started a more specific session. So I'm really really sorry for that.

          # /etc/init.d/shorewall6 start
          Starting "Shorewall6 firewall": not done (check /var/log/shorewall6-init.log).

          Jun 7 16:23:43 ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
          ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system

          Shorewall is executing the following stuff to determine this situation:
          /sbin/ip6tables -L shorewall -n
          /sbin/ip6tables -N fooX8608
          /sbin/ip6tables -N foo1X8608
          /sbin/ip6tables -A fooX8608 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
          /sbin/ip6tables -A fooX8608 -m state --state ESTABLISHED,RELATED -j ACCEPT
          /sbin/ip6tables -F fooX8608
          /sbin/ip6tables -X fooX8608
          /sbin/ip6tables -F foo1X8608
          /sbin/ip6tables -X foo1X8608
          /sbin/ip6tables -t mangle -F fooX8608
          /sbin/ip6tables -t mangle -X fooX8608

          What fails isn't mangle, it's the state and conntrack ;-(
          ~/# /sbin/ip6tables -N fooX8608
          ~/# /sbin/ip6tables -A fooX8608 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
          ip6tables: Invalid argument
          ~/# /sbin/ip6tables -A fooX8608 -m state --state ESTABLISHED,RELATED -j ACCEPT
          ip6tables: Invalid argument

          But these commands work fine on HN.

          ~#: lsmod|grep state
          xt_state 1327 0
          nf_conntrack 44151 11 vzrst,nf_nat_irc,nf_nat_ftp,iptable_nat,xt_helper,xt_state,xt_conntrack,nf_conntrack_irc,nf_conntrack_ftp,nf_nat,nf_conntrack_ipv4
          x_tables 12862 21 ip6t_REJECT,ip6_tables,xt_tcpudp,ipt_REDIRECT,iptable_nat,xt_helper,xt_state,xt_conntrack,xt_length,ipt_LOG,xt_hl,xt_tcpmss,xt_TCPMSS,ipt_REJECT,xt_DSCP,xt_dscp,xt_multiport,xt_limit,ip_tables,xt_mac,ipt_MASQUERADE

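          The probe sequence Shorewall runs above (create a scratch chain, try -m conntrack and -m state, flush and delete), together with the description's case where ip6tables fails outright inside the VE, can be wrapped into one capability check that tells the two failure modes apart and always cleans up its scratch chain. This is an added example, not Shorewall's or OpenVZ's code; it assumes ip6tables at /sbin/ip6tables unless IP6TABLES is set (a wrapper or shell function also works, for a dry run) and needs root inside the container.

```shell
#!/bin/sh
# Added example (not Shorewall's or OpenVZ's code): check whether ip6tables
# stateful matching works in this container, the way Shorewall's start-up
# test does, but with guaranteed cleanup of the scratch chain. Run as root
# inside the VE, then on the HN to compare. Assumption: the binary is
# /sbin/ip6tables unless IP6TABLES is set (a wrapper or shell function works).
IP6TABLES="${IP6TABLES:-/sbin/ip6tables}"

# probe_ip6t_match MATCH ARGS...
#   0: a rule with "-m MATCH ARGS" was accepted into a scratch filter chain
#   1: the kernel rejected the rule (the "Invalid argument" seen in the VE)
#   2: no scratch chain could be created (ip6tables unusable, as in the
#      "Permission denied (you must be root)" output in the description)
probe_ip6t_match() {
    match=$1; shift
    chain="probeX$$"
    "$IP6TABLES" -N "$chain" 2>/dev/null || return 2
    rc=1
    if "$IP6TABLES" -A "$chain" -m "$match" "$@" -j RETURN 2>/dev/null; then
        rc=0
    fi
    # Flush and delete the scratch chain even after a failed insert, so
    # repeated probes never leave stray chains behind.
    "$IP6TABLES" -F "$chain" 2>/dev/null
    "$IP6TABLES" -X "$chain" 2>/dev/null
    return $rc
}

# check_ip6t_state: probe the conntrack and the state match, print a verdict
# and return the worst result (0 ok, 1 rejected, 2 ip6tables unusable).
check_ip6t_state() {
    worst=0
    for spec in "conntrack --ctstate" "state --state"; do
        set -- $spec ESTABLISHED,RELATED
        probe_ip6t_match "$@"
        rc=$?
        [ $rc -eq 0 ] && echo "ip6tables -m $1: OK" || echo "ip6tables -m $1: FAILED (rc=$rc)"
        [ $rc -gt $worst ] && worst=$rc
    done
    case $worst in
        0) echo "IPv6 stateful firewalling usable" ;;
        1) echo "state/conntrack match rejected: IPv6 rules that need it will not load" ;;
        *) echo "ip6tables cannot create chains: no IPv6 filtering possible here" ;;
    esac
    return $worst
}

# Run the check only when invoked with --check; sourcing the file just defines the functions.
[ "${1:-}" = "--check" ] && check_ip6t_state
```

          Exit status 1 corresponds to the "Invalid argument" failure in the comment above, exit status 2 to the description's case where no chain can be created at all.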
          gorcunov@openvz.org Cyrill Gorcunov added a comment -

          (In reply to comment #35)
          > Oh man really crazy uff. I got the output from shorewall and messed it up.
          >
          > I now started a more specific session. So i'm really really sorry for that.
          >

          ok, no problem

          > # /etc/init.d/shorewall6 start
          ...

          Will check, this is a different issue.

          s.priebe@profihost.com Stefan Priebe added a comment -

          Thanks Cyrill, and I'm really really sorry.

          gorcunov@openvz.org Cyrill Gorcunov added a comment -

          (In reply to comment #37)
          > Thanks Cyrill and i'm really really sorry.

          no problem, don't worry

          sergeyb Sergey Bronnikov added a comment -

          The bug was fixed more than one year ago and there were no complaints from the reporter after the fix. We believe the bug fix helped and mark the bug as closed.


            People

            • Assignee: gorcunov@openvz.org Cyrill Gorcunov
            • Reporter: ola@inguza.com Ola Lundqvist
            • Votes: 0
            • Watchers: 8
