  1. OpenVZ
  2. OVZ-5736

ipset netfilter extension support

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Fix Version/s: OpenVZ-legacy
    • Component/s: Containers::Kernel
    • Security Level: Public
    • Environment:
      Operating System: RHEL/CentOS 6
      Platform: All

      Description

      ipset is a netfilter extension, working in userspace.

      It dramatically enhances iptables' capability to handle a set of rules, especially a large set.

      I suggest supporting ipset in containers for CentOS/RHEL 6 and other compatible kernel versions (those for which ipset module exists).

        Activity

        avagin@openvz.org Andrey Vagin added a comment -

        commit 6843bc3c568128e8771ba35cfefe95b7ec1c93a8
        Author: Ilia Mirkin <imirkin@alum.mit.edu>
        Date: Wed Mar 5 07:55:10 2014 +0100

        netfilter: ipset: move registration message to init from net_init

        Commit 1785e8f473 ("netfiler: ipset: Add net namespace for ipset") moved
        the initialization print into net_init, which can get called a lot due
        to namespaces. Move it back into init, reduce to pr_info.

        Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
        Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

        khorenko Konstantin Khorenko added a comment -

        Andrey, please port these patches to our kernel.

        konstantin@boyandin.info Konstantin Boyandin added a comment -

        Is it possible to know the current state of ipset support and the plans for it?

        Thanks.

        khorenko Konstantin Khorenko added a comment -
        • diff-ve-netfilter-ipset-prohibit-ipset-from-the-inside-CT
          Added to 042stab093_2

        ve/net/netfilter/ipset: prohibit ipset from the inside CT as it's not virtualized

        Signed-off-by: Kirill Tkhai <ktkhai@parallels.com>

        Plan: we are going to virtualize ipset in PCS7 (3.10-x kernels), as virtualization on 2.6.32-x requires significant effort.

        khorenko Konstantin Khorenko added a comment -

        By the way, Virtuozzo 7 with kernel 3.10.0-327.10.1.vz7.12.8 or later has support for ipset in Containers.

        In case there is something still wrong there - please let us know (file an issue).


          People

          • Assignee: avagin@openvz.org Andrey Vagin
          • Reporter: konstantin@boyandin.info Konstantin Boyandin
          • Votes: 0
          • Watchers: 10
