OpenVZ - OVZ-6659

ipt_owner module support in Containers

    Details

    • Type: New Feature
    • Status: Patch Sent
    • Priority: Major
    • Resolution: Unresolved
    • Fix Version/s: Vz7.0-Update6
    • Component/s: Containers::Kernel
    • Security Level: Public
    • Environment:
      Kernel vz7.9.29, Libvzctl 7.0.171, vzctl 7.0.85

      Description

      Module ipt_owner does not seem to work:

      # iptables -t nat -A OUTPUT -d 10.0.0.0/8 -p tcp -m tcp --dport 2751 -m owner --uid-owner 1001 -j ACCEPT
      iptables: Invalid argument. Run `dmesg' for more information.

      It works fine without the "-m owner --uid-owner 1001" part, however.

      vz.conf contains:
      IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_owner ip_tables iptable_nat"

      The same iptables command works fine on the host.

      The xt_owner module is loaded on the host.

      Host OS:
      Debian 8.3

      Guest OS:
      Debian 8.3

      Or has this been dropped in VZ7?

            Activity

            szenkov.int Zenkov Sergey added a comment -

            [Aqua Networks Ltd] https://help.virtuozzo.com/web/agent/case/15563

            szenkov.int Zenkov Sergey added a comment -

            one more customer, case #15563

            [root@node ~]# grep NETFILTER /vz/private/fc74346e/ve.conf
            NETFILTER="full"
            [root@node ~]# vzctl enter fc74346e
            entered into CT
            CT-fc74346e /# /sbin/iptables -w 10 -A cpanel-dovecot-solr --protocol tcp -m multiport --sports 8984,7984 -m owner --uid-owner 988 -j ACCEPT
            iptables: Invalid argument. Run `dmesg' for more information.
            CT-fc74346e /#

            virtuozzo-release-7.0.4-29.vz7.x86_64

            jcats Justin Catello added a comment -

            Yes, the 2 common causes are

            the new SOLR feature cPanel has added and the UDP protection in CSF

            1. UDPFLOOD has to be disabled in virtuozzo7 https://bugs.openvz.org/browse/OVZ-6659
              sed -i '/UDPFLOOD = /c\UDPFLOOD = "0"' /etc/csf/csf.conf

            otherwise you get

            You have an unresolved error when starting csf:
            Error: iptables command [/sbin/iptables -v -A UDPFLOOD -p udp -m owner --uid-owner 0 -j RETURN] failed, at line 2665 in /usr/sbin/csf

            aborodin.int Alexander Borodin added a comment -
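Added example (not from this issue, csf or OpenVZ): a small shell audit that reads a csf.conf and an iptables-save style ruleset, reports the rules that depend on the owner match this thread says fails inside Vz7 containers (and so would leave csf unable to start), and applies the UDPFLOOD change from the comment above to a copy. The file contents and paths are constructed samples.

```shell
#!/bin/sh
# Added example: audit csf.conf and a ruleset for "-m owner" dependencies.
set -eu

# Constructed sample csf.conf fragment (not a real customer file).
SAMPLE_CSF_CONF='TESTING = "0"
UDPFLOOD = "1"
UDPFLOOD_LIMIT = "100/s"
'

# Constructed ruleset in iptables-save format, mirroring the rules quoted in the issue.
SAMPLE_RULES='*filter
-A cpanel-dovecot-solr -p tcp -m multiport --sports 8984,7984 -m owner --uid-owner 988 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A UDPFLOOD -p udp -m owner --uid-owner 0 -j RETURN
COMMIT
'

# Print the UDPFLOOD value from a csf.conf ("1" = on, "0" = off).
csf_udpflood() {
    sed -n 's/^UDPFLOOD *= *"\([0-9]*\)".*/\1/p' "$1"
}

# Count rules in a ruleset file that use the owner match (grep -c prints 0 on no match).
count_owner_rules() {
    grep -c -- '-m owner' "$1" || true
}

# Same edit as the comment's sed -i, written via a temp file so GNU and BSD sed both work.
disable_udpflood() {
    sed '/^UDPFLOOD = /c\
UDPFLOOD = "0"' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Report what would fail in a container whose kernel rejects the owner match.
audit() {
    echo "UDPFLOOD enabled: $(csf_udpflood "$1")"
    echo "rules using -m owner: $(count_owner_rules "$2")"
    grep -- '-m owner' "$2" | sed 's/^/  would fail: /' || true
}

work=$(mktemp -d)
printf '%s' "$SAMPLE_CSF_CONF" > "$work/csf.conf"
printf '%s' "$SAMPLE_RULES"    > "$work/rules"
audit "$work/csf.conf" "$work/rules"
disable_udpflood "$work/csf.conf"
echo "after fix, UDPFLOOD enabled: $(csf_udpflood "$work/csf.conf")"
rm -rf "$work"
```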

            QR review pending (today-tomorrow)

            vkuleshov Vadim added a comment -

            QR4 due to PSBM-69409


              People

              • Assignee: khorenko Konstantin Khorenko
              • Reporter: ashlee Ashley Moravek
              • Votes: 3
              • Watchers: 17