OpenVZ Forum


ipt_MARK missed? [message #16173] Sun, 26 August 2007 15:46
Hibin

Have CentOS 5 (x86_64), latest OpenVZ kernel and tools, VPS based on centos-4-x86_64-minimal template.

Trying to set iptables modules to vps:

Quote:

vzctl set 200 --iptables "iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_MARK"


But an error occurs:

Quote:

Warning: Unknown iptable module: ipt_MARK, skipped
Bad parameter for --iptables: iptable_filter


How to fix this?

[Updated on: Sun, 26 August 2007 15:50]


Re: ipt_MARK missed? [message #16224 is a reply to message #16173] Wed, 29 August 2007 08:42
vaverin

Are you sure that this module is loaded on the Host Node?

Re: ipt_MARK missed? [message #16226 is a reply to message #16224] Wed, 29 August 2007 08:58
vaverin

Sorry, I was wrong;
it looks like this error occurred because "vzctl --iptables" has no support for the ipt_MARK module.

However, this parameter is used to restrict access to iptables modules inside the VE (by default all iptables modules that are loaded in the host system are accessible inside the VE).

Could you please explain why you want to restrict access to iptables modules?

Thank you,
Vasily Averin

Re: ipt_MARK missed? [message #35790 is a reply to message #16226] Wed, 22 April 2009 17:00
hoppaz

Hi Vasily,

seems that after a long time... I can recycle this thread ;)

I'm running into the same prob.

I'd like to use MARK within the VE. On VE0 the module has been loaded and is in use - so it works there...

If I try to use it inside the container:
/sbin/iptables -t mangle -I PREROUTING -p tcp -d MYHOST --dport 3690 -j MARK --set-mark 1
FATAL: Could not load /lib/modules/2.6.27.21-briullov/modules.dep: No such file or directory
FATAL: Could not load /lib/modules/2.6.27.21-briullov/modules.dep: No such file or directory


Yes... I use 2.6.27.21-briullov...

---- snippet from strace ---
open("/lib/iptables/libxt_tcp.so", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\7\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=9736, ...}) = 0
mmap2(NULL, 12580, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb8036000
mmap2(0xb8038000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb8038000
close(3)                                = 0
mprotect(0xb8038000, 4096, PROT_READ)   = 0
open("/lib/iptables/libxt_MARK.so", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\5\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=5708, ...}) = 0
mmap2(NULL, 8552, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7edf000
mmap2(0xb7ee0000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0xb7ee0000
close(3)                                = 0
mprotect(0xb7ee0000, 4096, PROT_READ)   = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
open("/proc/sys/kernel/modprobe", O_RDONLY) = 4
read(4, "/sbin/modprobe\n", 1024)       = 15
close(4)                                = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb8056b28) = 2598
wait4(-1, FATAL: Could not load /lib/modules/2.6.27.21-briullov/modules.dep: No such file or directory
[{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 2598
--- SIGCHLD (Child exited) @ 0 (0) ---
getsockopt(3, SOL_IP, 0x43 /* IP_??? */, "MARK\0\t\0Z\205\277\244\20\356\267\\=\5\270eH\5\270\240"..., [30]) = 0
close(3)                                = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
open("/proc/sys/kernel/modprobe", O_RDONLY) = 4
read(4, "/sbin/modprobe\n", 1024)       = 15
close(4)                                = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb8056b28) = 2599
wait4(-1, FATAL: Could not load /lib/modules/2.6.27.21-briullov/modules.dep: No such file or directory
[{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 2599
--- SIGCHLD (Child exited) @ 0 (0) ---
getsockopt(3, SOL_IP, 0x43 /* IP_??? */, "MARK\0\t\0Z\205\277\244\20\356\267\\=\5\270eH\5\270\240"..., [30]) = 0
close(3)                                = 0
getpid()                                = 2597
open("/etc/resolv.conf", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=113, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb8035000
read(3, "domain cmi\nsearch cmi"..., 4096) = 113
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0xb8035000, 4096)                = 0
open("/etc/networks", O_RDONLY|0x80000 /* O_??? */) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=91, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb8035000
read(3, "# symbolic names for networks, s"..., 4096) = 91

---- snippet from strace ---

Any ideas?

Lars

[Updated on: Wed, 22 April 2009 17:03]
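
An added example (not part of the original thread, and not OpenVZ or iptables code) for triaging an strace like the one posted above: it pairs each failed modprobe helper with the getsockopt revision query that follows it, so the modprobe FATAL output can be read separately from the kernel's own answer about MARK. The names `triage` and `SAMPLE` are hypothetical; it assumes 0x42/0x43 are IPT_SO_GET_REVISION_MATCH/IPT_SO_GET_REVISION_TARGET and that a non-negative return means the kernel recognised the extension.

```python
import re

# Assumption: 0x42 / 0x43 are IPT_SO_GET_REVISION_MATCH / _TARGET
# (IPT_BASE_CTL 64 + 2 / + 3); this strace prints them as raw numbers.
KIND = {"42": "match", "43": "target"}

HELPER_EXIT = re.compile(r"WEXITSTATUS\(s\) == (\d+)")
REVISION = re.compile(
    r'getsockopt\(\d+, SOL_IP, 0x(4[23])[^"]*"(\w+)\\0.*\) = (-?\d+)')

# Sample input: lines taken from the strace in the post, buffer abridged.
SAMPLE = r'''
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
open("/proc/sys/kernel/modprobe", O_RDONLY) = 4
read(4, "/sbin/modprobe\n", 1024)       = 15
close(4)                                = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb8056b28) = 2598
wait4(-1, FATAL: Could not load /lib/modules/2.6.27.21-briullov/modules.dep: No such file or directory
[{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 2598
getsockopt(3, SOL_IP, 0x43 /* IP_??? */, "MARK\0\t\0"..., [30]) = 0
'''


def triage(trace):
    """Pair each helper exit status with the revision query that follows it."""
    findings, helper_status = [], None
    for line in trace.splitlines():
        m = HELPER_EXIT.search(line)
        if m:
            # Exit code of the child spawned to run the modprobe helper.
            helper_status = int(m.group(1))
            continue
        m = REVISION.search(line)
        if m:
            findings.append({
                "kind": KIND[m.group(1)],
                "name": m.group(2),
                "modprobe_exit": helper_status,
                # The kernel's answer decides, not the helper's exit code.
                "supported": int(m.group(3)) >= 0,
            })
            helper_status = None
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```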