OpenVZ Forum


ipt_recent is now missing? [message #28754] Thu, 27 March 2008 21:42
TheWiseOne
Messages: 66
Registered: September 2005
Location: Pennsylvania
Member
[root@vz18 ~]# lsmod | grep ipt_recent
ipt_recent 43404 0
x_tables 52616 14 ipt_recent,xt_conntrack,ipt_REDIRECT,xt_tcpudp,xt_length,ipt_ttl,xt_tcpmss,ipt_TCPMSS,xt_multiport,xt_limit,ipt_tos,ipt_REJECT,iptable_nat,ip_tables


[root@vz18 ~]# grep ipt_recent /etc/sysconfig/vz
IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT ipt_recent"

[root@vz18 ~]# grep ipt_recent /etc/vz/conf/122.conf
IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT ipt_recent"

[root@vz18 ~]# vzctl enter 122
Warning: Unknown iptable module: ipt_recent, skipped
Warning: Unknown iptable module: ipt_recent, skipped
entered into VE 122


Am I missing something?

According to http://openvz.org/news/updates ipt_recent was supported since kernel 2.6.18-028stab049.1.


Matt Ayres
TekTonic

[Updated on: Thu, 27 March 2008 21:44]


Re: ipt_recent is now missing? [message #28759 is a reply to message #28754] Fri, 28 March 2008 05:34
vaverin
Messages: 708
Registered: September 2005
Senior Member
Matt,

In 2.6.18 kernels we have changed iptables support, and now all targets/matches loaded on the node are accessible inside the VE.

But all targets and matches should be accessible inside the VE; I've checked it on your node: ;)

[root@vz18 ~]# vzctl exec 122 cat /proc/net/ip_tables_matches
Warning: Unknown iptable module: ipt_recent, skipped
Warning: Unknown iptable module: ipt_recent, skipped
udp
tcp
recent <<<<<<< :)
helper
state
conntrack
length
ttl
tcpmss
tos
multiport
multiport
limit
icmp


The warning is produced by vzctl; it knows nothing about this module. Just remove this module from the per-VE IPTABLES variable.

Also, I would note that the semantics of the IPTABLES variable in ve.conf have changed: you no longer need to add any new targets/matches to the default list.

Via the per-VE IPTABLES variable you can now restrict only access to tables and disable conntracks inside the VE:
ipv4 filter and mangle
ipv6 filter and mangle
nat
conntracks
Other known modules are silently ignored, but unknown ones generate a warning message.

What do you think: is this correct, or do we need to change something?

thank you,
Vasily Averin
Re: ipt_recent is now missing? [message #28800 is a reply to message #28759] Fri, 28 March 2008 14:55
TheWiseOne
Messages: 66
Registered: September 2005
Location: Pennsylvania
Member
Still no deals...

[root@vz18 conf]# grep IPTABLES /etc/vz/conf/100.conf
IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT ipt_recent"
[root@vz18 conf]# vzctl enter 100
Warning: Unknown iptable module: ipt_recent, skipped
entered into VE 100



Matt Ayres
TekTonic
Re: ipt_recent is now missing? [message #28807 is a reply to message #28800] Fri, 28 March 2008 16:29
khorenko
Messages: 533
Registered: January 2006
Location: Moscow, Russia
Senior Member
Matt,

please don't pay attention to these warnings;
as Vasily already said, they are generated by vzctl, and vzctl really doesn't know anything about ipt_recent.

But despite this warning, the functionality of the ipt_recent module _will be_ available inside a Container - just try to use it!

You can check which modules are available inside a Container by 'cat /proc/net/ip_tables_matches':
# vzctl exec 100 cat /proc/net/ip_tables_matches
recent
length
ttl
tcpmss
multiport
multiport
limit
tos
icmp
udp
tcp

Just try to create a rule inside a Container which requires ipt_recent functionality - it should work. Could you please try and share the results with us?

Thank you,
Konstantin Khorenko


If your problem is solved - please, report it!
It's even more important than reporting the problem itself...
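
The check Konstantin describes, as an added example that is not part of the original thread: a small shell helper that compares the match modules named in a container's IPTABLES= list with what `/proc/net/ip_tables_matches` reports inside the container. The function names and the sample data (including `ipt_owner`) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: output of
#   vzctl exec 122 cat /proc/net/ip_tables_matches
# in the form shown in the thread, vzctl warning line included.
SAMPLE_MATCHES='Warning: Unknown iptable module: ipt_recent, skipped
udp
tcp
recent
helper
state
conntrack
limit
icmp'

# Constructed sample of a per-VE IPTABLES= value.
SAMPLE_IPTABLES='iptable_filter ipt_limit ipt_REJECT ipt_state ip_conntrack ipt_recent ipt_owner'

# match_status MODULE MATCHES_TEXT
# Prints "available" or "missing" for ipt_<match> modules, and "not-a-match"
# for tables, conntrack modules and targets.
match_status() {
    case "$1" in
        ipt_*) name=${1#ipt_} ;;
        *) echo "not-a-match"; return 0 ;;
    esac
    # Upper-case names (ipt_REJECT, ipt_LOG) are targets; those are listed
    # in /proc/net/ip_tables_targets, not in ip_tables_matches.
    case "$name" in
        *[A-Z]*) echo "not-a-match"; return 0 ;;
    esac
    # Drop vzctl's warning lines, then require an exact whole-line match.
    if printf '%s\n' "$2" | grep -v '^Warning:' | grep -qx "$name"; then
        echo "available"
    else
        echo "missing"
    fi
}

# report IPTABLES_LIST MATCHES_TEXT: one "module status" line per entry.
report() {
    for mod in $1; do
        printf '%s %s\n' "$mod" "$(match_status "$mod" "$2")"
    done
}

report "$SAMPLE_IPTABLES" "$SAMPLE_MATCHES"
```

On a real node, pass `report` the IPTABLES value from the VE's config file and the output of the `vzctl exec ... cat /proc/net/ip_tables_matches` command shown above.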
Re: ipt_recent is now missing? [message #28810 is a reply to message #28754] Fri, 28 March 2008 16:55
TheWiseOne
Messages: 66
Registered: September 2005
Location: Pennsylvania
Member
I will try, but assuming it does work... shouldn't vzctl be fixed to not display the warning? Should I submit a bug report or will someone from the OpenVZ team?

Matt Ayres
TekTonic
Re: ipt_recent is now missing? [message #28822 is a reply to message #28810] Sat, 29 March 2008 09:48
vaverin
Messages: 708
Registered: September 2005
Senior Member
Matt,
I would ask you to please submit a new bug in Bugzilla.
(Your opinion is important to us because developers tend not to see obvious issues in their own product ;) )

Thank you,
Vasily Averin
Re: ipt_recent is now missing? [message #28825 is a reply to message #28754] Sat, 29 March 2008 13:41
TheWiseOne
Messages: 66
Registered: September 2005
Location: Pennsylvania
Member
Bug submitted. Thanks.

Matt Ayres
TekTonic
Re: ipt_recent is now missing? [message #35750 is a reply to message #28754] Tue, 21 April 2009 00:21
bodhi.zazen
Messages: 3
Registered: April 2009
Location: Montana
Junior Member
iptables is working (I am on Proxmox)

This is what I added to vz.conf

IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state ipt_LOG ip_conntrack iptable_nat ip_nat_ftp ipt_recent"


When I enter a guest I get a "Warning" -

Quote:

Warning: Unknown iptable module: ipt_recent, skipped


Despite this warning, iptables is working in the containers, including

-m recent

:)

Re: ipt_recent is now missing? [message #35751 is a reply to message #35750] Tue, 21 April 2009 02:12
TheWiseOne
Messages: 66
Registered: September 2005
Location: Pennsylvania
Member
It is a bug in vzctl and a patch was submitted upstream by another employee here, but to date it has not been added to the main tree.

Matt Ayres
TekTonic