OpenVZ Forum


Home » General » Support » Can you use "ipset" with OpenVZ 7 / Virtuozzo 7? (...if so, how can you enable it for CT's?)
Can you use "ipset" with OpenVZ 7 / Virtuozzo 7? [message #53538] Fri, 31 May 2019 08:03 Go to next message
HHawk is currently offline  HHawk
Messages: 16
Registered: September 2017
Location: Europe
Junior Member
From: *cable.dynamic.v4.ziggo.nl
I understand this was never really possible under OpenVZ 6 (or Virtuozzo 6), however apparently it's possible with the new version of OpenVZ 7 (Virtuozzo 7).

I quote Konstantin Khorenko's post on https://bugs.openvz.org/browse/OVZ-5736:

Quote:
By the way, Virtuozzo 7 with kernel 3.10.0-327.10.1.vz7.12.8 or later has support for ipset in Containers.


So @khorenko or someone else can explain how to do this correctly for CT's?
Would be great. Especially considering it works way faster (apparently) compared to using iptables.

Thank you in advance!
Re: Can you use "ipset" with OpenVZ 7 / Virtuozzo 7? [message #53539 is a reply to message #53538] Fri, 31 May 2019 08:49 Go to previous messageGo to next message
khorenko is currently offline  khorenko
Messages: 511
Registered: January 2006
Location: Moscow, Russia
Senior Member
From: *virtuozzo.com
Quote:
how to do this correctly for CT's?


Just configure ipset inside a Container like you do this on a Hardware Node,
that should work.
Link to an example.


If you problem is solved - please, report it!
It's even more important than reporting the problem itself...
Re: Can you use "ipset" with OpenVZ 7 / Virtuozzo 7? [message #53540 is a reply to message #53538] Fri, 31 May 2019 10:53 Go to previous messageGo to next message
HHawk is currently offline  HHawk
Messages: 16
Registered: September 2017
Location: Europe
Junior Member
From: *cable.dynamic.v4.ziggo.nl
Thank you khorenko! Highly appreciated. Smile

ipset performance is better right, compared to iptables?
I think I read somewhere is can handle more IP's without performance issues. Is that true?
Re: Can you use "ipset" with OpenVZ 7 / Virtuozzo 7? [message #53541 is a reply to message #53540] Fri, 31 May 2019 11:27 Go to previous messageGo to next message
khorenko is currently offline  khorenko
Messages: 511
Registered: January 2006
Location: Moscow, Russia
Senior Member
From: *virtuozzo.com
i did not measure them myself, but
https://workshop.netfilter.org/2013/wiki/images/a/ab/Jozsef_ Kadlecsik_ipset-osd-public.pdf


If you problem is solved - please, report it!
It's even more important than reporting the problem itself...
Re: Can you use "ipset" with OpenVZ 7 / Virtuozzo 7? [message #53542 is a reply to message #53541] Mon, 03 June 2019 08:00 Go to previous messageGo to next message
HHawk is currently offline  HHawk
Messages: 16
Registered: September 2017
Location: Europe
Junior Member
From: *cable.dynamic.v4.ziggo.nl
Thank you. Smile
Re: Can you use "ipset" with OpenVZ 7 / Virtuozzo 7? [message #53544 is a reply to message #53540] Sun, 09 June 2019 01:21 Go to previous message
websavers is currently offline  websavers
Messages: 25
Registered: March 2018
Location: Halifax, NS
Junior Member
From: 170.10.225*
HHawk wrote on Fri, 31 May 2019 07:53
Thank you khorenko! Highly appreciated. Smile

ipset performance is better right, compared to iptables?
I think I read somewhere is can handle more IP's without performance issues. Is that true?


Yep! As long as you don't require more advanced control over the IP than block/allow type controls then it's much faster and does work with OpenVZ 7. Only had to install ipset and it worked right off the bat, but we also have NETFILTER=full enabled for all containers using ipset, which may help with that being so straightforward.
Previous Topic: Error while starting the container - Failed to exec quotaon
Next Topic: Is buyvirtuozzo.com legit for readykernel licenses?
Goto Forum:
  


Current Time: Mon Jun 17 07:08:08 GMT 2019