OpenVZ Forum


Home » General » Support » BUG? OVZ 7 + CentOS 8 + iptables v1.8.4 (nf_tables) (Rules being multiplied?)
BUG? OVZ 7 + CentOS 8 + iptables v1.8.4 (nf_tables) [message #53659] Thu, 09 July 2020 01:19 Go to next message
andre is currently offline  andre
Messages: 34
Registered: January 2008
Member
 From: *virtua.com.br
It looks like as iptables is multiplying its rules at OVZ7+CentOS8

Steps bellow:

First, we confirm that there are no references to chain TEST
# iptables-save | grep -c TEST
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
0



Next, we create a chain TEST, a basic rule and at the end we count the number of references to it
# iptables -N TEST ; iptables -A TEST -j ACCEPT ; iptables-save | grep -c TEST
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
31


31 referentes. Shouldn't there be just 2? (chain creation + rule?)

Let's check which references are those:
# iptables-save
# Generated by iptables-save v1.8.4 on Wed Jul  8 22:11:17 2020
*filter
:INPUT ACCEPT [3859:241253]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [830:110277]
:TEST - [0:0]
-A TEST -j ACCEPT
-A TEST -j ACCEPT
-A TEST -j ACCEPT
-A TEST -j ACCEPT
COMMIT
# Completed on Wed Jul  8 22:11:17 2020
# Generated by iptables-save v1.8.4 on Wed Jul  8 22:11:17 2020
*raw
:PREROUTING ACCEPT [117105:12625485]
:OUTPUT ACCEPT [120335:94805945]
-A TEST -j ACCEPT
-A TEST -j ACCEPT
COMMIT
# Completed on Wed Jul  8 22:11:17 2020
# Generated by iptables-save v1.8.4 on Wed Jul  8 22:11:17 2020
*mangle
:PREROUTING ACCEPT [117100:12624568]
:INPUT ACCEPT [117100:12624568]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [120331:94804518]
:POSTROUTING ACCEPT [120331:94804518]
-A TEST -j ACCEPT
-A TEST -j ACCEPT
-A TEST -j ACCEPT
-A TEST -j ACCEPT
-A TEST -j ACCEPT
COMMIT
# Completed on Wed Jul  8 22:11:17 2020
# Generated by iptables-save v1.8.4 on Wed Jul  8 22:11:17 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A TEST -j ACCEPT
-A TEST -j ACCEPT
-A TEST -j ACCEPT
-A TEST -j ACCEPT
COMMIT
# Completed on Wed Jul  8 22:11:17 2020
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them



Report message to a moderator

Re: BUG? OVZ 7 + CentOS 8 + iptables v1.8.4 (nf_tables) [message #53660 is a reply to message #53659] Thu, 09 July 2020 14:13 Go to previous messageGo to next message
vaverin is currently offline  vaverin
Messages: 698
Registered: September 2005
Senior Member
 From: *virtuozzo.com
Could you please specify kernel version is used on your node?
Also it's interesting how did you created Centos 8 container.
We saw some similar issue on old kernels,
it was fixed both in kernel and in centos 8 template settings (IIRC we have modified some config defaults).

thank you,
Vasily Averin

Report message to a moderator

Re: BUG? OVZ 7 + CentOS 8 + iptables v1.8.4 (nf_tables) [message #53662 is a reply to message #53659] Thu, 16 July 2020 20:07 Go to previous messageGo to next message
andre is currently offline  andre
Messages: 34
Registered: January 2008
Member
 From: *virtua.com.br
Sorry for the delay, we redid all the steps with the lastest versions:
Kernel 3.10.0-1127.8.2.vz7.151.14
Virtuozzo Linux release 7.8.0 (627)

- created new template: yum install centos-8-x86_64-ez ; vzpkg create cache centos-8-x86_64
- created VE, started ve
- once inside VE: 

systemctl disable firewalld ; systemctl stop firewalld
iptables-save | grep -c TEST
iptables -N TEST ; iptables -A TEST -j ACCEPT ; iptables-save | grep -c TEST


Result:
CT-105 /# iptables-save | grep -c TEST
1
CT-105 /# iptables -N TEST ; iptables -A TEST -j ACCEPT ; iptables-save | grep -c TEST
iptables: Chain already exists.
19
CT-105 /#




It looks like that the issue persists with the most recent version

Report message to a moderator

Re: BUG? OVZ 7 + CentOS 8 + iptables v1.8.4 (nf_tables) [message #53663 is a reply to message #53662] Fri, 17 July 2020 05:50 Go to previous messageGo to next message
vaverin is currently offline  vaverin
Messages: 698
Registered: September 2005
Senior Member
 From: *virtuozzo.com
I've submitted
https://bugs.openvz.org/browse/OVZ-7223

Report message to a moderator

Re: BUG? OVZ 7 + CentOS 8 + iptables v1.8.4 (nf_tables) [message #53712 is a reply to message #53659] Wed, 02 December 2020 13:14 Go to previous messageGo to next message
HHawk is currently offline  HHawk
Messages: 22
Registered: September 2017
Location: Europe
Junior Member
 From: *cable.dynamic.v4.ziggo.nl
I am experiencing the same issue when setting up a new CT with CentOS 8.x along with DirectAdmin (CSF/LFD).
Exactly the same issues as mentioned by the topic starter.

Since this is already some time ago, I would assume it was fixed already, but apparently not?

When is this being fixed or even looked at?
...or is there a workaround?

Report message to a moderator

Re: BUG? OVZ 7 + CentOS 8 + iptables v1.8.4 (nf_tables) [message #53718 is a reply to message #53659] Thu, 03 December 2020 19:16 Go to previous messageGo to next message
wsap is currently offline  wsap
Messages: 43
Registered: March 2018
Location: Halifax, NS
Member
 From: *dhcp-dynamic.fibreop.ns.bellaliant.net
Yep definitely seeing this issue here too. Had to convert a bunch of stuff to ipset to help lighten the overhead that this issue inevitably creates. Someone had commented in the official bug report that they didn't think this would be fixed until OpenVZ 8, but that seems pretty unlikely to me given that iptables management is handled by the OpenVZ kernel (ie: they have full access to deal with that) and even if the changes need to occur within the CentOS 8 container, that could be adjusted via the ez template.

Then again, devs have indeed taken their time with this...

Report message to a moderator

icon4.gif  Re: BUG? OVZ 7 + CentOS 8 + iptables v1.8.4 (nf_tables) [message #53719 is a reply to message #53659] Thu, 03 December 2020 20:07 Go to previous messageGo to next message
HHawk is currently offline  HHawk
Messages: 22
Registered: September 2017
Location: Europe
Junior Member
 From: *dynamic.caiway.nl
Yeah, exactly. I also emailed OpenVZ and Virtuozzo. And Virtuozzo responded quite quickly and logged in etc on the server I freshly created for their testing...
They appeared to be doing / testing stuff, but then they said I needed a Virtuozzo license. So I guess they don't really care even though OpenVZ 7 shares Virtuozzo 7 stuff.

Oh well. Maybe they will fix it. Hopefully sooner than later.



//edit

@Khorenko: maybe you can investigate this issue?

[Updated on: Thu, 03 December 2020 20:18]

Report message to a moderator

Re: BUG? OVZ 7 + CentOS 8 + iptables v1.8.4 (nf_tables) [message #53720 is a reply to message #53659] Wed, 09 December 2020 12:10 Go to previous message
HHawk is currently offline  HHawk
Messages: 22
Registered: September 2017
Location: Europe
Junior Member
 From: *cable.dynamic.v4.ziggo.nl
Good news, after sending Virtuozzo (and OpenVZ) another email, I got a confirmation this issue and a fix will be applied in a future release.
I will quote their reply in here for everyone interested:

The case has been analyzed further, and submitted to the Development Team as internal issue with id #PSBM-105903; the issue will be investigated further on their side and the fix, once found, will considered to be included in one of the next product updates.

I am setting the status of this support ticket to "resolved" in recognition of the fact that Support Engineers have completed our portion of the work on this case.
Thank you for reporting an issue in our software.

So let's hope for a fix soon that we can use iptables without issues on e.g. CentOS 8.x + DirectAdmin.

Report message to a moderator

Previous Topic: Minor issue with CentOS 8 and SSH connection delays
Next Topic: CentOS 8 Stream and Virtuozzo
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ] [ PDF ]

Current Time: Wed Jan 27 10:54:58 GMT 2021
Powered by FUDforum Powered by Virtuozzo Containers