OpenVZ Forum


BUG? OVZ 7 + CentOS 8 + iptables v1.8.4 (nf_tables) [message #53659] Thu, 09 July 2020 01:19
andre
It looks like iptables is multiplying its rules on OVZ7+CentOS8.

Steps below:

First, we confirm that there are no references to chain TEST
# iptables-save | grep -c TEST
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
0



Next, we create a chain TEST, a basic rule and at the end we count the number of references to it
# iptables -N TEST ; iptables -A TEST -j ACCEPT ; iptables-save | grep -c TEST
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
31


31 references. Shouldn't there be just 2 (chain creation + rule)?

Let's check which references those are:
# iptables-save
# Generated by iptables-save v1.8.4 on Wed Jul  8 22:11:17 2020
*filter
:INPUT ACCEPT [3859:241253]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [830:110277]
:TEST - [0:0]
-A TEST -j ACCEPT
-A TEST -j ACCEPT
-A TEST -j ACCEPT
-A TEST -j ACCEPT
COMMIT
# Completed on Wed Jul  8 22:11:17 2020
# Generated by iptables-save v1.8.4 on Wed Jul  8 22:11:17 2020
*raw
:PREROUTING ACCEPT [117105:12625485]
:OUTPUT ACCEPT [120335:94805945]
-A TEST -j ACCEPT
-A TEST -j ACCEPT
COMMIT
# Completed on Wed Jul  8 22:11:17 2020
# Generated by iptables-save v1.8.4 on Wed Jul  8 22:11:17 2020
*mangle
:PREROUTING ACCEPT [117100:12624568]
:INPUT ACCEPT [117100:12624568]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [120331:94804518]
:POSTROUTING ACCEPT [120331:94804518]
-A TEST -j ACCEPT
-A TEST -j ACCEPT
-A TEST -j ACCEPT
-A TEST -j ACCEPT
-A TEST -j ACCEPT
COMMIT
# Completed on Wed Jul  8 22:11:17 2020
# Generated by iptables-save v1.8.4 on Wed Jul  8 22:11:17 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A TEST -j ACCEPT
-A TEST -j ACCEPT
-A TEST -j ACCEPT
-A TEST -j ACCEPT
COMMIT
# Completed on Wed Jul  8 22:11:17 2020
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them




Re: BUG? OVZ 7 + CentOS 8 + iptables v1.8.4 (nf_tables) [message #53660 is a reply to message #53659] Thu, 09 July 2020 14:13
vaverin
Could you please specify which kernel version is used on your node?
Also, it's interesting how you created the CentOS 8 container.
We saw a similar issue on old kernels;
it was fixed both in the kernel and in the CentOS 8 template settings (IIRC we modified some config defaults).

thank you,
Vasily Averin
Re: BUG? OVZ 7 + CentOS 8 + iptables v1.8.4 (nf_tables) [message #53662 is a reply to message #53659] Thu, 16 July 2020 20:07
andre
Sorry for the delay, we redid all the steps with the latest versions:
Kernel 3.10.0-1127.8.2.vz7.151.14
Virtuozzo Linux release 7.8.0 (627)

- created new template: yum install centos-8-x86_64-ez ; vzpkg create cache centos-8-x86_64
- created VE, started VE
- once inside the VE:

systemctl disable firewalld ; systemctl stop firewalld
iptables-save | grep -c TEST
iptables -N TEST ; iptables -A TEST -j ACCEPT ; iptables-save | grep -c TEST


Result:
CT-105 /# iptables-save | grep -c TEST
1
CT-105 /# iptables -N TEST ; iptables -A TEST -j ACCEPT ; iptables-save | grep -c TEST
iptables: Chain already exists.
19
CT-105 /# 




It looks like the issue persists with the most recent version.
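The two reproduction runs above (the first post's per-table dump and the container run in this post) both rely on `iptables-save | grep -c TEST`, which counts the chain declaration together with rule lines across all tables and so cannot tell which table the extra lines landed in. The script below is an added example, not code from the thread or from OpenVZ/Virtuozzo: it reads an iptables-save dump and reports, per table, how many rules were appended to a chain, how many tables carry rules for a chain that was never declared there, and how many rule lines are exact repeats of an earlier line in the same table. The embedded dump is a constructed, shortened copy of the first post's output with counters zeroed; the `live_check` function assumes an `iptables-save` binary on PATH (iptables v1.8.x as in the post) and is not run by default.

```shell
#!/bin/sh
# Added example (not from the original thread): offline checks over an iptables-save dump
# for the symptom discussed above. SAMPLE_DUMP is constructed from the post's own output.

SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:TEST - [0:0]
-A TEST -j ACCEPT
-A TEST -j ACCEPT
-A TEST -j ACCEPT
-A TEST -j ACCEPT
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A TEST -j ACCEPT
-A TEST -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A TEST -j ACCEPT
-A TEST -j ACCEPT
-A TEST -j ACCEPT
-A TEST -j ACCEPT
-A TEST -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A TEST -j ACCEPT
-A TEST -j ACCEPT
-A TEST -j ACCEPT
-A TEST -j ACCEPT
COMMIT'

# Number of "-A <chain>" rules per table, printed as "table count" lines sorted by table.
# A chain created once with "iptables -N" should appear in exactly one table.
rules_per_table() {
    awk -v chain="$1" '
        /^\*/                     { table = substr($0, 2); next }
        $1 == "-A" && $2 == chain { n[table]++ }
        END                       { for (t in n) printf "%s %d\n", t, n[t] }
    ' | sort
}

# Number of tables where the chain receives rules but was never declared as ":<chain>".
# iptables-save always writes the declaration before the rules, so a non-zero result
# means the dump, and therefore the ruleset it was read from, is inconsistent.
undeclared_chain_tables() {
    awk -v chain="$1" '
        /^\*/                     { table = substr($0, 2); next }
        $1 == (":" chain)         { declared[table] = 1 }
        $1 == "-A" && $2 == chain { used[table] = 1 }
        END { bad = 0; for (t in used) if (!(t in declared)) bad++; print bad }
    '
}

# Number of rule lines that exactly repeat an earlier rule line in the same table.
duplicate_rule_lines() {
    awk '
        /^\*/  { table = substr($0, 2); next }
        /^-A / { if ((table, $0) in seen) dup++; seen[table, $0] = 1 }
        END    { print dup + 0 }
    '
}

# The same checks against the running host (assumption: iptables-save on PATH).
# The "iptables-legacy tables present" warning goes to stderr and is dropped here.
live_check() {
    dump=$(iptables-save 2>/dev/null) || return 1
    printf '%s\n' "$dump" | rules_per_table "$1"
    echo "tables with undeclared $1: $(printf '%s\n' "$dump" | undeclared_chain_tables "$1")"
    echo "duplicate rule lines: $(printf '%s\n' "$dump" | duplicate_rule_lines)"
}

# Demonstration on the constructed dump.
printf '%s\n' "$SAMPLE_DUMP" | rules_per_table TEST
echo "tables with undeclared TEST: $(printf '%s\n' "$SAMPLE_DUMP" | undeclared_chain_tables TEST)"
echo "duplicate rule lines: $(printf '%s\n' "$SAMPLE_DUMP" | duplicate_rule_lines)"
```

On a healthy host, `rules_per_table TEST` prints a single `filter 1` line and the other two counts are 0; on the node described in the thread the chain shows up in raw, mangle and nat without a declaration, which is the quickest way to distinguish "rules multiplied" from a chain that simply existed already (the `Chain already exists.` case in this post). Run `live_check TEST` as root to apply it to the container.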







Re: BUG? OVZ 7 + CentOS 8 + iptables v1.8.4 (nf_tables) [message #53663 is a reply to message #53662] Fri, 17 July 2020 05:50
vaverin
I've submitted
https://bugs.openvz.org/browse/OVZ-7223