OpenVZ Forum


Home » General » Support » xt_NFQUEUE and netfilter_queue inside container not supported?
xt_NFQUEUE and netfilter_queue inside container not supported? [message #40886] Wed, 20 October 2010 17:52 Go to next message
Lorddusty is currently offline  Lorddusty
Messages: 6
Registered: January 2008
Location: Cologne, Germany
Junior Member
From: *opteamax.de
Hi,

for a filtering-applications I need xt_NFQUEUE available inside a container. The modules are properly loaded on hostnode and added to IPTABLES-Variable for this container.

But on starting the container I get

Unknown iptables-module xt_NFQUEUE: skipped
Unknown iptables-module netfilter_queue: skipped

This causes the application not to run as it can't connect to netfilter.

Does anyone have an idea how to solve this problem?

I'm running 2.6.27-openvz-levitan.1 on a gentoo-hostnode.

BR
Jens
Re: xt_NFQUEUE and netfilter_queue inside container not supported? [message #40980 is a reply to message #40886] Sat, 30 October 2010 16:50 Go to previous messageGo to next message
curx
Messages: 739
Registered: February 2006
Location: Nürnberg, Germany
Senior Member

From: *sys3.org
Hi,

after loading NFQUEUE is listed in: /proc/net/ip_tables_target

(ct0)-% vzctl exec <CTID> cat /proc/net/ip_tables_target

Bye,
Thorsten

Re: xt_NFQUEUE and netfilter_queue inside container not supported? [message #40981 is a reply to message #40980] Sat, 30 October 2010 21:04 Go to previous messageGo to next message
Lorddusty is currently offline  Lorddusty
Messages: 6
Registered: January 2008
Location: Cologne, Germany
Junior Member
From: *opteamax.de
Hi,

well, I found out, that the target is available, but it is not possible to connect to nfqueue using libnetfilter inside the container for processing those queued packets with userspace-application.

But the host-system is able to read and process containers queue. For now I set up a workaround running the application which decides how to handle a packet on the host-system. But for sure, this is only a dirty workaround.

As it works fine in 2.6.18-RHEL-Based kernel, this libnetfilter-connection hopefully will become available in 2.6.27/.32 or later somewhen soon.

BR
Jens
Re: xt_NFQUEUE and netfilter_queue inside container not supported? [message #40982 is a reply to message #40981] Sun, 31 October 2010 09:20 Go to previous messageGo to next message
curx
Messages: 739
Registered: February 2006
Location: Nürnberg, Germany
Senior Member

From: *sys3.org
Hi Jens,

please open a bug report to enable this feature in the development kernels at http://bugzilla.openvz.org/

Bye,
Thorsten
Re: xt_NFQUEUE and netfilter_queue inside container not supported? [message #40984 is a reply to message #40982] Sun, 31 October 2010 10:38 Go to previous messageGo to next message
Lorddusty is currently offline  Lorddusty
Messages: 6
Registered: January 2008
Location: Cologne, Germany
Junior Member
From: *opteamax.de
Hi Thorsten,

this bug is already filed some days ago Wink See Bug-ID 1677 (unfortunately I'm not allowed to post links yet Wink

BR
Jens
Re: xt_NFQUEUE and netfilter_queue inside container not supported? [message #44169 is a reply to message #40984] Tue, 22 November 2011 21:25 Go to previous messageGo to next message
derbot is currently offline  derbot
Messages: 1
Registered: November 2011
Junior Member
From: *distinctgroup.net
hi,
has anyone succeded to use iptables NFQUEUE target inside VE ?
Bug-ID 1677 seems stalled.

Using:

2.6.26-2-openvz-686 (debian)

running the user-space program inside VE I'm getting:

strace:

bind(3, {sa_family=AF_NETLINK, pid=476, groups=00000000}, 12) = 0
write(1, "bind\n"..., 5bind
) = 5
sendto(3, "\34\0\0\0\2\3\5\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\3\0\0\2"..., 28, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = -1 ECONNREFUSED (Connection refused)
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

running it in HN works as expected:

bind(3, {sa_family=AF_NETLINK, pid=16928, groups=00000000}, 12) = 0
write(1, "bind\n", 5bind
) = 5
sendto(3, " \34\0\0\0\2\3\5\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\3\204\0\2 ", 28, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 28
recvfrom(3, "$\0\0\0\2\0\0\0\0\0\0\0 B\0\0\0\0\0\0\34\0\0\0\2\3\5\0\0\0\0\0\0\0\0\0", 8192, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36


Thanks,
Bogdan.
Re: xt_NFQUEUE and netfilter_queue inside container not supported? [message #51855 is a reply to message #44169] Mon, 26 January 2015 03:04 Go to previous message
spoke2u
Messages: 12
Registered: September 2013
Junior Member
From: *cpe.pppoe.ca
I recently been looking at this issue and I upgraded to latest kernel

uname -r
2.6.32-openvz-042stab102.9-amd64

vzctl --version
vzctl version 4.5.1

modprobe xt_mark
modprobe xt_conntrack
modprobe xt_NFQUEUE
modprobe xt_iprange

lsmod|grep -E "^x|^nf|^ip"|grep -Ev "^ip6|^ipv6|^nfs|^xhci"|sed "s| .*||"|sortiptable_filter
iptable_mangle
iptable_nat
ip_tables
ipt_LOG
ipt_REDIRECT
ipt_REJECT
nf_conntrack
nf_conntrack_ftp
nf_conntrack_ipv4
nf_defrag_ipv4
nf_nat
nf_nat_ftp
xt_dscp
xt_hl
xt_length
xt_limit
xt_multiport
xt_NFQUEUE
xt_state
xt_string
xt_TCPMSS
xt_tcpmss

I was able to run peerguardian then realized thats not what I really needed.

pglcmd start
[....] Starting PeerGuardian Linux: pgld.

hope this helps


--
I am unable to see
Previous Topic: Failed to get D-Bus connection Centos7
Next Topic: sshfs files disapearing
Goto Forum:
  


Current Time: Wed Aug 21 07:18:10 GMT 2019