Bug 1646 - ip6tables does not work in VE
ip6tables does not work in VE
Status: RESOLVED DUPLICATE of bug 1723
Product: OpenVZ
Classification: Unclassified
Component: vzctl
unspecified
x86_64 (AMD64) Debian
: P2 major
Assigned To: Kir Kolyshkin
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2010-09-11 15:49 EDT by Ola Lundqvist
Modified: 2011-01-15 11:18 EST (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ola Lundqvist 2010-09-11 15:49:55 EDT
For more information see http://bugs.debian.org/590321


Hi,

I've just discovered, that in a squeeze VE on a squeeze OpenVZ host, ip6tables does not work:

root@guest:~# ip6tables -nL
FATAL: Module ip6_tables not found.
ip6tables v1.4.8: can't initialize ip6tables table `filter': Permission denied (you must be root)
Perhaps ip6tables or your kernel needs to be upgraded.

vz.conf vars:
## IPv4 iptables kernel modules
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"

## Enable IPv6
IPV6="yes"

## IPv6 ip6tables kernel modules
IP6TABLES="ip6_tables ip6table_filter ip6table_mangle ip6t_REJECT"

root@guest:~# cat /proc/net/ip6_tables_names
mangle
filter


I'm unsure where to go debug next; filing against vzctl as I think this is probably a configuration problem.

Thanks,
Christian
Comment 1 Andres Martinson 2010-09-13 17:32:08 EDT
I have noticed that if you add net_admin capability VE can use ip6tables command afterward.

Imo, it affects both amd64 and i386.

versions used:
# vzctl --version
vzctl version 3.0.24
# apt-cache policy vzctl
vzctl:
  Installed: 3.0.24-3
Comment 2 Holger Wirtz 2010-11-08 05:46:59 EST
Hi,

after "vzctl set $VEID --capability net_admin:on --save" and starting $VEID I can call ip[6]tables but it has much problems with setting up a fwbuilder generated firewall inside VE, e.g.

...
/sbin/iptables -t filter -F INPUT
FATAL: Could not load /lib/modules/2.6.32.25-openvz-pae/modules.dep: No such file or directory
...
cannot create /proc/sys/net/ipv4/ip_dynaddr: Permission denied
...
/sbin/iptables -A INPUT -p udp -m udp -m multiport --dports 5060,4569 -m state --state NEW -j Cid12608X3530.0
FATAL: Could not load /lib/modules/2.6.32.25-openvz-pae/modules.dep: No such file or directory
FATAL: Could not load /lib/modules/2.6.32.25-openvz-pae/modules.dep: No such file or directory
...
+ /sbin/ip6tables -N Cid12608X3530.0
ip6tables: Memory allocation problem.

Host System:
"Ubuntu-Server-10.04.1" (self build kernel, see https://help.ubuntu.com/community/OpenVZ)

VE System:
"ubuntu-10.04-minimal_10.04_i386"

Any ideas?

Regards, Holger
Comment 3 Ola Lundqvist 2011-01-15 11:18:14 EST
I have got the information that this is actually the same bug as stated in 1723.

On Thu, Dec 23, 2010 at 07:32:55AM +0000, Steven Chamberlain wrote:
> Hi Christian,
>
> Your bug report is the same issue I've reported here -- actually a
> kernel bug:
>
> * http://bugs.debian.org/607041
> * http://bugzilla.openvz.org/show_bug.cgi?id=1723
>
> If you're able to patch and rebuild your Debian kernel you could try the
> patch available here:
>
> * http://bugzilla.openvz.org/attachment.cgi?id=1339
>
> Regards,
> --
> Steven Chamberlain
> steven@pyro.eu.org

*** This bug has been marked as a duplicate of bug 1723 ***