Enabling XT_string module on OpenVZ Containers

imperio Member
edited May 2013 in Help

Hello,

Is it possible to enable the xt_string module to filter some strings via iptables on OpenVZ containers? Some of the providers claimed it is not possible.

"We're sorry but it seems that currently there is no way to use this module inside openvz container."
"I will confirm with my senior admin regarding this issue and get back to you with an update."
"I loaded the module via modprobe on the main server but unfortunately openvz is rejecting the iptables set --iptables command for xt_string."

Comments

  • 24khost Member

    It can be loaded. That is a fact.

  • Most providers don't go crazy with OpenVZ kernel modules as upgrading to Xen/KVM will solve most OpenVZ issues

  • Damian Member

    Try having them modprobe ip_string or ipt_string instead.

    *_string has been included as a module with OVZ kernels since 2.6.24-16.30, a 2008 kernel.

    Otherwise, you may want to move to a different host.

  • jarjar Patron Provider, Top Host, Veteran

    @Damian beat me to it. Pretty sure ipt_string is what they need to enable on the container.

  • 24khost Member

    @Damian @jarland
    can confirm that is what they need to enable.

  • imperio Member

    Thanks. Let's see what will happen this time with the ipt_string module.

  • jarjar Patron Provider, Top Host, Veteran

    To be fair, I don't blame him and he did say that he had an admin he was going to double check with. Took me a couple hours to enable all of the modules to make CSF happy the other day because the whole xt/ipt thing just disappeared from my brain. Reinforced the importance of me making little bash scripts to enable things like that on the host node.

  • imperio Member

    Actually, I have pasted replies from 3 different OpenVZ providers. One other provider has also escalated the issue and has not commented yet. I have suggested the ipt_string solution to all and am waiting for resolution.

  • Damian Member

    Our standard /etc/sysconfig/modules/something.modules:

    modprobe tun
    modprobe fuse
    modprobe xt_state
    modprobe xt_tcpudp
    modprobe ip_conntrack
    modprobe ppp_async
    modprobe ppp_deflate
    modprobe ipt_mark
    modprobe ppp_mppe
    modprobe ipt_MARK
    modprobe ipt_state
    modprobe ipt_MASQUERADE
    modprobe ipt_REDIRECT
    modprobe iptable_nat
    modprobe nf_nat
    modprobe nf_conntrack_ipv4
    modprobe iptable_mangle
    modprobe iptable_filter
    modprobe ipt_LOG
    modprobe ipt_REJECT
    modprobe ip_tables
    modprobe nf_conntrack
    modprobe nat_ftp
    modprobe xt_state
    modprobe xt_owner
    modprobe xt_length
    modprobe ipt_string
    modprobe xt_hl
    modprobe xt_hl
    modprobe xt_TCPMSS
    modprobe xt_tcpmss
    modprobe xt_multiport
    modprobe xt_limit
    modprobe xt_state
    modprobe xt_MARK
    modprobe xt_mark
    modprobe nf_conntrack_ftp
    modprobe iptable_nat
    modprobe ipip
    modprobe ip_gre
    

    Haven't had anyone need anything further.

  • imperio Member

    One provider replied "Unfortunately module ipt_string loads actually loads xt_string. So it still can't be passed to container."

    Should I give up on this provider?

  • 24khost Member

    What are you trying to load?

  • imperio Member
    edited May 2013

    iptables -A FORWARD -m string --to 100 --algo bm --string "string" -j DROP

  • 24khost Member

    What is the error readout?

  • Damian Member

    @imperio said: One provider replied "Unfortunately module ipt_string loads actually loads xt_string. So it still can't be passed to container."

    That's the point... "xt" means "works for both ipv4 and ipv6". You still need to modprobe via "ipt_" because modprobing xt_string will load only the module, while ipt_string will load all modules needed for proper operation.

    Should I give up on this provider?

    Might be wise...

  • imperio Member

    At first "iptables: No chain/target/match by that name."
    After they changed something it became "iptables: Invalid argument. Run `dmesg' for more information."
    As usual there is no dmesg.

  • Damian Member

    Ask them for the output of lsmod.

  • imperio Member

    Trying... But I am afraid this will end up with "if you need custom modules purchase our XEN package.."

  • Damian Member

    @imperio said: But I am afraid this will end up with "if you need custom modules purchase our XEN package.."

    Would be the response of a host that does not care about its customers. Seriously, enabling modules for OpenVZ is easy and painless.

  • rds100 Member
    edited May 2013

    @Damian said: enabling modules for OpenVZ is easy and painless.

    Until you enable that one module that makes your server crash :)
    Loading kernel code which you haven't stress tested before on a production machine is always a little risky.

  • imperio Member

    One provider replied "I have tried ipt_string in your individual VM config file. I will try adding it to vz.conf (server-wide)." and "You can try now."

    After reboot, however, nothing changed; same error message.
    "iptables: Invalid argument. Run `dmesg' for more information."

    I think there are still missing modules, and I do not want to troubleshoot their systems by adding modules one by one. I guess my VPS can live without L7 filtering, or I can upgrade to XEN/KVM for that feature. BTW, those VPS are hosted in some hard-to-find locations like Toronto, Ukraine, Panama..

  • @imperio said: hard to find locations like toronto

    Those damn reclusive Canadians

  • Damian Member

    Hmm... what's the output of uname -a?

  • imperio Member

    @Damian thanks for troubleshooting..

    1) [root@ ~]# uname -a
    Linux 2.6.32-042stab075.2 #1 SMP Tue Mar 5 15:21:53 MSK 2013 x86_64 x86_64 x86_64 GNU/Linux
    [root@tvwatch ~]# cat /etc/redhat-release
    CentOS release 6.4 (Final)

    2) [root@ua0001081 ~]# uname -a
    Linux ua0001081.clientvm 2.6.32-042stab068.8 #1 SMP Fri Dec 7 17:06:14 MSK 2012 x86_64 x86_64 x86_64 GNU/Linux
    [root@ua0001081 ~]# cat /etc/redhat-release
    CentOS release 6.3 (Final)

    3) [root@ ~]# uname -a
    Linux 2.6.32-042stab074.10 #1 SMP Fri Mar 1 09:18:44 MSK 2013 x86_64 x86_64 x86_64 GNU/Linux
    [root@ ~]# cat /etc/redhat-release
    CentOS release 6.2 (Final)

    4) [root@vps ~]# uname -a
    Linux vps.server.com 2.6.18-308.8.2.el5.028stab101.1 #1 SMP Sun Jun 24 20:25:35 MSD 2012 x86_64 x86_64 x86_64 GNU/Linux
    [root@vps ~]# cat /etc/redhat-release
    CentOS release 6.3 (Final)

  • Damian Member

    Some of those are old... but new enough that they should have xt_string...

  • imperio Member
    edited May 2013

    The interesting part is that none of the four OpenVZ providers was able to enable that module..

    "Module ipt_string was loaded on hardware node, other mentioned modules are also loaded, but as we can see it didn't help to solve problem because openvz doesn't have a possibility to pass this module to container."

  • Damian Member

    How about the output of:

    cat /proc/net/ip_tables_matches

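An added check, not code from this thread or from any of its posters, that reads the /proc/net/ip_tables_matches list Damian asks for and reports whether the "string" match has been exported to the container before a `-m string` rule is attempted. The sample lists are constructed copies of match lists posted in this thread; `match_available`, `list_matches` and `check_string_rule` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): inside an OpenVZ container,
# /proc/net/ip_tables_matches lists only the match extensions the hardware
# node has made available, so it is the quickest way to tell whether
# "iptables: No chain/target/match by that name" is a missing-module problem.

# Return 0 if match $1 occurs in the match list $2 (one name per line),
# 1 otherwise. Exact line match, so "tcp" does not satisfy "tcpmss".
match_available() {
    printf '%s\n' "$2" | grep -qx "$1"
}

# Deduplicated, space-separated match names. The kernel prints a name once
# per address family, which is why "string" shows up twice on some nodes.
list_matches() {
    printf '%s\n' "$1" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Report whether the FORWARD rule from the thread can load here.
# Prints a diagnosis and returns 0 (usable) or 1 (match missing).
check_string_rule() {
    matches="$1"
    if match_available string "$matches"; then
        echo "string match present: -m string --algo bm --to 100 ... -j DROP should load"
        return 0
    fi
    echo "string match not exported to this container; have: $(list_matches "$matches")"
    echo "ask the host node to modprobe ipt_string (which pulls in xt_string) and re-check"
    return 1
}

# Constructed samples: one node without the string match, one with it,
# copied from outputs posted in this thread.
SAMPLE_NO_STRING=$(printf '%s\n' mark mark owner limit recent state length ttl tcpmss multiport tos icmp udp tcp)
SAMPLE_STRING=$(printf '%s\n' string udp tcp owner state length ttl tcpmss multiport limit tos icmp)

# Live use: check_string_rule "$(cat /proc/net/ip_tables_matches)"
check_string_rule "$SAMPLE_NO_STRING" || true   # exit status 1 is the expected diagnosis here
check_string_rule "$SAMPLE_STRING"
```
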
  • imperio Member
    edited May 2013

    1)"Module ipt_string was loaded on hardware node, other mentioned modules are also loaded, but as we can see it didn't help to solve problem because openvz doesn't have a possibility to pass this module to container."
    mark
    mark
    string
    string
    owner
    limit
    owner
    length
    ttl
    tcpmss
    multiport
    multiport
    tos
    tos
    dscp
    icmp
    state
    udplite
    udp
    tcp

    2) string
    udp
    tcp
    owner
    state
    length
    ttl
    tcpmss
    multiport
    multiport
    limit
    tos
    icmp

    3) mark
    mark
    owner
    limit
    recent
    owner
    state
    length
    ttl
    tcpmss
    multiport
    multiport
    tos
    tos
    dscp
    icmp
    udplite
    udp
    tcp

    4) "I have tried ipt_string in your individual VM config file. I will try adding it to vz.conf (server-wide)." and "You can try now."
    string
    string
    connlimit
    owner
    helper
    conntrack
    conntrack
    conntrack
    limit
    owner
    recent
    length
    ttl
    tcpmss
    multiport
    multiport
    tos
    tos
    dscp
    icmp
    state
    udplite
    udp
    tcp

  • imperio Member

    That makes sense, thanks Damian.
