Enabling XT_string module on OpenVZ Containers
Hello,
Is it possible to enable the xt_string module to filter some strings via iptables on OpenVZ containers? Some of the providers claimed it is not possible.
"We're sorry but it seems that currently there is no way to use this module inside openvz container."
"I will confirm with my senior admin regarding this issue and get back to you with an update."
"I loaded the module via modprobe on the main server but unfortunately openvz is rejecting the iptables set --iptables command for xt_string."
Comments
It can be loaded. That is a fact.
Most providers don't go crazy with OpenVZ kernel modules, as upgrading to Xen/KVM will solve most OpenVZ issues.
Try having them modprobe ip_string or ipt_string instead.
*_string has been included as a module with OVZ kernels since 2.6.24-16.30, a 2008 kernel.
Otherwise, you may want to move to a different host.
@Damian beat me to it. Pretty sure ipt_string is what they need to enable on the container.
@Damian @jarland
Can confirm that is what they need to enable.
Thanks. Let's see what will happen this time with the ipt_string module.
To be fair, I don't blame him and he did say that he had an admin he was going to double check with. Took me a couple hours to enable all of the modules to make CSF happy the other day because the whole xt/ipt thing just disappeared from my brain. Reinforced the importance of me making little bash scripts to enable things like that on the host node.
Actually I have pasted replies from 3 different OpenVZ providers. One other provider has also escalated the issue and has not commented yet. I have suggested the ipt_string solution to all and am waiting for resolution.
Our standard /etc/sysconfig/modules/something.modules:
Haven't had anyone need anything further.
One provider replied "Unfortunately module ipt_string actually loads xt_string. So it still can't be passed to container."
Should I give up on this provider?
What are you trying to load?
iptables -A FORWARD -m string --to 100 --algo bm --string "string" -j DROP
What is the error read out?
That's the point... "xt" means "works for both ipv4 and ipv6". You still need to modprobe via "ipt_" because modprobing xt_string will load only the module, while ipt_string will load all modules needed for proper operation.
Might be wise...
At first "iptables: No chain/target/match by that name."
After they have changed smth it becomes "iptables: Invalid argument. Run `dmesg' for more information."
As usual there is no dmesg.
Ask them for the output of lsmod.
Trying... But I am afraid this will end up with "if you need custom modules purchase our XEN package.."
Would be the response of a host that does not care about its customers. Seriously, enabling modules for OpenVZ is easy and painless.
Until you enable that one module that makes your server crash
Loading kernel code which you haven't stress tested before on a production machine is always a little risky.
One provider replied "I have tried ipt_string in your individual VM config file. I will try adding it to vz.conf (server-wide)." and "You can try now."
After reboot however nothing changed same error message.
"iptables: Invalid argument. Run `dmesg' for more information."
I think there are still missing modules and I do not want to troubleshoot their own systems adding modules one by one. I guess my VPS can live without L7 filtering, or upgrade to XEN/KVM for that feature. BTW those VPS are hosted in some hard to find locations like Toronto, Ukraine, Panama...
Those damn reclusive Canadians
Hmm... what's the output of uname -a
@Damian thanks for troubleshooting..
1) [root@ ~]# uname -a
Linux 2.6.32-042stab075.2 #1 SMP Tue Mar 5 15:21:53 MSK 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@tvwatch ~]# cat /etc/redhat-release
CentOS release 6.4 (Final)
2) [root@ua0001081 ~]# uname -a
Linux ua0001081.clientvm 2.6.32-042stab068.8 #1 SMP Fri Dec 7 17:06:14 MSK 2012 x86_64 x86_64 x86_64 GNU/Linux
[root@ua0001081 ~]# cat /etc/redhat-release
CentOS release 6.3 (Final)
3) [root@ ~]# uname -a
Linux 2.6.32-042stab074.10 #1 SMP Fri Mar 1 09:18:44 MSK 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@ ~]# cat /etc/redhat-release
CentOS release 6.2 (Final)
4) [root@vps ~]# uname -a
Linux vps.server.com 2.6.18-308.8.2.el5.028stab101.1 #1 SMP Sun Jun 24 20:25:35 MSD 2012 x86_64 x86_64 x86_64 GNU/Linux
[root@vps ~]# cat /etc/redhat-release
CentOS release 6.3 (Final)
Some of those are old... but new enough that they should have xt_strings...
The interesting part is that none of the four OpenVZ providers were able to enable that module..
"Module ipt_string was loaded on hardware node, other mentioned modules are also loaded, but as we can see it didn't help to solve problem because openvz doesn't have a possibility to pass this module to container."
How about the output of:
cat /proc/net/ip_tables_matches
1) "Module ipt_string was loaded on hardware node, other mentioned modules are also loaded, but as we can see it didn't help to solve problem because openvz doesn't have a possibility to pass this module to container."
mark
mark
string
string
owner
limit
owner
length
ttl
tcpmss
multiport
multiport
tos
tos
dscp
icmp
state
udplite
udp
tcp
2) string
udp
tcp
owner
state
length
ttl
tcpmss
multiport
multiport
limit
tos
icmp
3) mark
mark
owner
limit
recent
owner
state
length
ttl
tcpmss
multiport
multiport
tos
tos
dscp
icmp
udplite
udp
tcp
4) "I have tried ipt_string in your individual VM config file. I will try adding it to vz.conf (server-wide)." and "You can try now."
string
string
connlimit
owner
helper
conntrack
conntrack
conntrack
limit
owner
recent
length
ttl
tcpmss
multiport
multiport
tos
tos
dscp
icmp
state
udplite
udp
tcp
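An added diagnostic script, not from this thread or from OpenVZ, that wraps the two checks used above: whether "string" is listed in the container's /proc/net/ip_tables_matches, and which of the two iptables errors a test rule produces ("No chain/target/match by that name" versus "Invalid argument"). Function names and the scratch chain name are my own; it assumes POSIX sh inside the container and, for the live probe only, root.

```shell
#!/bin/sh
# Container-side diagnostic for the '-m string' match (added example, hypothetical helper names).

# string_match_listed FILE: succeed if a /proc/net/ip_tables_matches-style listing
# contains the 'string' match on a line of its own.
string_match_listed() {
    grep -qx 'string' "$1"
}

# classify_string_support [FILE]: one word describing what the container can see.
# FILE defaults to the real procfs entry; a constructed file is fine for testing.
classify_string_support() {
    f="${1:-/proc/net/ip_tables_matches}"
    if [ ! -r "$f" ]; then
        echo "no-iptables-procfs"     # netfilter matches not visible in this container at all
    elif string_match_listed "$f"; then
        echo "listed"                 # match registered here; the rule may still be rejected
    else
        echo "not-listed"             # nothing for iptables to use; host has to load ipt_string
    fi
}

# classify_iptables_error TEXT: map captured iptables stderr to the two cases in the thread.
classify_iptables_error() {
    case "$1" in
        ok) echo "rule-accepted" ;;
        *"No chain/target/match by that name"*) echo "match-not-registered" ;;
        *"Invalid argument"*) echo "match-listed-but-rejected" ;;
        *) echo "unknown" ;;
    esac
}

# probe_string_rule: add a harmless string-match rule to a scratch chain (needs root),
# print "ok" or the iptables error text, and always remove the scratch chain again.
probe_string_rule() {
    chain="strprobe$$"                # hypothetical throwaway chain name
    iptables -N "$chain" 2>/dev/null || { echo "cannot create scratch chain"; return 1; }
    out=$(iptables -A "$chain" -m string --to 100 --algo bm --string "string" -j RETURN 2>&1) \
        && out="ok"
    iptables -F "$chain" 2>/dev/null
    iptables -X "$chain" 2>/dev/null
    echo "$out"
}

# Usage: sh thisfile.sh --probe   (inside the container, as root)
if [ "${1:-}" = "--probe" ]; then
    echo "matches listing: $(classify_string_support)"
    echo "test rule:       $(classify_iptables_error "$(probe_string_rule)")"
fi
```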
This bug report from January hasn't been answered: https://bugzilla.openvz.org/show_bug.cgi?id=2481
There's a bunch of angry children here: http://grokbase.com/t/centos/centos/118yhd5tky/centos-vps-kernel-2-6-35-4-string-less-ip-tables
http://www.lowendtalk.com/discussion/7107/iptables-module-inside-openvz-container
That makes sense, thanks Damian.