Article ID: 113056, created on Dec 26, 2011, last review on Jun 17, 2016

  • Applies to:
  • Virtuozzo
  • Virtuozzo containers for Linux
  • Virtuozzo hypervisor

Information

This article describes the mechanism by which iptables modules are loaded in containers on a Parallels Virtuozzo Containers (PVC) for Linux or Parallels Server Bare Metal (PSBM) host.

Some iptables modules, like ipt_conntrack, may produce additional load on the host, which is why a provider may want to prevent particular modules from being loaded inside a container.

The Parallels Virtuozzo Containers for Linux and Parallels Server Bare Metal kernel provides a flexible way to manage iptables modules available on a host and inside a container, both globally and on a per-container basis.

First, all necessary modules must be loaded on the Hardware Node itself, as specified in /etc/sysconfig/iptables-config. If that file lists no modules in its IPTABLES_MODULES variable, then the modules listed in the global PVC configuration file, together with all their dependencies, are loaded when the vz service starts.

The Parallels kernel then allows only the modules listed in the global PVC configuration file /etc/vz/vz.conf to be loaded in containers. All other iptables modules are restricted.

Finally, a per-container mask is applied, which can only narrow that set further for the given container. If a container's configuration file lists modules that are prohibited (that is, not listed) in the global configuration file, those modules are not loaded in the container either.
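The following script is an added example, not part of the original article or of the Virtuozzo tools: it models the global-then-per-container masking described above by reading the IPTABLES="..." variable (the variable name used by vz.conf and per-container conf files is assumed) from two constructed sample files and computing which of the container's requested modules survive the global mask.

```shell
#!/bin/sh
# Added example: effective iptables module set for a container, given the
# global list in vz.conf and the container's own list. Files are passed in by
# the caller, so no real host configuration is read or modified.

# Print the value of the IPTABLES="..." variable from a vz-style config file.
# Prints nothing when the variable is absent (the last definition wins).
iptables_var() {
    sed -n 's/^IPTABLES="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Intersection of two whitespace-separated module lists, keeping the order of
# the second (the container's request). This is the per-container mask from
# the text: a module the container asks for that is not in the global list is
# silently dropped and never becomes loadable in that container.
effective_modules() {
    global="$1"; requested="$2"; out=""
    for m in $requested; do
        for g in $global; do
            if [ "$m" = "$g" ]; then
                out="${out:+$out }$m"
                break
            fi
        done
    done
    printf '%s\n' "$out"
}

# Convenience wrapper: global config file first, container config file second.
effective_modules_for_ct() {
    effective_modules "$(iptables_var "$1")" "$(iptables_var "$2")"
}

# Constructed sample files standing in for /etc/vz/vz.conf and for a
# per-container /etc/vz/conf/<CTID>.conf (CTID 101 is hypothetical).
# iptable_nat is requested by the container but absent from the global list.
demo() {
    tmp=$(mktemp -d)
    printf 'IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_state iptable_filter"\n' > "$tmp/vz.conf"
    printf 'IPTABLES="ipt_state iptable_nat iptable_filter ipt_REJECT"\n' > "$tmp/101.conf"
    effective_modules_for_ct "$tmp/vz.conf" "$tmp/101.conf"
    rm -rf "$tmp"
}
```

Running `demo` prints `ipt_state iptable_filter ipt_REJECT`; the requested iptable_nat does not appear because the global file does not permit it.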

The current version of the Parallels Virtuozzo Containers for Linux kernel effectively restricts the following modules for the sake of density and performance:

ip_tables
ip_filter
ip_mangle
ip_nat
ip6_tables
ip6_filter
ip6_mangle
ip_conntrack (nf_conntrack in RHEL 6.x-based kernels)

For more information about enabling and managing a firewall inside a container, refer to this article:
How do I enable a firewall in a container?

For more information about a stateful firewall on the Hardware Node itself, refer to these articles:
Issues with firewall on HW Node -- Impossible to use ip_nat and ipt_state modules (for PVCfL 4.6 and older)
Issues with firewall on HW Node -- Impossible to use ip_nat and ipt_state modules (for PVCfL 4.7, PSBM 5.0 and PCS 6.0)

Search Words

containers

iptables

container firewall

