Article ID: 116973, created on Aug 28, 2013, last review on Nov 19, 2014

  • Applies to:
  • Virtuozzo containers for Linux 4.7


After an in-place upgrade of Parallels Virtuozzo Containers for Linux from version 4.0 or 4.6 to version 4.7, some IPtables rules can stop working properly.

In PVC 4.0/4.6, the file /etc/modprobe.conf had the option ip_conntrack_disable_ve0 set to 0 to allow connection tracking on the hardware node:

~# cat /etc/modprobe.conf
options ip_conntrack ip_conntrack_disable_ve0=0

After the upgrade, this option may be supplemented with, or replaced by, the following line:

~# cat /etc/modprobe.conf
options nf_conntrack ip_conntrack_disable_ve0=1

The firewall rules might look like the output below: incoming connections are rejected by default and allowed only by checking the connection state.

~# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s MN.IP.ADDR.ESS -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
... other permissive rules ...
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited


PVC 4.7 uses a newer kernel, 2.6.32. Some modules have different names and different options compared with the 2.6.18 kernel of PVC 4.0/4.6.

During the upgrade, the package vzctl checks the current configuration and writes the option that disables connection tracking into the configuration file. The following part of the postinstall script shows the logic:

not_found=0
for f in /etc/modprobe.conf /etc/modules.conf; do
    # Count missing files and skip them
    if [ ! -f $f ]; then not_found=$((not_found+1)); continue; fi
    # Add the option (connection tracking disabled on the node) unless it is already present
    if ! grep -qE "nf_conntrack ip_conntrack_disable_ve0" $f >/dev/null 2>&1; then
        echo 'options nf_conntrack ip_conntrack_disable_ve0=1' >> $f
    fi
done
# Neither file exists: create /etc/modprobe.d/vz-parallels.conf with the option instead
if [ $not_found -eq 2 -a -d /etc/modprobe.d -a ! -f /etc/modprobe.d/vz-parallels.conf ]; then
    echo 'options nf_conntrack ip_conntrack_disable_ve0=1' >> /etc/modprobe.d/vz-parallels.conf
fi


The stateful rules above (-m state) rely on connection tracking, so they stop matching once it is disabled on the node. To re-enable it, update the value in the configuration file /etc/modprobe.conf or /etc/modprobe.d/vz-parallels.conf (whichever exists on the server and contains the line with the option) so that it reads:

~# grep nf_conntrack /etc/modprobe.conf /etc/modprobe.d/vz-parallels.conf
options nf_conntrack ip_conntrack_disable_ve0=0

NOTE: To apply the change, the module needs to be reloaded on the hardware node. If containers are running, this module is locked and cannot be unloaded. To proceed, either:

  • Reboot the hardware node.
  • Stop Virtuozzo service, restart IPtables and start Virtuozzo service. ALL containers will be stopped!

    ~# service vz stop
    ~# service iptables stop
    ~# rmmod nf_conntrack
    ~# service iptables start
    ~# service vz start

    If rmmod complains that the module is in use, restart the hardware node without starting the IPtables and Virtuozzo services.
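The check and the fix described above, as an added example that is not part of this article or of the vzctl package: a small POSIX shell script that finds which modprobe configuration file carries the nf_conntrack option, reports whether connection tracking on the hardware node is enabled, and rewrites the value to 0. The sample configuration file it works on is constructed inline in a temporary directory; the sysfs path used to read the value of the loaded module is an assumption (the usual location for module parameters), and the script prints "unknown" when it is not present.

```shell
#!/bin/sh
# Added example, not part of the Virtuozzo KB article: locate the modprobe
# configuration line written by vzctl's postinstall script, report whether
# connection tracking on the hardware node (VE0) is enabled, and flip the
# value to 0 as the article instructs. File paths are arguments so the
# functions can be exercised on a constructed copy; on a real node pass
# /etc/modprobe.conf and /etc/modprobe.d/vz-parallels.conf.

# Match only the nf_conntrack line: on the 2.6.32 kernel of PVC 4.7 that is
# the module name that counts, and the article's own check greps for it.
CONNTRACK_LINE='^options[[:space:]]+nf_conntrack[[:space:]]'

# Print "enabled" (=0), "disabled" (=1) or "absent" for FILE.
# If the option appears more than once, the last occurrence is reported.
conntrack_ve0_status() {
    f="$1"
    if [ ! -f "$f" ]; then echo absent; return 0; fi
    val=$(sed -E -n "s/${CONNTRACK_LINE}.*ip_conntrack_disable_ve0=([01]).*/\\1/p" "$f" | tail -n 1)
    case "$val" in
        0) echo enabled ;;
        1) echo disabled ;;
        *) echo absent ;;
    esac
}

# Print the first of the given files that carries the option; the article
# notes it may live in /etc/modprobe.conf or /etc/modprobe.d/vz-parallels.conf.
find_conntrack_config() {
    for f in "$@"; do
        if [ "$(conntrack_ve0_status "$f")" != absent ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Rewrite ip_conntrack_disable_ve0=1 to =0 on the nf_conntrack options line
# of FILE, leaving every other line untouched. Uses a temp file plus mv so it
# works with both GNU and BSD sed (no -i).
enable_conntrack_ve0() {
    f="$1"
    [ -f "$f" ] || return 1
    tmp="$f.tmp.$$"
    sed -E "/${CONNTRACK_LINE}/s/ip_conntrack_disable_ve0=1/ip_conntrack_disable_ve0=0/" "$f" > "$tmp" \
        && mv "$tmp" "$f"
}

# Report the value the loaded module is actually using. Assumption: the
# parameter is exported at the usual sysfs location for module parameters;
# if the file is missing (module not loaded, or parameter not exported) print
# "unknown". A mismatch with the file on disk means the module has not been
# reloaded yet, which is why the article calls for the service restart or a
# reboot.
running_conntrack_ve0_status() {
    p=/sys/module/nf_conntrack/parameters/ip_conntrack_disable_ve0
    if [ ! -r "$p" ]; then echo unknown; return 0; fi
    case "$(cat "$p")" in
        0) echo enabled ;;
        1) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Constructed sample standing in for the post-upgrade configuration file;
# on a real node the two paths named at the top would be passed instead.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/vz-parallels.conf"
printf 'options nf_conntrack ip_conntrack_disable_ve0=1\n' > "$demo_file"

echo "config file : $(find_conntrack_config "$demo_dir/modprobe.conf" "$demo_file")"
echo "before      : $(conntrack_ve0_status "$demo_file")"
enable_conntrack_ve0 "$demo_file"
echo "after       : $(conntrack_ve0_status "$demo_file")"
echo "running     : $(running_conntrack_ve0_status)"
rm -rf "$demo_dir"
```

Run it as root on the node with the real paths to see both the on-disk value and (where the parameter is exported) the value the loaded module is using; the two only agree after the module has been reloaded as described in the note above.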
