LinuxQuestions.org > Linux - Containers > who/what issues iptables commands?
(https://www.linuxquestions.org/questions/linux-containers-122/who-what-issues-iptables-commands-4175639885/)

gregrwm 10-06-2018 07:31 PM

who/what issues iptables commands?
 
A couple of containers lost networking a couple of days ago. I'm thinking the issue is likely iptables commands being issued by system code somewhere. We manage iptables with our own firewall script. We're running openvz7 on centos7. I already removed firewalld, and I would like to know what code causes the following three entries in /var/log/messages:

Oct 5 15:53:05 pecan kernel: Bridge firewalling registered

Oct 5 15:53:16 pecan systemd: Started SYSV: setup firewall (iptables) rules (INPUT chain for the HN, FORWARD chain for clients).

Oct 5 15:53:48 pecan prl_disp_service: 10-05 15:53:48.987 W /cmn_utils:2214:2391/ Start setting basic firewall rules...

ferrari 10-06-2018 08:54 PM

Code:

    Oct 5 15:53:16 pecan systemd: Started SYSV: setup firewall (iptables) rules (INPUT chain for the HN, FORWARD chain for clients).

HN firewall perhaps?
https://wiki.openvz.org/Setting_up_an_iptables_firewall

gregrwm 10-07-2018 03:34 PM

Quote:

Originally Posted by ferrari (Post 5911915)

That's the page that primarily served as the template for the firewall script we're using. In centos6/openvz6 this has worked fine. In centos7/openvz7, even with firewalld already uninstalled, we see quite a bit of firewall/iptables related logging in /var/log/messages (see my OP for examples), but with no indication of where to find the code that's causing the messages!

The dearth of documentation leaves me wondering if the path of least resistance is to give up on our own trusty iptables management script, and reinstall and learn to use firewalld, in the likelihood that's what's expected of us.

That's not really what I want to do, though. We already have traffic accounting fully implemented in our own script, and learning and reimplementing it in a new layer of abstraction doesn't strike me as all that likely to lead to an increase in either functionality or reliability.

ferrari 10-07-2018 09:20 PM

Well, it was your OP output that I used for a quick search, and I noticed the reference to the HN firewall, so I assumed that was involved? Did you not investigate that further?

You're not forced to use firewalld, so you can leave that out of the equation if already disabled.

gregrwm 10-07-2018 10:48 PM

Indeed, that's the advice from which I wrote our current iptables management script several years ago, and it has served us very well in centos6/openvz6.

Documentation for openvz7, however, seems rather lacking. I'm trying to find out what system code in centos7/openvz7 is now stepping in to manipulate iptables even in the absence of firewalld. /var/log/messages is filled with messages about manipulating iptables that our script didn't generate. I want to find the code that's generating those messages.

ferrari 10-08-2018 03:54 AM

Well, the first entry is associated with OpenVZ for configured network bridging AFAIU.

Quote:

    Indeed, that's the advice from which I wrote our current iptables management script several years ago, and it has served us very well in centos6/openvz6.

So you are using the HN firewall; that seems to be what the second line you shared is about.

The third line references 'prl_disp_service'...
https://github.com/OpenVZ/prl-disp-service

Quote:

    prl-disp-service is an OpenVZ management service. It is a component of OpenVZ.

That's about all I can offer. I'm sure you can search online as well as I. Perhaps you can get the required support from the OpenVZ forum. Good luck with this.
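As an added example (not part of this thread or of OpenVZ), a POSIX shell script that takes the three log lines from the original post as constructed input, extracts the syslog tag of each firewall-related line, and prints where on a CentOS 7 host to look next for the program behind that tag. The lookup hints (init script directory, rpm -qf, the auditctl rule) are assumptions about a typical host, not something the thread states.

```shell
#!/bin/sh
# Attribute firewall/iptables log lines to the program that emitted them.
# Constructed sample input: the three lines quoted in the original post.
MESSAGES='Oct 5 15:53:05 pecan kernel: Bridge firewalling registered
Oct 5 15:53:16 pecan systemd: Started SYSV: setup firewall (iptables) rules (INPUT chain for the HN, FORWARD chain for clients).
Oct 5 15:53:48 pecan prl_disp_service: 10-05 15:53:48.987 W /cmn_utils:2214:2391/ Start setting basic firewall rules...'

# syslog_tag LINE: print the syslog tag (program name) of a traditional
# "Mon D HH:MM:SS host tag[pid]: message" line, i.e. field 5 without ":" or "[pid]".
syslog_tag() {
    printf '%s\n' "$1" | awk '{ sub(/:$/, "", $5); sub(/\[.*$/, "", $5); print $5 }'
}

# firewall_tags [FILE]: unique tags of lines mentioning firewall or iptables,
# read from FILE (e.g. /var/log/messages) or from the sample above.
firewall_tags() {
    if [ -n "${1:-}" ]; then cat "$1"; else printf '%s\n' "$MESSAGES"; fi |
        grep -iE 'firewall|iptables' |
        while IFS= read -r line; do syslog_tag "$line"; done | sort -u
}

# where_to_look TAG: next step for tracing a tag to code on a CentOS 7 host
# (assumed locations). The "systemd: Started SYSV: <description>" text is the
# "# description:" header of a SysV init script, so grep the init scripts for it.
where_to_look() {
    case "$1" in
        kernel)  echo "kernel message: check bridge/br_netfilter module loading (lsmod, /etc/modules-load.d/)" ;;
        systemd) echo "SysV unit: grep -l 'setup firewall' /etc/rc.d/init.d/* then systemctl status <name>" ;;
        *)       bin=$(command -v "$1" 2>/dev/null) && rpm -qf "$bin" 2>/dev/null ||
                     echo "tag '$1': rpm -qf \$(command -v $1), or search the OpenVZ repositories" ;;
    esac
}

# To catch future callers instead of reading logs after the fact, audit execs of
# the iptables binary (assumed path): auditctl -w /usr/sbin/iptables -p x -k iptables
for tag in $(firewall_tags); do
    printf '%-18s %s\n' "$tag" "$(where_to_look "$tag")"
done
```

Run it with `firewall_tags /var/log/messages` to process a real log instead of the embedded sample.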