who/what issues iptables commands?
a couple containers lost networking a couple days ago, i'm thinking it likely the issue is iptables commands being issued by system code somewhere. we manage iptables with our own firewall script. we're running openvz7 on centos7. i already removed firewalld, and i would like to know what code causes the following three entries in /var/log/messages:

Code:
Oct 5 15:53:05 pecan kernel: Bridge firewalling registered
Oct 5 15:53:16 pecan systemd: Started SYSV: setup firewall (iptables) rules (INPUT chain for the HN, FORWARD chain for clients).
Oct 5 15:53:48 pecan prl_disp_service: 10-05 15:53:48.987 W /cmn_utils:2214:2391/ Start setting basic firewall rules...

Code:
Oct 5 15:53:16 pecan systemd: Started SYSV: setup firewall (iptables) rules (INPUT chain for the HN, FORWARD chain for clients).
https://wiki.openvz.org/Setting_up_an_iptables_firewall
the dearth of documentation leaves me wondering if the path of least resistance is to give up on our own trusty iptables management script, and reinstall and learn to use firewalld, in the likelihood that's what's expected of us. that's not really what i want to do though. we already have traffic accounting all implemented in our own script, and learning and reimplementing in a new layer of abstraction doesn't strike me as all that likely to lead to an increase in either functionality or reliability.
Well, it was your OP output that I used for a quick search, and I noticed the reference to the HN firewall, so I assumed that was involved? Did you not investigate that further?
You're not forced to use firewalld, so you can leave that out of the equation if already disabled.
indeed, that's the advice from which i wrote our current iptables management script several years ago, and it has served us very well in centos6/openvz6.
documentation for openvz7 however seems rather lacking. i'm trying to find out what system code in centos7/openvz7 is now stepping in to manipulate iptables even in the absence of firewalld. /var/log/messages is filled with messages about manipulating iptables that our script didn't generate. i want to find the code that's generating those messages.
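An added example for the question above (not code from the thread or from OpenVZ): the "systemd: Started SYSV: ..." text is the Description= of a unit that systemd-sysv-generator built from a script in /etc/rc.d/init.d, and that description is copied from the script's "# description:" header, so the script can be found by grepping for it. For attributing later iptables changes to a caller, the second helper writes an auditd watch on the iptables binaries. The paths are the CentOS 7 defaults; the log line and init script used in the demo are constructed, and the assumption that iptables/ip6tables resolve to xtables-multi on CentOS 7 is noted in the code.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers for answering "what issued
# this iptables change?" on a CentOS 7 / OpenVZ 7 host:
#   1. map a "systemd: Started SYSV: <description>" log line back to the SysV
#      init script whose "# description:" header produced that text, and
#   2. write an auditd rule file that records every execution of iptables, so
#      later rule changes can be attributed to a caller with ausearch.
# /etc/rc.d/init.d and /etc/audit/rules.d are the CentOS 7 defaults; the demo
# input in the accompanying test is constructed.

# Read log lines on stdin and print the SYSV unit description from any
# "Started SYSV: ..." line, without the trailing period systemd appends.
sysv_description() {
    sed -n 's/.*systemd: Started SYSV: \(.*\)\.$/\1/p'
}

# List init scripts in directory $1 whose "# description:" header contains
# the phrase $2 (case-insensitive). systemd-sysv-generator copies that header
# into the generated unit's Description=, which is what the journal prints.
find_init_script() {
    grep -il -e "description:.*$2" "$1"/* 2>/dev/null
}

# Write auditd watch rules to file $1 that log every execution of the
# iptables tools under the key "iptables". On CentOS 7 the iptables and
# ip6tables names are symlinks to xtables-multi (assumption), so the real
# binary is watched as well. After `augenrules --load`,
# `ausearch -k iptables -i` shows exe, pid, ppid and comm of each caller.
write_iptables_audit_rules() {
    {
        echo '-w /usr/sbin/iptables -p x -k iptables'
        echo '-w /usr/sbin/ip6tables -p x -k iptables'
        echo '-w /usr/sbin/iptables-restore -p x -k iptables'
        echo '-w /usr/sbin/xtables-multi -p x -k iptables'
    } > "$1"
}

# Demo against the live host; run as: sh find_iptables_caller.sh run
main() {
    desc=$(grep 'Started SYSV' /var/log/messages | sysv_description | sort -u)
    printf 'SYSV units seen in /var/log/messages:\n%s\n' "$desc"
    printf 'Init scripts mentioning "firewall":\n'
    find_init_script /etc/rc.d/init.d 'firewall'
    write_iptables_audit_rules /etc/audit/rules.d/iptables.rules
    printf 'Wrote /etc/audit/rules.d/iptables.rules; load with: augenrules --load\n'
}
case "${1:-}" in run) main ;; esac
```

Once the audit rules are loaded, each SYSCALL record returned by `ausearch -k iptables -i` carries the ppid and exe of whatever ran iptables, which separates calls made by your own script from calls made by an init script or by prl_disp_service.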
Well, the first entry is associated with OpenVZ for configured network bridging AFAIU.
The third line references 'prl_disp_service': https://github.com/OpenVZ/prl-disp-service