It seems that the kernel crash comes only from the iptables rules using the "recent" module (rules in the containers). Since I removed the -m recent rules, I have not succeeded in reproducing the kernel hang.
Thanks Jean-Marc for your firewall rules. My question was not about the iptables rules, but about the isolation of syslog and my LOG rules inside containers. Actually, all containers' LOG rules are logging packets of their own containers as usual; the problem is that the host syslog intercepts the log packets too. Thanks for your support.

On 17/10/11 07:17, LACROIX Jean Marc wrote:
>> Date: Fri, 14 Oct 2011 17:35:02 +0200
>> From: Admin <[email protected]>
>> Subject: [Lxc-users] lxc-stop make Kernel crashing
>> To: [email protected]
>> Message-ID: <[email protected]>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Another question: does anybody implement iptables inside containers and could
>> give me advice on configuring the LOG chain or rsyslog inside a container to
>> isolate iptables kernel log messages from the hypervisor?
>>
> Tony,
> Please find one firewall example running in a container.
>
> Step 0: all chains must be in DROP condition as the default case...
> in my case, for the FORWARD chain...
>
>     /sbin/iptables \
>         --table filter \
>         --policy FORWARD DROP
>
> Step 1: just before the last rule, insert a rule in order to log the traffic
> that will be dropped, and never forget to limit the total number of packets (!)
>
>     /sbin/iptables \
>         --table filter \
>         --append FORWARD \
>         --jump LOG \
>         --log-prefix "gateway-3: DROP " \
>         --match limit \
>         --limit 4/second \
>         --limit-burst 5
>
> Step 2: as the last rule of the chain, insert a DROP condition
>
>     /sbin/iptables \
>         --table filter \
>         --append FORWARD \
>         --jump DROP
>
> root@gateway-3:~# iptables --verbose --line-numbers --list FORWARD
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> num   pkts bytes target prot opt in   out  source           destination
> ..............
> 13       0     0 ACCEPT tcp  --  eth3 eth2 192.168.22.0/24  anywhere         tcp dpt:www
> 14       0     0 ACCEPT tcp  --  eth2 eth3 anywhere         192.168.22.0/24  tcp spt:www
> 15    1779  364K LOG    all  --  any  any  anywhere         anywhere         limit: avg 4/sec burst 5 LOG level warning prefix `gateway-3: DROP '
> 16    1784  365K DROP   all  --  any  any  anywhere         anywhere
>
> Regards

_______________________________________________
Lxc-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/lxc-users
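The script below is an added example and is not code from the thread or from LXC. It wraps Jean-Marc's DROP / rate-limited LOG / DROP chain tail in a reusable function and then shows the host-side effect Tony describes: LXC containers share the host kernel, the netfilter LOG target writes to the one kernel ring buffer, and a container's own rsyslog never gets those lines as its own. What does separate them is the --log-prefix, so the second half of the script filters a constructed kernel log by prefix, which is exactly what a host-side rsyslog rule such as `:msg, contains, "gateway-3: DROP "` keyed on the same string would do per container. The host name, container names gateway-3 and gateway-4, interface names and log lines are invented for the example; IPTABLES defaults to `echo iptables` so nothing is changed unless you set it to the real binary.

```shell
#!/bin/sh
# Added example, not code from the lxc-users thread.
# IPTABLES defaults to "echo iptables" so the script only prints the rules;
# set IPTABLES=/sbin/iptables (as root) to apply them. Deliberately unquoted
# below so "echo iptables" splits into command and first argument.
IPTABLES=${IPTABLES:-echo iptables}

# install_drop_tail CHAIN PREFIX [RATE] [BURST]
# 1. default policy DROP  2. rate-limited LOG carrying PREFIX  3. explicit DROP.
# The limit match guards the LOG target so one container cannot flood the
# kernel log shared with the host; 4/second, burst 5 are the thread's values.
install_drop_tail() {
    chain=$1
    prefix=$2
    rate=${3:-4/second}
    burst=${4:-5}
    $IPTABLES --table filter --policy "$chain" DROP
    $IPTABLES --table filter --append "$chain" \
        --match limit --limit "$rate" --limit-burst "$burst" \
        --jump LOG --log-prefix "$prefix"
    $IPTABLES --table filter --append "$chain" --jump DROP
}

# Constructed sample of the host's kernel log once two containers both run
# LOG rules: their lines interleave with each other and with unrelated kernel
# messages, and only the prefix identifies the container. Invented data.
SAMPLE_KLOG='Oct 17 07:17:02 host kernel: [ 100.000001] gateway-3: DROP IN=eth3 OUT=eth2 SRC=192.168.22.10 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=22
Oct 17 07:17:02 host kernel: [ 100.000120] gateway-4: DROP IN=eth5 OUT=eth4 SRC=192.168.44.10 DST=10.0.0.1 PROTO=UDP SPT=5353 DPT=53
Oct 17 07:17:03 host kernel: [ 101.000003] gateway-3: DROP IN=eth3 OUT=eth2 SRC=192.168.22.11 DST=10.0.0.1 PROTO=TCP SPT=40001 DPT=445
Oct 17 07:17:03 host kernel: [ 101.000222] usb 1-1: new high-speed USB device number 2 using ehci_hcd'

# drop_lines_for PREFIX [FILE]
# Print the kernel-log lines carrying PREFIX (from FILE, or from the sample).
# -F matches the prefix as a fixed string, -- keeps a prefix starting with "-"
# from being read as an option, and a no-match (grep status 1) is not an error.
drop_lines_for() {
    if [ -n "$2" ]; then
        grep -F -- "$1" "$2" || [ $? -eq 1 ]
    else
        printf '%s\n' "$SAMPLE_KLOG" | grep -F -- "$1" || [ $? -eq 1 ]
    fi
}

# count_drops PREFIX [FILE]  -- number of logged DROP lines for one container
count_drops() {
    drop_lines_for "$1" "$2" | wc -l | tr -d ' '
}

# split_klog FILE OUTDIR PREFIX...
# Write each container's lines to OUTDIR/<name>.log, <name> being the prefix
# up to its first ':' ("gateway-3: DROP " -> gateway-3.log): the per-container
# split the host has to do, since the containers cannot do it themselves.
split_klog() {
    file=$1
    outdir=$2
    shift 2
    mkdir -p "$outdir"
    for p in "$@"; do
        name=${p%%:*}
        drop_lines_for "$p" "$file" > "$outdir/$name.log"
    done
}

# Demo when run directly: the three rules for gateway-3's FORWARD chain, then
# how many DROP lines each container contributed to the constructed log.
install_drop_tail FORWARD 'gateway-3: DROP '
for p in 'gateway-3: DROP ' 'gateway-4: DROP '; do
    echo "${p%%:*}: $(count_drops "$p") dropped packets logged"
done
```

Give every container a prefix that is unique on the host (the container name works well) and keep the trailing space, so that "gateway-3: DROP " can never match inside "gateway-30: DROP ". The rate limit matters more here than on a standalone firewall: because the log buffer is shared, a container without it can drown the host's own kernel messages.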
