Re: [Devel] double faults in Virtuozzo KVM

2017-09-28 Thread Denis Kirjanov
On Thursday, September 28, 2017, Roman Kagan  wrote:

> On Thu, Sep 28, 2017 at 05:55:51PM +0300, Denis Kirjanov wrote:
> > Hi, we're seeing double faults in async_page_fault.
>
> async_page_fault is the #PF handler in KVM guests.  It filters out
> specially crafted #PF's from the host; the rest fall through to the
> regular #PF handler.  So most likely you're seeing genuine #PFs,
> unrelated to virtualization.
>
> > _Some_ of them are related to the fact that during the faults RSP points
> > to userspace, which leads to a double-fault scenario.
>
> The postmortem you quote doesn't support that.


I'll post a relevant trace

>
> > Is it a known problem?
>
> There used to be a bug in the async pagefault machinery which caused the L0
> hypervisor to inject async pagefaults into the L2 guest instead of L1.  This
> must've been fixed in sufficiently recent


Yep, I saw the patch, and IMHO it's about a different thing. The patch
fixes a wrong PF injected into an unrelated guest, and thus the guest ends up
with the 'CPU stuck' messages since it can't get the requested page.

> I'd guess the problem is with your kernel.  Doesn't it reproduce on bare
> metal?
>
>
> > [11587.895394] Hardware name: Virtuozzo KVM, BIOS 1.9.1-5.3.2.vz7.6
> 04/01/2014
> > [11587.895394] task: 88020bee ti: 880204b6 task.ti:
> > 880204b6
> > [11587.895394] RIP: 0010:[]  []
> > async_page_fault+0xd/0x30
> > [11587.895394] RSP: 002b:880234f61fd8  EFLAGS: 00010096
> > [11587.895394] RAX: 816a192c RBX: 0001 RCX:
> 816a192c
> > [11587.895394] RDX: 88023fc03fc0 RSI:  RDI:
> 880234f62098
> > [11587.895394] RBP: 880234f62088 R08: 88023fbfffc0 R09:
> 88003642af00
> > [11587.895394] R10: 8000 R11:  R12:
> 88023fc04f58
> > [11587.895394] R13: 0028 R14:  R15:
> 
> > [11587.895394] FS:  7ff80ffc1880() GS:88023fc0()
> > knlGS:
> > [11587.895394] CS:  0010 DS:  ES:  CR0: 8005003b
> > [11587.895394] CR2: 880234f61fc8 CR3: b9436000 CR4:
> 07f0
> > [11587.895394] DR0:  DR1:  DR2:
> 
> > [11587.895394] DR3:  DR6: 0ff0 DR7:
> 0400
> > [11587.895394] Stack:
> > [11587.895394]  c7e9e11c7f44 270f05836600 9090fb02
> > be0001b9d231
> > [11587.895394]  e8df8948 000231a6fba8 00010008
> > 
> > [11587.895394]  0002  0003
> > 
> > [11587.895394] Call Trace:
> > [11587.895394] Code: 48 89 e7 48 8b 74 24 78 48 c7 44 24 78 ff ff ff
> > ff e8 78 3d 00 00 e9 33 02 00 00 0f 1f 00 66 66 90 66 66 90 66 66 90
> > 48 83 ec 78  7e 01 00 00 48 89 e7 48 8b 74 24 78 48 c7 44 24 78 ff
> > ff ff
> > [11587.895394] RIP  [] async_page_fault+0xd/0x30
> > [11587.895394]  RSP 
>
> Roman.
>
___
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
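The disagreement above turns on three fields that sit next to each other in the quoted dump: the SS selector and RSP on the `RSP:` line, CS, and CR2. The POSIX shell script below is an added example, not code from this thread or from Virtuozzo: it pulls those fields out of an oops and reports the privilege level of each selector, which half of the address space RSP lies in, and how far CR2 sits below RSP. The sample dump is constructed for the example, modelled on the one quoted above; the `ffff` prefixes on the kernel addresses are assumed, since this copy of the mail has them stripped, and the RIP line is left out because its address is not recoverable from the page.

```shell
#!/bin/sh
# Added example, not code from the thread: extract the SS:RSP, CS and CR2
# fields of an x86-64 oops and state what they say about the stack in use.

# Constructed sample modelled on the dump quoted in the thread. The "ffff"
# prefixes of the kernel addresses are assumed (this copy of the mail has them
# stripped) and the RIP line is left out because its address is not recoverable.
SAMPLE_OOPS='[11587.895394] RSP: 002b:ffff880234f61fd8  EFLAGS: 00010096
[11587.895394] FS:  00007ff80ffc1880(0000) GS:ffff88023fc00000(0000) knlGS:0000000000000000
[11587.895394] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[11587.895394] CR2: ffff880234f61fc8 CR3: 00000000b9436000 CR4: 00000000000007f0'

# oops_field TEXT NAME: the hex value printed right after "NAME:" on the first
# line that carries it. For RSP this keeps the "ss:rsp" form the oops uses.
oops_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2:[[:space:]]*\([0-9a-fA-F:]*\).*/\1/p" |
        head -n 1
}

# selector_rpl SEL: the requested privilege level, the low two bits of a
# segment selector. Linux x86-64 uses 0x10 for __KERNEL_CS and 0x2b for
# __USER_DS, so RPL 0 is a kernel selector and RPL 3 a user one.
selector_rpl() {
    echo $(( 0x$1 & 3 ))
}

# addr_half ADDR: "kernel" for a canonical upper-half address (bit 63 set, so a
# 16-digit value whose first digit is 8-f), "user" for anything else.
addr_half() {
    case $1 in
        [89a-fA-F]???????????????) echo kernel ;;
        *) echo user ;;
    esac
}

# stack_delta CR2 RSP: bytes by which CR2 lies below RSP, or 0 when CR2 is not
# strictly below RSP within the same 4 GiB window. Only the low 32 bits enter
# the arithmetic, which keeps the values inside POSIX sh's integer range.
stack_delta() {
    cr2=$1; rsp=$2
    [ "${#cr2}" -eq 16 ] && [ "${#rsp}" -eq 16 ] || { echo 0; return; }
    [ "${cr2%????????}" = "${rsp%????????}" ] || { echo 0; return; }
    cr2_lo=${cr2#"${cr2%????????}"}
    rsp_lo=${rsp#"${rsp%????????}"}
    d=$(( 0x$rsp_lo - 0x$cr2_lo ))
    if [ "$d" -gt 0 ]; then echo "$d"; else echo 0; fi
}

# oops_stack_summary TEXT: one line with the verdict on the four fields.
oops_stack_summary() {
    ssrsp=$(oops_field "$1" RSP)
    ss=${ssrsp%%:*}
    rsp=${ssrsp#*:}
    cs=$(oops_field "$1" CS)
    cr2=$(oops_field "$1" CR2)
    printf 'CS=%s (RPL %s) SS=%s (RPL %s) RSP=%s (%s half) CR2=%s (%s bytes below RSP)\n' \
        "$cs" "$(selector_rpl "$cs")" "$ss" "$(selector_rpl "$ss")" \
        "$rsp" "$(addr_half "$rsp")" "$cr2" "$(stack_delta "$cr2" "$rsp")"
}

oops_stack_summary "$SAMPLE_OOPS"
```

Run it as is to see the verdict for the constructed sample, or feed it a real dump with `oops_stack_summary "$(dmesg | grep -E 'RSP:|CS:|CR2:')"`. The script only decodes; whether a user-RPL SS together with a kernel-half RSP is a symptom or a red herring is the question the thread is arguing about, and that still needs the full trace.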


Re: [Devel] double faults in Virtuozzo KVM

2017-09-28 Thread Vasily Averin
Dear Denis,
No, we know nothing about this problem.
Could you please create a bug in the OpenVZ Jira?

Thank you,
Vasily Averin

On 2017-09-28 17:55, Denis Kirjanov wrote:
> Hi, we're seeing double faults in async_page_fault.
> _Some_ of them are related to the fact that during the faults RSP points
> to userspace, which leads to a double-fault scenario.
> 
> Is it a known problem?
> 
> Thanks!
> 
> [11587.895394] Hardware name: Virtuozzo KVM, BIOS 1.9.1-5.3.2.vz7.6 04/01/2014
> [11587.895394] task: 88020bee ti: 880204b6 task.ti:
> 880204b6
> [11587.895394] RIP: 0010:[]  []
> async_page_fault+0xd/0x30
> [11587.895394] RSP: 002b:880234f61fd8  EFLAGS: 00010096
> [11587.895394] RAX: 816a192c RBX: 0001 RCX: 
> 816a192c
> [11587.895394] RDX: 88023fc03fc0 RSI:  RDI: 
> 880234f62098
> [11587.895394] RBP: 880234f62088 R08: 88023fbfffc0 R09: 
> 88003642af00
> [11587.895394] R10: 8000 R11:  R12: 
> 88023fc04f58
> [11587.895394] R13: 0028 R14:  R15: 
> 
> [11587.895394] FS:  7ff80ffc1880() GS:88023fc0()
> knlGS:
> [11587.895394] CS:  0010 DS:  ES:  CR0: 8005003b
> [11587.895394] CR2: 880234f61fc8 CR3: b9436000 CR4: 
> 07f0
> [11587.895394] DR0:  DR1:  DR2: 
> 
> [11587.895394] DR3:  DR6: 0ff0 DR7: 
> 0400
> [11587.895394] Stack:
> [11587.895394]  c7e9e11c7f44 270f05836600 9090fb02
> be0001b9d231
> [11587.895394]  e8df8948 000231a6fba8 00010008
> 
> [11587.895394]  0002  0003
> 
> [11587.895394] Call Trace:
> [11587.895394] Code: 48 89 e7 48 8b 74 24 78 48 c7 44 24 78 ff ff ff
> ff e8 78 3d 00 00 e9 33 02 00 00 0f 1f 00 66 66 90 66 66 90 66 66 90
> 48 83 ec 78  7e 01 00 00 48 89 e7 48 8b 74 24 78 48 c7 44 24 78 ff
> ff ff
> [11587.895394] RIP  [] async_page_fault+0xd/0x30
> [11587.895394]  RSP 
> 


[Devel] double faults in Virtuozzo KVM

2017-09-28 Thread Denis Kirjanov
Hi, we're seeing double faults in async_page_fault.
_Some_ of them are related to the fact that during the faults RSP points
to userspace, which leads to a double-fault scenario.

Is it a known problem?

Thanks!

[11587.895394] Hardware name: Virtuozzo KVM, BIOS 1.9.1-5.3.2.vz7.6 04/01/2014
[11587.895394] task: 88020bee ti: 880204b6 task.ti:
880204b6
[11587.895394] RIP: 0010:[]  []
async_page_fault+0xd/0x30
[11587.895394] RSP: 002b:880234f61fd8  EFLAGS: 00010096
[11587.895394] RAX: 816a192c RBX: 0001 RCX: 816a192c
[11587.895394] RDX: 88023fc03fc0 RSI:  RDI: 880234f62098
[11587.895394] RBP: 880234f62088 R08: 88023fbfffc0 R09: 88003642af00
[11587.895394] R10: 8000 R11:  R12: 88023fc04f58
[11587.895394] R13: 0028 R14:  R15: 
[11587.895394] FS:  7ff80ffc1880() GS:88023fc0()
knlGS:
[11587.895394] CS:  0010 DS:  ES:  CR0: 8005003b
[11587.895394] CR2: 880234f61fc8 CR3: b9436000 CR4: 07f0
[11587.895394] DR0:  DR1:  DR2: 
[11587.895394] DR3:  DR6: 0ff0 DR7: 0400
[11587.895394] Stack:
[11587.895394]  c7e9e11c7f44 270f05836600 9090fb02
be0001b9d231
[11587.895394]  e8df8948 000231a6fba8 00010008

[11587.895394]  0002  0003

[11587.895394] Call Trace:
[11587.895394] Code: 48 89 e7 48 8b 74 24 78 48 c7 44 24 78 ff ff ff
ff e8 78 3d 00 00 e9 33 02 00 00 0f 1f 00 66 66 90 66 66 90 66 66 90
48 83 ec 78  7e 01 00 00 48 89 e7 48 8b 74 24 78 48 c7 44 24 78 ff
ff ff
[11587.895394] RIP  [] async_page_fault+0xd/0x30
[11587.895394]  RSP 


[Devel] [PATCH rh7] ms/mm: mempool: kasan: don't put mempool objects in quarantine

2017-09-28 Thread Andrey Ryabinin
Currently we may put elements reserved by mempool into quarantine via
kasan_kfree().  This is totally wrong since the quarantine may really free
these objects.  So when mempool tries to use such an element, a
use-after-free will happen.  Or mempool may decide that it no longer
needs that element and double-free it.

So don't put the object into quarantine in kasan_kfree(), just poison it.
Rename kasan_kfree() to kasan_poison_kfree() to reflect that.

Also, we shouldn't use kasan_slab_alloc()/kasan_krealloc() in
kasan_unpoison_element() because those functions may update the allocation
stacktrace.  This would be wrong for most of the remove_element call
sites.

(The only call site where we may want to update alloc stacktrace is
 in mempool_alloc(). Kmemleak solves this by calling
 kmemleak_update_trace(), so we could make something like that too.
 But this is out of scope of this patch).

Fixes: 55834c59098d ("mm: kasan: initial memory quarantine implementation")
Link: http://lkml.kernel.org/r/575977c3.1010...@virtuozzo.com
Signed-off-by: Andrey Ryabinin 
Reported-by: Kuthonuzo Luruo 
Acked-by: Alexander Potapenko 
Cc: Dmitriy Vyukov 
Cc: Kostya Serebryany 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 

https://jira.sw.ru/browse/PSBM-73165
(cherry picked from commit 9b75a867cc9ddbafcaf35029358ac500f2635ff3)
Signed-off-by: Andrey Ryabinin 
---
 include/linux/kasan.h |  9 +
 mm/kasan/kasan.c  |  6 +++---
 mm/mempool.c  | 12 
 3 files changed, 12 insertions(+), 15 deletions(-)

diff --git a/include/linux/kasan.h b/include/linux/kasan.h
index 21cedc322d9a..5dc6eef8351d 100644
--- a/include/linux/kasan.h
+++ b/include/linux/kasan.h
@@ -50,14 +50,13 @@ void kasan_init_slab_obj(struct kmem_cache *cache, const 
void *object);
 
 void kasan_kmalloc_large(const void *ptr, size_t size, gfp_t flags);
 void kasan_kfree_large(const void *ptr);
-void kasan_kfree(void *ptr);
+void kasan_poison_kfree(void *ptr);
 void kasan_kmalloc(struct kmem_cache *s, const void *object, size_t size,
  gfp_t flags);
 void kasan_krealloc(const void *object, size_t new_size, gfp_t flags);
 
 void kasan_slab_alloc(struct kmem_cache *s, void *object, gfp_t flags);
 bool kasan_slab_free(struct kmem_cache *s, void *object);
-void kasan_poison_slab_free(struct kmem_cache *s, void *object);
 
 struct kasan_cache {
int alloc_meta_offset;
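Review bot: every caller of `kasan_kfree()` and `kasan_poison_slab_free()` outside mm/kasan/ has to change in this same patch, because the first is renamed and the extern declaration of the second is dropped here; the diffstat names mm/mempool.c as the only other file touched, but its hunks are missing from this copy of the mail, so the rename cannot be checked end to end. A one-line comment above `void kasan_poison_kfree(void *ptr);` saying that it only poisons and never quarantines would also help, since the name alone does not explain how it differs from `kasan_kfree_large()` right above it.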
@@ -67,6 +66,8 @@ struct kasan_cache {
 int kasan_module_alloc(void *addr, size_t size);
 void kasan_free_shadow(const struct vm_struct *vm);
 
+size_t ksize(const void *);
+static inline void kasan_unpoison_slab(const void *ptr) { ksize(ptr); }
 size_t kasan_metadata_size(struct kmem_cache *cache);
 
 #else /* CONFIG_KASAN */
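Review bot: `static inline void kasan_unpoison_slab(const void *ptr) { ksize(ptr); }` depends entirely on a side effect of ksize() and discards its result, which reads like a bug to anyone who does not know that the slab ksize() unpoisons the object; a one-line comment naming that side effect is needed here. The bare `size_t ksize(const void *);` prototype re-declares a function that belongs to <linux/slab.h>, presumably to avoid an include cycle; say so in a comment, since any later change to ksize()'s signature has to be mirrored in this header.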
@@ -95,7 +96,7 @@ static inline void kasan_init_slab_obj(struct kmem_cache 
*cache,
 
 static inline void kasan_kmalloc_large(void *ptr, size_t size, gfp_t flags) {}
 static inline void kasan_kfree_large(const void *ptr) {}
-static inline void kasan_kfree(void *ptr) {}
+static inline void kasan_poison_kfree(void *ptr) {}
 static inline void kasan_kmalloc(struct kmem_cache *s, const void *object,
size_t size, gfp_t flags) {}
 static inline void kasan_krealloc(const void *object, size_t new_size,
@@ -107,11 +108,11 @@ static inline bool kasan_slab_free(struct kmem_cache *s, 
void *object)
 {
return false;
 }
-static inline void kasan_poison_slab_free(struct kmem_cache *s, void *object) 
{}
 
 static inline int kasan_module_alloc(void *addr, size_t size) { return 0; }
 static inline void kasan_free_shadow(const struct vm_struct *vm) {}
 
+static inline void kasan_unpoison_slab(const void *ptr) { }
 static inline size_t kasan_metadata_size(struct kmem_cache *cache) { return 0; 
}
 
 #endif /* CONFIG_KASAN */
diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index 8b9531312417..33bc171b5625 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
@@ -482,7 +482,7 @@ void kasan_slab_alloc(struct kmem_cache *cache, void 
*object, gfp_t flags)
kasan_kmalloc(cache, object, cache->object_size, flags);
 }
 
-void kasan_poison_slab_free(struct kmem_cache *cache, void *object)
+static void kasan_poison_slab_free(struct kmem_cache *cache, void *object)
 {
unsigned long size = cache->object_size;
unsigned long rounded_up_size = round_up(size, KASAN_SHADOW_SCALE_SIZE);
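Review bot: now that `kasan_poison_slab_free()` is static, it must be defined before its first use in this file (or get a static forward declaration), otherwise the build fails on the implicit declaration followed by a conflicting static definition; the hunk shows only the definition around line 482, so please confirm that `kasan_slab_free()` comes after it in the rh7 tree.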
@@ -581,7 +581,7 @@ void kasan_krealloc(const void *object, size_t size, gfp_t 
flags)
kasan_kmalloc(page->slab_cache, object, size, flags);
 }
 
-void kasan_kfree(void *ptr)
+void kasan_poison_kfree(void *ptr)
 {
struct page *page;
 
@@ -591,7 +591,7 @@ void kasan_kfree(void *ptr)
kasan_poison_shadow(ptr, PAGE_SIZE << compound_order(page),
KASAN_FREE_PAGE);
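Review bot: the hunk is cut off here in the middle of `kasan_poison_kfree()`: only the large-page branch (`kasan_poison_shadow(ptr, PAGE_SIZE << compound_order(page), KASAN_FREE_PAGE)`) is visible, while the slab branch, which is where the commit message says the quarantine put is replaced by plain poisoning, and the whole mm/mempool.c change from the diffstat are absent, so the actual fix cannot be reviewed from this message; please repost the complete patch. The `void kasan_kfree(void *ptr)` in the `@@` header is the pre-image function name and is expected.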

Re: [Devel] [PATCH] scripts: add "-w" to iptables command

2017-09-28 Thread Kirill Tkhai
The oldest version from VZ7, I suppose. I don't know which it is.

On 28.09.2017 13:58, Stanislav Kinsburskiy wrote:
> How old should it be?
> I checked with v1.4.21
> 
> 28.09.2017 12:55, Kirill Tkhai пишет:
>> Could you please to say will it work on old iptables?
>>
>> On 28.09.2017 13:03, Stanislav Kinsburskiy wrote:
>>> What a brilliant idea it was to ignore unknown keys.
>>> Should take it into account.
>>>
>>> 28.09.2017 10:26, Vasily Averin wrote:
 kthai@ explained that an old version of iptables ignores unknown keys, so
 adding -w is safe.

 On 2017-09-28 10:40, Pavel Tikhomirov wrote:
> Can we have this script running with an older iptables version which does
> not have "-w"?
>
> On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
>> Needed to support new versions of iptables.
>>
>> https://jira.sw.ru/browse/PSBM-73153
>>
>> Signed-off-by: Stanislav Kinsburskiy 
>> ---
>>   scripts/nfs-ports-allow.sh |   16 
>>   1 file changed, 8 insertions(+), 8 deletions(-)
>>
>> diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
>> index 97541dc..ac5cf5f 100644
>> --- a/scripts/nfs-ports-allow.sh
>> +++ b/scripts/nfs-ports-allow.sh
>> @@ -36,10 +36,10 @@ function add_accept_rules {
>>   local server=$1
>>   local port=$2
>>   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>> $server --sport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
>> $server --dport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>> $server --sport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
>> $server --dport $port -j ACCEPT
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>> $server --sport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
>> $server --dport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>> $server --sport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
>> $server --dport $port -j ACCEPT
>>   }
>> function iptables_allow_nfs_ports {
>> @@ -63,10 +63,10 @@ function allow_portmapper_port {
>>   local server=$1
>>   local port=111
>>   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>> $server --sport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
>> $server --dport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>> $server --sport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
>> $server --dport $port -j ACCEPT
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>> $server --sport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
>> $server --dport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>> $server --sport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
>> $server --dport $port -j ACCEPT
>>   }
>> for s in $servers; do
>>
>>
>

>>>


Re: [Devel] [PATCH] scripts: add "-w" to iptables command

2017-09-28 Thread Stanislav Kinsburskiy
How old should it be?
I checked with v1.4.21

28.09.2017 12:55, Kirill Tkhai wrote:
> Could you please say whether it will work on old iptables?
> 
> On 28.09.2017 13:03, Stanislav Kinsburskiy wrote:
>> What a brilliant idea it was to ignore unknown keys.
>> Should take it into account.
>>
>> 28.09.2017 10:26, Vasily Averin wrote:
>>> kthai@ explained that an old version of iptables ignores unknown keys, so
>>> adding -w is safe.
>>>
>>> On 2017-09-28 10:40, Pavel Tikhomirov wrote:
 Can we have this script running with an older iptables version which does
 not have "-w"?

 On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
> Needed to support new versions of iptables.
>
> https://jira.sw.ru/browse/PSBM-73153
>
> Signed-off-by: Stanislav Kinsburskiy 
> ---
>   scripts/nfs-ports-allow.sh |   16 
>   1 file changed, 8 insertions(+), 8 deletions(-)
>
> diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
> index 97541dc..ac5cf5f 100644
> --- a/scripts/nfs-ports-allow.sh
> +++ b/scripts/nfs-ports-allow.sh
> @@ -36,10 +36,10 @@ function add_accept_rules {
>   local server=$1
>   local port=$2
>   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
> $server --sport $port -j ACCEPT &&
> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
> $server --dport $port -j ACCEPT &&
> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
> $server --sport $port -j ACCEPT &&
> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
> $server --dport $port -j ACCEPT
> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
> $server --sport $port -j ACCEPT &&
> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
> $server --dport $port -j ACCEPT &&
> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
> $server --sport $port -j ACCEPT &&
> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
> $server --dport $port -j ACCEPT
>   }
> function iptables_allow_nfs_ports {
> @@ -63,10 +63,10 @@ function allow_portmapper_port {
>   local server=$1
>   local port=111
>   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
> $server --sport $port -j ACCEPT &&
> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
> $server --dport $port -j ACCEPT &&
> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
> $server --sport $port -j ACCEPT &&
> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
> $server --dport $port -j ACCEPT
> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
> $server --sport $port -j ACCEPT &&
> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
> $server --dport $port -j ACCEPT &&
> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
> $server --sport $port -j ACCEPT &&
> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
> $server --dport $port -j ACCEPT
>   }
> for s in $servers; do
>
>

>>>
>>


Re: [Devel] [PATCH] scripts: add "-w" to iptables command

2017-09-28 Thread Kirill Tkhai
Could you please say whether it will work on old iptables?

On 28.09.2017 13:03, Stanislav Kinsburskiy wrote:
> What a brilliant idea it was to ignore unknown keys.
> Should take it into account.
> 
> 28.09.2017 10:26, Vasily Averin wrote:
>> kthai@ explained that an old version of iptables ignores unknown keys, so
>> adding -w is safe.
>>
>> On 2017-09-28 10:40, Pavel Tikhomirov wrote:
>>> Can we have this script running with an older iptables version which does not
>>> have "-w"?
>>>
>>> On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
 Needed to support new versions of iptables.

 https://jira.sw.ru/browse/PSBM-73153

 Signed-off-by: Stanislav Kinsburskiy 
 ---
   scripts/nfs-ports-allow.sh |   16 
   1 file changed, 8 insertions(+), 8 deletions(-)

 diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
 index 97541dc..ac5cf5f 100644
 --- a/scripts/nfs-ports-allow.sh
 +++ b/scripts/nfs-ports-allow.sh
 @@ -36,10 +36,10 @@ function add_accept_rules {
   local server=$1
   local port=$2
   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
 $server --sport $port -j ACCEPT &&
 -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
 --dport $port -j ACCEPT &&
 -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server 
 --sport $port -j ACCEPT &&
 -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
 --dport $port -j ACCEPT
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
 $server --sport $port -j ACCEPT &&
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
 $server --dport $port -j ACCEPT &&
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
 $server --sport $port -j ACCEPT &&
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
 $server --dport $port -j ACCEPT
   }
 function iptables_allow_nfs_ports {
 @@ -63,10 +63,10 @@ function allow_portmapper_port {
   local server=$1
   local port=111
   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
 $server --sport $port -j ACCEPT &&
 -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
 --dport $port -j ACCEPT &&
 -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server 
 --sport $port -j ACCEPT &&
 -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
 --dport $port -j ACCEPT
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
 $server --sport $port -j ACCEPT &&
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
 $server --dport $port -j ACCEPT &&
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
 $server --sport $port -j ACCEPT &&
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
 $server --dport $port -j ACCEPT
   }
 for s in $servers; do


>>>
>>
> 


Re: [Devel] [PATCH] scripts: add "-w" to iptables command

2017-09-28 Thread Kirill Tkhai
iptables-restore does ignore them.

On 28.09.2017 11:26, Vasily Averin wrote:
> kthai@ explained that an old version of iptables ignores unknown keys, so adding
> -w is safe.
> 
> On 2017-09-28 10:40, Pavel Tikhomirov wrote:
>> Can we have this script running with an older iptables version which does not
>> have "-w"?
>>
>> On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
>>> Needed to support new versions of iptables.
>>>
>>> https://jira.sw.ru/browse/PSBM-73153
>>>
>>> Signed-off-by: Stanislav Kinsburskiy 
>>> ---
>>>   scripts/nfs-ports-allow.sh |   16 
>>>   1 file changed, 8 insertions(+), 8 deletions(-)
>>>
>>> diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
>>> index 97541dc..ac5cf5f 100644
>>> --- a/scripts/nfs-ports-allow.sh
>>> +++ b/scripts/nfs-ports-allow.sh
>>> @@ -36,10 +36,10 @@ function add_accept_rules {
>>>   local server=$1
>>>   local port=$2
>>>   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>>> $server --sport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
>>> --dport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server 
>>> --sport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
>>> --dport $port -j ACCEPT
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>>> $server --sport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
>>> $server --dport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>>> $server --sport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
>>> $server --dport $port -j ACCEPT
>>>   }
>>> function iptables_allow_nfs_ports {
>>> @@ -63,10 +63,10 @@ function allow_portmapper_port {
>>>   local server=$1
>>>   local port=111
>>>   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>>> $server --sport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
>>> --dport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server 
>>> --sport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
>>> --dport $port -j ACCEPT
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>>> $server --sport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
>>> $server --dport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>>> $server --sport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
>>> $server --dport $port -j ACCEPT
>>>   }
>>> for s in $servers; do
>>>
>>>
>>
> 


Re: [Devel] [PATCH] scripts: add "-w" to iptables command

2017-09-28 Thread Stanislav Kinsburskiy
What a brilliant idea it was to ignore unknown keys.
Should take it into account.

28.09.2017 10:26, Vasily Averin wrote:
> kthai@ explained that an old version of iptables ignores unknown keys, so adding
> -w is safe.
> 
> On 2017-09-28 10:40, Pavel Tikhomirov wrote:
>> Can we have this script running with an older iptables version which does not
>> have "-w"?
>>
>> On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
>>> Needed to support new versions of iptables.
>>>
>>> https://jira.sw.ru/browse/PSBM-73153
>>>
>>> Signed-off-by: Stanislav Kinsburskiy 
>>> ---
>>>   scripts/nfs-ports-allow.sh |   16 
>>>   1 file changed, 8 insertions(+), 8 deletions(-)
>>>
>>> diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
>>> index 97541dc..ac5cf5f 100644
>>> --- a/scripts/nfs-ports-allow.sh
>>> +++ b/scripts/nfs-ports-allow.sh
>>> @@ -36,10 +36,10 @@ function add_accept_rules {
>>>   local server=$1
>>>   local port=$2
>>>   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>>> $server --sport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
>>> --dport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server 
>>> --sport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
>>> --dport $port -j ACCEPT
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>>> $server --sport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
>>> $server --dport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>>> $server --sport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
>>> $server --dport $port -j ACCEPT
>>>   }
>>> function iptables_allow_nfs_ports {
>>> @@ -63,10 +63,10 @@ function allow_portmapper_port {
>>>   local server=$1
>>>   local port=111
>>>   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>>> $server --sport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
>>> --dport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server 
>>> --sport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
>>> --dport $port -j ACCEPT
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>>> $server --sport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
>>> $server --dport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>>> $server --sport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
>>> $server --dport $port -j ACCEPT
>>>   }
>>> for s in $servers; do
>>>
>>>
>>
> 


Re: [Devel] [PATCH] scripts: add "-w" to iptables command

2017-09-28 Thread Vasily Averin
kthai@ explained that an old version of iptables ignores unknown keys, so adding
-w is safe.

On 2017-09-28 10:40, Pavel Tikhomirov wrote:
> Can we have this script running with an older iptables version which does not
> have "-w"?
> 
> On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
>> Needed to support new versions of iptables.
>>
>> https://jira.sw.ru/browse/PSBM-73153
>>
>> Signed-off-by: Stanislav Kinsburskiy 
>> ---
>>   scripts/nfs-ports-allow.sh |   16 
>>   1 file changed, 8 insertions(+), 8 deletions(-)
>>
>> diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
>> index 97541dc..ac5cf5f 100644
>> --- a/scripts/nfs-ports-allow.sh
>> +++ b/scripts/nfs-ports-allow.sh
>> @@ -36,10 +36,10 @@ function add_accept_rules {
>>   local server=$1
>>   local port=$2
>>   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server 
>> --sport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
>> --dport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server 
>> --sport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
>> --dport $port -j ACCEPT
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>> $server --sport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
>> $server --dport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>> $server --sport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
>> $server --dport $port -j ACCEPT
>>   }
>> function iptables_allow_nfs_ports {
>> @@ -63,10 +63,10 @@ function allow_portmapper_port {
>>   local server=$1
>>   local port=111
>>   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server 
>> --sport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
>> --dport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server 
>> --sport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
>> --dport $port -j ACCEPT
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>> $server --sport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
>> $server --dport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>> $server --sport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
>> $server --dport $port -j ACCEPT
>>   }
>> for s in $servers; do
>>
>>
> 


Re: [Devel] [PATCH] scripts: add "-w" to iptables command

2017-09-28 Thread Pavel Tikhomirov
Can we have this script running with an older iptables version which does
not have "-w"?


On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:

Needed to support new versions of iptables.

https://jira.sw.ru/browse/PSBM-73153

Signed-off-by: Stanislav Kinsburskiy 
---
  scripts/nfs-ports-allow.sh |   16 
  1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
index 97541dc..ac5cf5f 100644
--- a/scripts/nfs-ports-allow.sh
+++ b/scripts/nfs-ports-allow.sh
@@ -36,10 +36,10 @@ function add_accept_rules {
local server=$1
local port=$2
  
-	${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT &&

-   ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport 
$port -j ACCEPT &&
-   ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport 
$port -j ACCEPT &&
-   ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
--dport $port -j ACCEPT
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server 
--sport $port -j ACCEPT &&
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
--dport $port -j ACCEPT &&
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server 
--sport $port -j ACCEPT &&
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
$server --dport $port -j ACCEPT
  }
  
  function iptables_allow_nfs_ports {
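Review bot: the commit message should state the real reason for `-w` rather than "support new versions": since iptables 1.4.20 the binary takes the xtables lock and, without `-w`, fails immediately with "Another app is currently holding the xtables lock" when another iptables invocation is running, so this `&&` chain breaks intermittently under concurrency; `-w` makes it wait instead. A bare `-w` waits without bound, so on versions that accept a timeout argument `-w 10` (or similar) would keep a stuck lock holder from hanging the restore hook. Note also that `-w` sits between `${IPTABLES}` and `-I` as a regular option, so an iptables binary that does not know it reports an unknown option and exits non-zero rather than ignoring it; the compatibility question raised in this thread should be settled against the oldest iptables VZ7 ships, not assumed.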

@@ -63,10 +63,10 @@ function allow_portmapper_port {
local server=$1
local port=111
  
-	${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT &&

-   ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport 
$port -j ACCEPT &&
-   ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport 
$port -j ACCEPT &&
-   ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
--dport $port -j ACCEPT
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server 
--sport $port -j ACCEPT &&
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
--dport $port -j ACCEPT &&
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server 
--sport $port -j ACCEPT &&
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
$server --dport $port -j ACCEPT
  }
  
  for s in $servers; do
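Review bot: `allow_portmapper_port` repeats the four rules of `add_accept_rules` with `port=111` and only the udp/tcp order swapped, which is why the same `-w` edit had to be made twice; replacing its body with `add_accept_rules "$server" 111` leaves one copy of the rule set to maintain. Separately, the `&&` chain stops at the first failing insert but does not remove the rules already inserted, so a failure (lock timeout, unknown option on an old iptables) leaves a partially opened table; either clean up on failure or document that the caller handles it.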





--
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.
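Whether the script keeps working on an iptables that predates `-w` can be decided inside the script instead of being assumed. The POSIX shell snippet below is an added example, not part of the patch or of the Virtuozzo scripts: it derives the xtables-lock arguments from the string `iptables --version` prints, passing nothing on versions before the option existed, a bare `-w` where only that is accepted, and `-w SECONDS` where a timeout is accepted. The version boundaries it uses (the option from 1.4.20, the optional timeout from 1.6.0) and the 10-second default are assumptions made here, not statements from the thread; check them against the changelog of the iptables versions VZ7 actually ships.

```shell
#!/bin/sh
# Added example (not from the patch or the Virtuozzo scripts): pick the xtables
# lock arguments for the installed iptables from its version string, instead of
# assuming that an unknown "-w" is tolerated.
#
# Assumed version boundaries (verify against the iptables changelog):
#   <  1.4.20  no -w option at all
#   >= 1.4.20  "-w" waits for the xtables lock, without a bound
#   >= 1.6.0   "-w SECONDS" waits at most SECONDS
WAIT_FIRST=1.4.20
WAIT_TIMEOUT_FIRST=1.6.0

# version_ge A B: succeed if dotted version A is >= B, comparing numerically
# field by field (so 1.10.0 > 1.9.9); missing fields count as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.]"); nb = split(b, y, "[.]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi != yi) exit (xi < yi)   # status 1 only when A < B
        }
        exit 0
    }'
}

# xtables_wait_args VERSION_STRING [TIMEOUT]: print "", "-w" or "-w TIMEOUT"
# for a string such as "iptables v1.4.21" as printed by "iptables --version".
# An unparseable or empty string yields "" so callers fall back to the old
# behaviour.
xtables_wait_args() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*v\([0-9][0-9.]*\).*/\1/p')
    timeout=${2:-10}
    if version_ge "$ver" "$WAIT_TIMEOUT_FIRST"; then
        printf '%s' "-w $timeout"
    elif version_ge "$ver" "$WAIT_FIRST"; then
        printf '%s' "-w"
    else
        printf '%s' ""
    fi
}

# iptables_wait_args [BINARY] [TIMEOUT]: the same, probing the real binary.
iptables_wait_args() {
    bin=${1:-iptables}
    xtables_wait_args "$("$bin" --version 2>/dev/null)" "${2:-10}"
}

# How nfs-ports-allow.sh could use it (hypothetical; ${IPTABLES} and the other
# variables are the script's own). IPT_WAIT is deliberately left unquoted so
# that "-w 10" expands to two arguments:
#   IPT_WAIT=$(iptables_wait_args "${IPTABLES}")
#   ${JOIN_CT} ${IPTABLES} $IPT_WAIT -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s "$server" --sport "$port" -j ACCEPT
```

The probe costs one extra `iptables --version` per script run, which is cheap next to the eight rule inserts; computing `IPT_WAIT` once at the top of the script and reusing it in both functions keeps it that way.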