Re: [Devel] double faults in Virtuozzo KVM
On Thursday, September 28, 2017, Roman Kagan wrote:
> On Thu, Sep 28, 2017 at 05:55:51PM +0300, Denis Kirjanov wrote:
> > Hi, we're seeing double faults in async_page_fault.
>
> async_page_fault is the #PF handler in KVM guests. It filters out
> specially crafted #PF's from the host; the rest fall through to the
> regular #PF handler. So most likely you're seeing genuine #PFs,
> unrelated to virtualization.
>
> > _Some_ of them are related to the fact that during the faults RSP points
> > to userspace and it leads to a double-fault scenario.
>
> The postmortem you quote doesn't support that.

I'll post a relevant trace.

> > Is it a known problem?
>
> There used to be a bug in async pagefault machinery which caused L0
> hypervisor to inject async pagefaults into L2 guest instead of L1. This
> must've been fixed in sufficiently recent

Yep, I saw the patch and it's IMHO about a different thing. The patch fixes the wrong PF injected into an unrelated guest, and thus a guest ends up with the 'CPU stuck' messages since it can't get the requested page.

> I'd guess the problem is with your kernel. Doesn't it reproduce on bare
> metal?
> > [11587.895394] Hardware name: Virtuozzo KVM, BIOS 1.9.1-5.3.2.vz7.6 04/01/2014
> > [11587.895394] task: 88020bee ti: 880204b6 task.ti: 880204b6
> > [11587.895394] RIP: 0010:[] [] async_page_fault+0xd/0x30
> > [11587.895394] RSP: 002b:880234f61fd8 EFLAGS: 00010096
> > [11587.895394] RAX: 816a192c RBX: 0001 RCX: 816a192c
> > [11587.895394] RDX: 88023fc03fc0 RSI: RDI: 880234f62098
> > [11587.895394] RBP: 880234f62088 R08: 88023fbfffc0 R09: 88003642af00
> > [11587.895394] R10: 8000 R11: R12: 88023fc04f58
> > [11587.895394] R13: 0028 R14: R15:
> > [11587.895394] FS: 7ff80ffc1880() GS:88023fc0() knlGS:
> > [11587.895394] CS: 0010 DS: ES: CR0: 8005003b
> > [11587.895394] CR2: 880234f61fc8 CR3: b9436000 CR4: 07f0
> > [11587.895394] DR0: DR1: DR2:
> > [11587.895394] DR3: DR6: 0ff0 DR7: 0400
> > [11587.895394] Stack:
> > [11587.895394] c7e9e11c7f44 270f05836600 9090fb02 be0001b9d231
> > [11587.895394] e8df8948 000231a6fba8 00010008
> > [11587.895394] 0002 0003
> > [11587.895394] Call Trace:
> > [11587.895394] Code: 48 89 e7 48 8b 74 24 78 48 c7 44 24 78 ff ff ff ff e8 78 3d 00 00 e9 33 02 00 00 0f 1f 00 66 66 90 66 66 90 66 66 90 48 83 ec 78 7e 01 00 00 48 89 e7 48 8b 74 24 78 48 c7 44 24 78 ff ff ff
> > [11587.895394] RIP [] async_page_fault+0xd/0x30
> > [11587.895394] RSP
>
> Roman.

___
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
Re: [Devel] double faults in Virtuozzo KVM
Dear Denis,
no, we know nothing about this problem. Could you please create a bug in OpenVZ Jira?

Thank you,
Vasily Averin

On 2017-09-28 17:55, Denis Kirjanov wrote:
> Hi, we're seeing double faults in async_page_fault.
> _Some_ of them are related to the fact that during the faults RSP points
> to userspace and it leads to a double-fault scenario.
>
> Is it a known problem?
>
> Thanks!
>
> [11587.895394] Hardware name: Virtuozzo KVM, BIOS 1.9.1-5.3.2.vz7.6 04/01/2014
> [11587.895394] task: 88020bee ti: 880204b6 task.ti: 880204b6
> [11587.895394] RIP: 0010:[] [] async_page_fault+0xd/0x30
> [11587.895394] RSP: 002b:880234f61fd8 EFLAGS: 00010096
> [11587.895394] RAX: 816a192c RBX: 0001 RCX: 816a192c
> [11587.895394] RDX: 88023fc03fc0 RSI: RDI: 880234f62098
> [11587.895394] RBP: 880234f62088 R08: 88023fbfffc0 R09: 88003642af00
> [11587.895394] R10: 8000 R11: R12: 88023fc04f58
> [11587.895394] R13: 0028 R14: R15:
> [11587.895394] FS: 7ff80ffc1880() GS:88023fc0() knlGS:
> [11587.895394] CS: 0010 DS: ES: CR0: 8005003b
> [11587.895394] CR2: 880234f61fc8 CR3: b9436000 CR4: 07f0
> [11587.895394] DR0: DR1: DR2:
> [11587.895394] DR3: DR6: 0ff0 DR7: 0400
> [11587.895394] Stack:
> [11587.895394] c7e9e11c7f44 270f05836600 9090fb02 be0001b9d231
> [11587.895394] e8df8948 000231a6fba8 00010008
> [11587.895394] 0002 0003
> [11587.895394] Call Trace:
> [11587.895394] Code: 48 89 e7 48 8b 74 24 78 48 c7 44 24 78 ff ff ff ff e8 78 3d 00 00 e9 33 02 00 00 0f 1f 00 66 66 90 66 66 90 66 66 90 48 83 ec 78 7e 01 00 00 48 89 e7 48 8b 74 24 78 48 c7 44 24 78 ff ff ff
> [11587.895394] RIP [] async_page_fault+0xd/0x30
> [11587.895394] RSP
[Devel] double faults in Virtuozzo KVM
Hi, we're seeing double faults in async_page_fault.
_Some_ of them are related to the fact that during the faults RSP points to userspace and it leads to a double-fault scenario.

Is it a known problem?

Thanks!

[11587.895394] Hardware name: Virtuozzo KVM, BIOS 1.9.1-5.3.2.vz7.6 04/01/2014
[11587.895394] task: 88020bee ti: 880204b6 task.ti: 880204b6
[11587.895394] RIP: 0010:[] [] async_page_fault+0xd/0x30
[11587.895394] RSP: 002b:880234f61fd8 EFLAGS: 00010096
[11587.895394] RAX: 816a192c RBX: 0001 RCX: 816a192c
[11587.895394] RDX: 88023fc03fc0 RSI: RDI: 880234f62098
[11587.895394] RBP: 880234f62088 R08: 88023fbfffc0 R09: 88003642af00
[11587.895394] R10: 8000 R11: R12: 88023fc04f58
[11587.895394] R13: 0028 R14: R15:
[11587.895394] FS: 7ff80ffc1880() GS:88023fc0() knlGS:
[11587.895394] CS: 0010 DS: ES: CR0: 8005003b
[11587.895394] CR2: 880234f61fc8 CR3: b9436000 CR4: 07f0
[11587.895394] DR0: DR1: DR2:
[11587.895394] DR3: DR6: 0ff0 DR7: 0400
[11587.895394] Stack:
[11587.895394] c7e9e11c7f44 270f05836600 9090fb02 be0001b9d231
[11587.895394] e8df8948 000231a6fba8 00010008
[11587.895394] 0002 0003
[11587.895394] Call Trace:
[11587.895394] Code: 48 89 e7 48 8b 74 24 78 48 c7 44 24 78 ff ff ff ff e8 78 3d 00 00 e9 33 02 00 00 0f 1f 00 66 66 90 66 66 90 66 66 90 48 83 ec 78 7e 01 00 00 48 89 e7 48 8b 74 24 78 48 c7 44 24 78 ff ff ff
[11587.895394] RIP [] async_page_fault+0xd/0x30
[11587.895394] RSP
[Devel] [PATCH rh7] ms/mm: mempool: kasan: don't put mempool objects in quarantine
Currently we may put elements reserved by mempool into quarantine via kasan_kfree(). This is totally wrong since quarantine may really free these objects. So when mempool tries to use such an element, a use-after-free will happen. Or mempool may decide that it no longer needs that element and double-free it.

So don't put the object into quarantine in kasan_kfree(), just poison it. Rename kasan_kfree() to kasan_poison_kfree() to respect that.

Also, we shouldn't use kasan_slab_alloc()/kasan_krealloc() in kasan_unpoison_element() because those functions may update the allocation stacktrace. This would be wrong for most of the remove_element call sites. (The only call site where we may want to update the alloc stacktrace is in mempool_alloc(). Kmemleak solves this by calling kmemleak_update_trace(), so we could make something like that too. But this is out of scope of this patch).

Fixes: 55834c59098d ("mm: kasan: initial memory quarantine implementation")
Link: http://lkml.kernel.org/r/575977c3.1010...@virtuozzo.com
Signed-off-by: Andrey Ryabinin
Reported-by: Kuthonuzo Luruo
Acked-by: Alexander Potapenko
Cc: Dmitriy Vyukov
Cc: Kostya Serebryany
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds

https://jira.sw.ru/browse/PSBM-73165
(cherry picked from commit 9b75a867cc9ddbafcaf35029358ac500f2635ff3)
Signed-off-by: Andrey Ryabinin
---
 include/linux/kasan.h | 9 +
 mm/kasan/kasan.c | 6 +++---
 mm/mempool.c | 12
 3 files changed, 12 insertions(+), 15 deletions(-)

diff --git a/include/linux/kasan.h b/include/linux/kasan.h
index 21cedc322d9a..5dc6eef8351d 100644
--- a/include/linux/kasan.h
+++ b/include/linux/kasan.h
@@ -50,14 +50,13 @@ void kasan_init_slab_obj(struct kmem_cache *cache, const void *object); void kasan_kmalloc_large(const void *ptr, size_t size, gfp_t flags); void kasan_kfree_large(const void *ptr); -void kasan_kfree(void *ptr); +void kasan_poison_kfree(void *ptr); void kasan_kmalloc(struct kmem_cache *s, const void *object, size_t size, gfp_t flags); void kasan_krealloc(const void *object, size_t new_size, gfp_t flags); void kasan_slab_alloc(struct kmem_cache *s, void *object, gfp_t flags); bool kasan_slab_free(struct kmem_cache *s, void *object); -void kasan_poison_slab_free(struct kmem_cache *s, void *object); struct kasan_cache { int alloc_meta_offset; @@ -67,6 +66,8 @@ struct kasan_cache { int kasan_module_alloc(void *addr, size_t size); void kasan_free_shadow(const struct vm_struct *vm); +size_t ksize(const void *); +static inline void kasan_unpoison_slab(const void *ptr) { ksize(ptr); } size_t kasan_metadata_size(struct kmem_cache *cache); #else /* CONFIG_KASAN */ @@ -95,7 +96,7 @@ static inline void kasan_init_slab_obj(struct kmem_cache *cache, static inline void kasan_kmalloc_large(void *ptr, size_t size, gfp_t flags) {} static inline void kasan_kfree_large(const void *ptr) {} -static inline void kasan_kfree(void *ptr) {} +static inline void kasan_poison_kfree(void *ptr) {} static inline void kasan_kmalloc(struct kmem_cache *s, const void *object, size_t size, gfp_t flags) {} static inline void kasan_krealloc(const void *object, size_t new_size, @@ -107,11 +108,11 @@ static inline bool kasan_slab_free(struct kmem_cache *s, void *object) { return false; } -static inline void kasan_poison_slab_free(struct kmem_cache *s, void *object) {} static inline int kasan_module_alloc(void *addr, size_t size) { return 0; } static inline void kasan_free_shadow(const struct vm_struct *vm) {} +static inline void kasan_unpoison_slab(const void *ptr) { } static inline size_t kasan_metadata_size(struct kmem_cache *cache) { return 0; } #endif /* CONFIG_KASAN */ 
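Review bot: the second kasan.h hunk's `static inline void kasan_unpoison_slab(const void *ptr) { ksize(ptr); }` depends on a side effect of ksize() (it unpoisons the object's shadow) that nothing at the call site documents, and on ksize() not doing what the commit message says kasan_unpoison_element() must avoid, namely rewriting the allocation stack trace; the `size_t ksize(const void *);` prototype is redeclared in kasan.h for the same reason. Please add a one-line comment above the helper saying this is deliberate, so a later cleanup does not "simplify" it into a no-op. The same file drops the `kasan_poison_slab_free()` prototype and its !CONFIG_KASAN stub, but the mm/mempool.c part of the diffstat (12 lines) is not in the archived message, so the remaining callers of that function and of the renamed `kasan_kfree()` cannot be checked here; please confirm a CONFIG_KASAN=y build of the rh7 tree.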
diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c index 8b9531312417..33bc171b5625 100644 --- a/mm/kasan/kasan.c +++ b/mm/kasan/kasan.c @@ -482,7 +482,7 @@ void kasan_slab_alloc(struct kmem_cache *cache, void *object, gfp_t flags) kasan_kmalloc(cache, object, cache->object_size, flags); } -void kasan_poison_slab_free(struct kmem_cache *cache, void *object) +static void kasan_poison_slab_free(struct kmem_cache *cache, void *object) { unsigned long size = cache->object_size; unsigned long rounded_up_size = round_up(size, KASAN_SHADOW_SCALE_SIZE); @@ -581,7 +581,7 @@ void kasan_krealloc(const void *object, size_t size, gfp_t flags) kasan_kmalloc(page->slab_cache, object, size, flags); } -void kasan_kfree(void *ptr) +void kasan_poison_kfree(void *ptr) { struct page *page; @@ -591,7 +591,7 @@ void kasan_kfree(void *ptr) kasan_poison_shadow(ptr, PAGE_SIZE << compound_order(page), KASAN_FREE_PAGE);
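Review bot: the archived diff stops in the middle of the kasan_poison_kfree() hunk, right after `kasan_poison_shadow(ptr, PAGE_SIZE << compound_order(page), KASAN_FREE_PAGE);`, which is the large-page branch; the slab-object branch that follows, where the commit message says the object must now be poisoned without entering the quarantine, is not visible, and neither is the mm/mempool.c hunk that switches the pool over to kasan_poison_kfree()/kasan_unpoison_slab(). What is shown is consistent with the description (kasan_poison_slab_free() becomes static and is defined before kasan_poison_kfree(), so no forward declaration is needed if the latter calls it), but the part that actually fixes the use-after-free and double free described in the message cannot be reviewed from this copy; please repost the complete diff.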
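The failure the commit message describes (a reserved element is quarantined, the quarantine later really frees it behind the pool's back, and the pool then hands it out or frees it again) can be played out in user space. The program below is an added example, not kernel code and not part of the patch: the slab, the quarantine and the mempool are toy stand-ins with made-up sizes, and every function name is the model's own. `run_scenario(true)` wires the reserve refill to the old kasan_kfree() behaviour (poison and quarantine), `run_scenario(false)` to kasan_poison_kfree() (poison only); both are run through the same allocation pattern and the counters show the difference.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NOBJ       16  /* slots in the toy slab (all sizes here are assumptions) */
#define QUARANTINE 4   /* delayed frees held before the oldest is really freed */
#define MIN_NR     2   /* elements the toy mempool keeps in reserve */

enum state { S_FREE, S_ALLOC };
static enum state slab_state[NOBJ];
static bool poisoned[NOBJ], slab_oom;  /* KASAN shadow flag; "kmalloc() now fails" flag */
static int quarantine[QUARANTINE], q_len, uaf_count, double_free_count;

static int slab_alloc(void)          /* kmalloc(): first free slot, -1 under pressure */
{
    for (int i = 0; i < NOBJ && !slab_oom; i++)
        if (slab_state[i] == S_FREE) {
            slab_state[i] = S_ALLOC;
            poisoned[i] = false;
            return i;
        }
    return -1;
}
static void slab_free_real(int obj)  /* the real free: the slot becomes reusable */
{
    if (slab_state[obj] == S_FREE) double_free_count++;
    slab_state[obj] = S_FREE;
}
static void quarantine_put(int obj)  /* KASAN quarantine: bounded FIFO of delayed frees */
{
    if (q_len == QUARANTINE) {       /* full: really free the oldest entry */
        slab_free_real(quarantine[0]);
        memmove(quarantine, quarantine + 1, sizeof(int) * --q_len);
    }
    quarantine[q_len++] = obj;
}
static void quarantine_flush(void) { while (q_len) slab_free_real(quarantine[--q_len]); }
/* kfree() under KASAN: poison, then quarantine. Right for a genuine free. */
static void kasan_kfree_quarantine(int obj) { poisoned[obj] = true; quarantine_put(obj); }
/* kasan_poison_kfree(): poison only, because the owner keeps the object. */
static void kasan_poison_only(int obj) { poisoned[obj] = true; }

struct mempool { int elements[MIN_NR]; int curr_nr; bool bug; };
static void mempool_add_element(struct mempool *p, int obj)   /* return obj to the reserve */
{
    if (p->bug) kasan_kfree_quarantine(obj);   /* old kasan_kfree(): pool still owns obj */
    else        kasan_poison_only(obj);        /* kasan_poison_kfree() */
    p->elements[p->curr_nr++] = obj;
}
static int mempool_remove_element(struct mempool *p)          /* take obj from the reserve */
{
    int obj = p->elements[--p->curr_nr];
    poisoned[obj] = false;                     /* kasan_unpoison_element() */
    if (slab_state[obj] == S_FREE) uaf_count++; /* the reserve hands out freed memory */
    return obj;
}
static int mempool_alloc(struct mempool *p)
{
    int obj = slab_alloc();
    return obj >= 0 ? obj : p->curr_nr ? mempool_remove_element(p) : -1;
}
static void mempool_free(struct mempool *p, int obj)
{
    if (p->curr_nr < MIN_NR) mempool_add_element(p, obj);  /* refill the reserve */
    else kasan_kfree_quarantine(obj);                      /* genuine kfree() */
}
static void mempool_destroy(struct mempool *p)                /* kfree() the whole reserve */
{ while (p->curr_nr) kasan_kfree_quarantine(p->elements[--p->curr_nr]); }

struct outcome { int uaf, double_free; bool reserve_poisoned; };
/* One allocation pattern, run with the old hook (bug=true) or the new one (bug=false). */
struct outcome run_scenario(bool bug)
{
    struct mempool pool = { .curr_nr = 0, .bug = bug };
    int churn[2 * QUARANTINE];
    bool reserve_poisoned;
    memset(slab_state, 0, sizeof slab_state);
    memset(poisoned, 0, sizeof poisoned);
    slab_oom = false;
    q_len = uaf_count = double_free_count = 0;
    while (pool.curr_nr < MIN_NR)                 /* mempool_create(): fill the reserve */
        mempool_add_element(&pool, slab_alloc());
    for (int i = 0; i < 2 * QUARANTINE; i++)      /* unrelated kmalloc() calls ... */
        churn[i] = slab_alloc();
    for (int i = 0; i < 2 * QUARANTINE; i++)      /* ... whose kfree() rolls the quarantine */
        kasan_kfree_quarantine(churn[i]);         /* over: with the bug, the reserve is freed */
    slab_oom = true;                              /* memory pressure: kmalloc() fails, so */
    mempool_free(&pool, mempool_alloc(&pool));    /* the reserve is used, then refilled */
    reserve_poisoned = poisoned[pool.elements[pool.curr_nr - 1]];
    mempool_destroy(&pool);                       /* mempool_destroy(): kfree() the reserve */
    quarantine_flush();
    return (struct outcome){ uaf_count, double_free_count, reserve_poisoned };
}

int main(void)
{
    struct outcome old = run_scenario(true), fixed = run_scenario(false);
    printf("kasan_kfree(): uaf=%d double_free=%d; kasan_poison_kfree(): uaf=%d double_free=%d\n",
           old.uaf, old.double_free, fixed.uaf, fixed.double_free);
}
```

With the old hook the pool's two reserved elements are the oldest quarantine entries, so the churn evicts and really frees them while `pool.elements[]` still points at them: the next reserve allocation is a use-after-free, and `mempool_destroy()` plus the final flush free the same slot more than once. With poison-only the element is still flagged untouchable in the shadow (so a stray write to it is still caught) but only the pool ever frees it.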
Re: [Devel] [PATCH] scripts: add "-w" to iptables command
The oldest version from VZ7, I suppose. I don't know which it is.

On 28.09.2017 13:58, Stanislav Kinsburskiy wrote:
> How old should it be?
> I checked with v1.4.21
>
> 28.09.2017 12:55, Kirill Tkhai wrote:
>> Could you please say whether it will work on old iptables?
>>
>> On 28.09.2017 13:03, Stanislav Kinsburskiy wrote:
>>> What a brilliant idea it was to ignore unknown keys.
>>> Should take it into account.
>>>
>>> 28.09.2017 10:26, Vasily Averin wrote:
kthai@ explained that old version of iptables ignores unknown keys, so adding -w is safe.

On 2017-09-28 10:40, Pavel Tikhomirov wrote:
> Can we have these scripts running with an older iptables version which does
> not have "-w"?
>
> On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
>> Needed to support new versions of iptables.
>>
>> https://jira.sw.ru/browse/PSBM-73153
>>
>> Signed-off-by: Stanislav Kinsburskiy
>> ---
>> scripts/nfs-ports-allow.sh | 16
>> 1 file changed, 8 insertions(+), 8 deletions(-)
>>
>> diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
>> index 97541dc..ac5cf5f 100644
>> --- a/scripts/nfs-ports-allow.sh
>> +++ b/scripts/nfs-ports-allow.sh
>> @@ -36,10 +36,10 @@ function add_accept_rules { >> local server=$1 >> local port=$2 >> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s >> $server --sport $port -j ACCEPT && >> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d >> $server --dport $port -j ACCEPT && >> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s >> $server --sport $port -j ACCEPT && >> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d >> $server --dport $port -j ACCEPT >> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s >> $server --sport $port -j ACCEPT && >> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d >> $server --dport $port -j ACCEPT && >> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s >> $server --sport $port -j ACCEPT && >> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d >> $server --dport $port -j ACCEPT >> } >> function iptables_allow_nfs_ports { 
>> @@ -63,10 +63,10 @@ function allow_portmapper_port { >> local server=$1 >> local port=111 >> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s >> $server --sport $port -j ACCEPT && >> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d >> $server --dport $port -j ACCEPT && >> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s >> $server --sport $port -j ACCEPT && >> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d >> $server --dport $port -j ACCEPT >> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s >> $server --sport $port -j ACCEPT && >> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d >> $server --dport $port -j ACCEPT && >> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s >> $server --sport $port -j ACCEPT && >> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d >> $server --dport $port -j ACCEPT >> } >> for s in $servers; do >> >> ___ >> Devel mailing list >> Devel@openvz.org >> https://lists.openvz.org/mailman/listinfo/devel >> > ___ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel >>> ___ >>> Devel mailing list >>> Devel@openvz.org >>> https://lists.openvz.org/mailman/listinfo/devel >>> ___ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
Re: [Devel] [PATCH] scripts: add "-w" to iptables command
How old should it be?
I checked with v1.4.21

28.09.2017 12:55, Kirill Tkhai wrote:
> Could you please say whether it will work on old iptables?
>
> On 28.09.2017 13:03, Stanislav Kinsburskiy wrote:
>> What a brilliant idea it was to ignore unknown keys.
>> Should take it into account.
>>
>> 28.09.2017 10:26, Vasily Averin wrote:
>>> kthai@ explained that old version of iptables ignores unknown keys, so
>>> adding -w is safe.
>>>
>>> On 2017-09-28 10:40, Pavel Tikhomirov wrote:
Can we have these scripts running with an older iptables version which does not have "-w"?

On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
> Needed to support new versions of iptables.
>
> https://jira.sw.ru/browse/PSBM-73153
>
> Signed-off-by: Stanislav Kinsburskiy
> ---
> scripts/nfs-ports-allow.sh | 16
> 1 file changed, 8 insertions(+), 8 deletions(-)
>
> diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
> index 97541dc..ac5cf5f 100644
> --- a/scripts/nfs-ports-allow.sh
> +++ b/scripts/nfs-ports-allow.sh
> @@ -36,10 +36,10 @@ function add_accept_rules { > local server=$1 > local port=$2 > -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s > $server --sport $port -j ACCEPT && > -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d > $server --dport $port -j ACCEPT && > -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s > $server --sport $port -j ACCEPT && > -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d > $server --dport $port -j ACCEPT > +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s > $server --sport $port -j ACCEPT && > +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d > $server --dport $port -j ACCEPT && > +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s > $server --sport $port -j ACCEPT && > +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d > $server --dport $port -j ACCEPT > } > function iptables_allow_nfs_ports {
> @@ -63,10 +63,10 @@ function allow_portmapper_port { > local server=$1 > local port=111 > -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s > $server --sport $port -j ACCEPT && > -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d > $server --dport $port -j ACCEPT && > -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s > $server --sport $port -j ACCEPT && > -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d > $server --dport $port -j ACCEPT > +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s > $server --sport $port -j ACCEPT && > +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d > $server --dport $port -j ACCEPT && > +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s > $server --sport $port -j ACCEPT && > +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d > $server --dport $port -j ACCEPT > } > for s in $servers; do > > ___ > Devel mailing list > Devel@openvz.org > https://lists.openvz.org/mailman/listinfo/devel > >>> ___ >>> Devel mailing list >>> Devel@openvz.org >>> https://lists.openvz.org/mailman/listinfo/devel >>> >> ___ >> Devel mailing list >> Devel@openvz.org >> https://lists.openvz.org/mailman/listinfo/devel >> ___ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
Re: [Devel] [PATCH] scripts: add "-w" to iptables command
Could you please say whether it will work on old iptables?

On 28.09.2017 13:03, Stanislav Kinsburskiy wrote:
> What a brilliant idea it was to ignore unknown keys.
> Should take it into account.
>
> 28.09.2017 10:26, Vasily Averin wrote:
>> kthai@ explained that old version of iptables ignores unknown keys, so
>> adding -w is safe.
>>
>> On 2017-09-28 10:40, Pavel Tikhomirov wrote:
>>> Can we have these scripts running with an older iptables version which does not
>>> have "-w"?
>>>
>>> On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
Needed to support new versions of iptables.

https://jira.sw.ru/browse/PSBM-73153

Signed-off-by: Stanislav Kinsburskiy
---
scripts/nfs-ports-allow.sh | 16
1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
index 97541dc..ac5cf5f 100644
--- a/scripts/nfs-ports-allow.sh
+++ b/scripts/nfs-ports-allow.sh
@@ -36,10 +36,10 @@ function add_accept_rules { local server=$1 local port=$2 -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT && -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport $port -j ACCEPT && -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT && -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport $port -j ACCEPT +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT && +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport $port -j ACCEPT && +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT && +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport $port -j ACCEPT } function iptables_allow_nfs_ports {
@@ -63,10 +63,10 @@ function allow_portmapper_port { local server=$1 local port=111 -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT && -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport $port -j ACCEPT && -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT && -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport $port -j ACCEPT +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT && +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport $port -j ACCEPT && +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT && +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport $port -j ACCEPT } for s in $servers; do ___ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel >>> >> ___ >> Devel mailing list >> Devel@openvz.org >> https://lists.openvz.org/mailman/listinfo/devel >> > ___ > Devel mailing list > Devel@openvz.org > https://lists.openvz.org/mailman/listinfo/devel > ___ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
Re: [Devel] [PATCH] scripts: add "-w" to iptables command
iptables-restore does ignore them.

On 28.09.2017 11:26, Vasily Averin wrote:
> kthai@ explained that old version of iptables ignores unknown keys, so adding
> -w is safe.
>
> On 2017-09-28 10:40, Pavel Tikhomirov wrote:
>> Can we have these scripts running with an older iptables version which does not
>> have "-w"?
>>
>> On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
>>> Needed to support new versions of iptables.
>>>
>>> https://jira.sw.ru/browse/PSBM-73153
>>>
>>> Signed-off-by: Stanislav Kinsburskiy
>>> ---
>>> scripts/nfs-ports-allow.sh | 16
>>> 1 file changed, 8 insertions(+), 8 deletions(-)
>>>
>>> diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
>>> index 97541dc..ac5cf5f 100644
>>> --- a/scripts/nfs-ports-allow.sh
>>> +++ b/scripts/nfs-ports-allow.sh
>>> @@ -36,10 +36,10 @@ function add_accept_rules { >>> local server=$1 >>> local port=$2 >>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s >>> $server --sport $port -j ACCEPT && >>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server >>> --dport $port -j ACCEPT && >>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server >>> --sport $port -j ACCEPT && >>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server >>> --dport $port -j ACCEPT >>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s >>> $server --sport $port -j ACCEPT && >>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d >>> $server --dport $port -j ACCEPT && >>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s >>> $server --sport $port -j ACCEPT && >>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d >>> $server --dport $port -j ACCEPT >>> } >>> function iptables_allow_nfs_ports {
>>> @@ -63,10 +63,10 @@ function allow_portmapper_port { >>> local server=$1 >>> local port=111 >>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s >>> $server --sport $port -j ACCEPT && >>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server >>> --dport $port -j ACCEPT && >>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server >>> --sport $port -j ACCEPT && >>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server >>> --dport $port -j ACCEPT >>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s >>> $server --sport $port -j ACCEPT && >>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d >>> $server --dport $port -j ACCEPT && >>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s >>> $server --sport $port -j ACCEPT && >>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d >>> $server --dport $port -j ACCEPT >>> } >>> for s in $servers; do >>> >>> ___ >>> Devel mailing list >>> Devel@openvz.org >>> https://lists.openvz.org/mailman/listinfo/devel >>> >> > ___ > Devel mailing list > Devel@openvz.org > https://lists.openvz.org/mailman/listinfo/devel > ___ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
Re: [Devel] [PATCH] scripts: add "-w" to iptables command
What a brilliant idea it was to ignore unknown keys.
Should take it into account.

28.09.2017 10:26, Vasily Averin wrote:
> kthai@ explained that old version of iptables ignores unknown keys, so adding
> -w is safe.
>
> On 2017-09-28 10:40, Pavel Tikhomirov wrote:
>> Can we have these scripts running with an older iptables version which does not
>> have "-w"?
>>
>> On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
>>> Needed to support new versions of iptables.
>>>
>>> https://jira.sw.ru/browse/PSBM-73153
>>>
>>> Signed-off-by: Stanislav Kinsburskiy
>>> ---
>>> scripts/nfs-ports-allow.sh | 16
>>> 1 file changed, 8 insertions(+), 8 deletions(-)
>>>
>>> diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
>>> index 97541dc..ac5cf5f 100644
>>> --- a/scripts/nfs-ports-allow.sh
>>> +++ b/scripts/nfs-ports-allow.sh
>>> @@ -36,10 +36,10 @@ function add_accept_rules { >>> local server=$1 >>> local port=$2 >>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s >>> $server --sport $port -j ACCEPT && >>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server >>> --dport $port -j ACCEPT && >>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server >>> --sport $port -j ACCEPT && >>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server >>> --dport $port -j ACCEPT >>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s >>> $server --sport $port -j ACCEPT && >>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d >>> $server --dport $port -j ACCEPT && >>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s >>> $server --sport $port -j ACCEPT && >>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d >>> $server --dport $port -j ACCEPT >>> } >>> function iptables_allow_nfs_ports {
>>> @@ -63,10 +63,10 @@ function allow_portmapper_port { >>> local server=$1 >>> local port=111 >>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s >>> $server --sport $port -j ACCEPT && >>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server >>> --dport $port -j ACCEPT && >>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server >>> --sport $port -j ACCEPT && >>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server >>> --dport $port -j ACCEPT >>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s >>> $server --sport $port -j ACCEPT && >>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d >>> $server --dport $port -j ACCEPT && >>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s >>> $server --sport $port -j ACCEPT && >>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d >>> $server --dport $port -j ACCEPT >>> } >>> for s in $servers; do >>> >>> ___ >>> Devel mailing list >>> Devel@openvz.org >>> https://lists.openvz.org/mailman/listinfo/devel >>> >> > ___ > Devel mailing list > Devel@openvz.org > https://lists.openvz.org/mailman/listinfo/devel > ___ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
Re: [Devel] [PATCH] scripts: add "-w" to iptables command
kthai@ explained that old version of iptables ignores unknown keys, so adding -w is safe.

On 2017-09-28 10:40, Pavel Tikhomirov wrote:
> Can we have these scripts running with an older iptables version which does not
> have "-w"?
>
> On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
>> Needed to support new versions of iptables.
>>
>> https://jira.sw.ru/browse/PSBM-73153
>>
>> Signed-off-by: Stanislav Kinsburskiy
>> ---
>> scripts/nfs-ports-allow.sh | 16
>> 1 file changed, 8 insertions(+), 8 deletions(-)
>>
>> diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
>> index 97541dc..ac5cf5f 100644
>> --- a/scripts/nfs-ports-allow.sh
>> +++ b/scripts/nfs-ports-allow.sh
>> @@ -36,10 +36,10 @@ function add_accept_rules { >> local server=$1 >> local port=$2 >> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server >> --sport $port -j ACCEPT && >> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server >> --dport $port -j ACCEPT && >> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server >> --sport $port -j ACCEPT && >> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server >> --dport $port -j ACCEPT >> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s >> $server --sport $port -j ACCEPT && >> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d >> $server --dport $port -j ACCEPT && >> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s >> $server --sport $port -j ACCEPT && >> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d >> $server --dport $port -j ACCEPT >> } >> function iptables_allow_nfs_ports {
>> @@ -63,10 +63,10 @@ function allow_portmapper_port { >> local server=$1 >> local port=111 >> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server >> --sport $port -j ACCEPT && >> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server >> --dport $port -j ACCEPT && >> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server >> --sport $port -j ACCEPT && >> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server >> --dport $port -j ACCEPT >> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s >> $server --sport $port -j ACCEPT && >> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d >> $server --dport $port -j ACCEPT && >> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s >> $server --sport $port -j ACCEPT && >> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d >> $server --dport $port -j ACCEPT >> } >> for s in $servers; do >> >> ___ >> Devel mailing list >> Devel@openvz.org >> https://lists.openvz.org/mailman/listinfo/devel >> > ___ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
Re: [Devel] [PATCH] scripts: add "-w" to iptables command
Can we have these scripts running with an older iptables version which does not have "-w"?

On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
Needed to support new versions of iptables.

https://jira.sw.ru/browse/PSBM-73153

Signed-off-by: Stanislav Kinsburskiy
---
scripts/nfs-ports-allow.sh | 16
1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
index 97541dc..ac5cf5f 100644
--- a/scripts/nfs-ports-allow.sh
+++ b/scripts/nfs-ports-allow.sh
@@ -36,10 +36,10 @@ function add_accept_rules { local server=$1 local port=$2 - ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT && - ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport $port -j ACCEPT && - ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT && - ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport $port -j ACCEPT + ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT && + ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport $port -j ACCEPT && + ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT && + ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport $port -j ACCEPT } function iptables_allow_nfs_ports {
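Review bot: the commit message ("Needed to support new versions of iptables") should state the failure this hunk fixes: since iptables 1.4.20 the binary takes the xtables lock and, when another iptables instance holds it, exits with status 4 and "Another app is currently holding the xtables lock. Perhaps you want to use the -w option?" instead of waiting, so the `&&` chain in add_accept_rules stops at the first collision and the remaining ACCEPT rules for that server are never inserted. Two things to verify before merging: first, the thread's report that unknown keys are ignored was checked against iptables-restore, while this script runs ${IPTABLES} directly, and the iptables binary this reviewer knows rejects an unknown option rather than ignoring it, which would make every command in the chain fail on a pre-1.4.20 iptables; if such versions are in scope, probe once (for instance `${IPTABLES} -w -L -n >/dev/null 2>&1 && WAIT=-w`) and use `${WAIT}` in the rules. Second, the bare `-w` waits without limit; newer versions accept an optional timeout after -w, so if a hung restore hook is worse here than a missing rule, consider passing one where supported.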
@@ -63,10 +63,10 @@ function allow_portmapper_port { local server=$1 local port=111 - ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT && - ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport $port -j ACCEPT && - ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT && - ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport $port -j ACCEPT + ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT && + ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport $port -j ACCEPT && + ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT && + ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport $port -j ACCEPT } for s in $servers; do ___ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel -- Best regards, Tikhomirov Pavel Software Developer, Virtuozzo. ___ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
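Review bot: after this hunk allow_portmapper_port is add_accept_rules with the port hard-wired to 111 and the udp/tcp order swapped, and having to repeat the `-w` edit in eight places is the symptom; replace the function body with `add_accept_rules "$server" 111` so the next change to the iptables invocation (a timeout, a rule comment, a different table) happens once. Whether the caller of these functions checks their return value is not visible in the lines shown (`for s in $servers; do` is the only context); please make sure it does, because with the `&&` chain a single failing iptables call leaves the NFS port list half-applied with no error reported by the script.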