Re: [Devel] [PATCH] scripts: add "-w" to iptables command

2017-09-29 Thread Vasily Averin
Pavel,
this particular case is executed on the vz7 host only.
RHEL7 had started from iptables 1.4.21,
so it is safe for us.

Anyway thank you for your report, it was very useful!

On 2017-09-29 15:30, Pavel Tikhomirov wrote:
> It seems my comment missed the list, sorry...
> 
> [root@cat ~]# iptables -w -L || echo ERROR
> iptables v1.4.7: option `-w' requires an argument
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR
> 
> On 1.4.7 the -w option is not ignored but asks for an argument, with an error for me.
> Checked on cat.qa.sw.ru
> 
> On 09/28/2017 01:59 PM, Kirill Tkhai wrote:
>> The oldest version from VZ7, I suppose. I don't know which it is.
>>
>> On 28.09.2017 13:58, Stanislav Kinsburskiy wrote:
>>> How old should it be?
>>> I checked with v1.4.21
>>>
>>> 28.09.2017 12:55, Kirill Tkhai wrote:
>>>> Could you please say whether it will work on old iptables?
>>>>
>>>> On 28.09.2017 13:03, Stanislav Kinsburskiy wrote:
>>>>> What a brilliant idea it was to ignore unknown keys.
>>>>> Should take it into account.
>>>>>
>>>>> 28.09.2017 10:26, Vasily Averin wrote:
>>>>>> kthai@ explained that old version of iptables ignores unknown keys, so
>>>>>> adding -w is safe.
>>>>>>
>>>>>> On 2017-09-28 10:40, Pavel Tikhomirov wrote:
>>>>>>> Can we have these scripts running with an older iptables version which does
>>>>>>> not have "-w"?
>>>>>>>
>>>>>>> On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
>>>>>>>> Needed to support new versions of iptables.
>>>>>>>>
>>>>>>>> https://jira.sw.ru/browse/PSBM-73153
>>>>>>>>
>>>>>>>> Signed-off-by: Stanislav Kinsburskiy
 ---
scripts/nfs-ports-allow.sh |   16 
1 file changed, 8 insertions(+), 8 deletions(-)

 diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
 index 97541dc..ac5cf5f 100644
 --- a/scripts/nfs-ports-allow.sh
 +++ b/scripts/nfs-ports-allow.sh
 @@ -36,10 +36,10 @@ function add_accept_rules {
local server=$1
local port=$2
-${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
 $server --sport $port -j ACCEPT &&
 -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
 $server --dport $port -j ACCEPT &&
 -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
 $server --sport $port -j ACCEPT &&
 -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
 $server --dport $port -j ACCEPT
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
 $server --sport $port -j ACCEPT &&
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
 $server --dport $port -j ACCEPT &&
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
 $server --sport $port -j ACCEPT &&
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
 $server --dport $port -j ACCEPT
}
  function iptables_allow_nfs_ports {
 @@ -63,10 +63,10 @@ function allow_portmapper_port {
local server=$1
local port=111
-${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
 $server --sport $port -j ACCEPT &&
 -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
 $server --dport $port -j ACCEPT &&
 -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
 $server --sport $port -j ACCEPT &&
 -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
 $server --dport $port -j ACCEPT
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
 $server --sport $port -j ACCEPT &&
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
 $server --dport $port -j ACCEPT &&
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
 $server --sport $port -j ACCEPT &&
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
 $server --dport $port -j ACCEPT
}
  for s in $servers; do

 ___
 Devel mailing list
 Devel@openvz.org
 https://lists.openvz.org/mailman/listinfo/devel


Re: [Devel] [PATCH] scripts: add "-w" to iptables command

2017-09-29 Thread Pavel Tikhomirov

It seems my comment missed the list, sorry...

[root@cat ~]# iptables -w -L || echo ERROR
iptables v1.4.7: option `-w' requires an argument
Try `iptables -h' or 'iptables --help' for more information.
ERROR

On 1.4.7 the -w option is not ignored but asks for an argument, with an error
for me. Checked on cat.qa.sw.ru


On 09/28/2017 01:59 PM, Kirill Tkhai wrote:

The oldest version from VZ7, I suppose. I don't know which it is.

On 28.09.2017 13:58, Stanislav Kinsburskiy wrote:

How old should it be?
I checked with v1.4.21

28.09.2017 12:55, Kirill Tkhai wrote:

Could you please say whether it will work on old iptables?

On 28.09.2017 13:03, Stanislav Kinsburskiy wrote:

What a brilliant idea it was to ignore unknown keys.
Should take it into account.

28.09.2017 10:26, Vasily Averin wrote:

kthai@ explained that old version of iptables ignores unknown keys, so adding 
-w is safe.

On 2017-09-28 10:40, Pavel Tikhomirov wrote:

Can we have these scripts running with an older iptables version which does not have
"-w"?

On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:

Needed to support new versions of iptables.

https://jira.sw.ru/browse/PSBM-73153

Signed-off-by: Stanislav Kinsburskiy 
---
   scripts/nfs-ports-allow.sh |   16 
   1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
index 97541dc..ac5cf5f 100644
--- a/scripts/nfs-ports-allow.sh
+++ b/scripts/nfs-ports-allow.sh
@@ -36,10 +36,10 @@ function add_accept_rules {
   local server=$1
   local port=$2
   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport 
$port -j ACCEPT &&
-${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport 
$port -j ACCEPT &&
-${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport 
$port -j ACCEPT &&
-${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
--dport $port -j ACCEPT
+${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport 
$port -j ACCEPT &&
+${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport 
$port -j ACCEPT &&
+${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport 
$port -j ACCEPT &&
+${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
--dport $port -j ACCEPT
   }
 function iptables_allow_nfs_ports {
@@ -63,10 +63,10 @@ function allow_portmapper_port {
   local server=$1
   local port=111
   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport 
$port -j ACCEPT &&
-${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport 
$port -j ACCEPT &&
-${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport 
$port -j ACCEPT &&
-${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
--dport $port -j ACCEPT
+${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport 
$port -j ACCEPT &&
+${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport 
$port -j ACCEPT &&
+${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport 
$port -j ACCEPT &&
+${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
--dport $port -j ACCEPT
   }
 for s in $servers; do


--
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.
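
The failure reported in the message above (iptables v1.4.7 rejecting a bare `-w`) can be avoided by probing for the flag once and adding it only when the probe succeeds. This is an added example, not code from the thread or from nfs-ports-allow.sh; `detect_wait_flag`, `accept_rule_cmds`, the two `stub_iptables_*` functions, the chain name and the address are assumptions, and the stubs are constructed stand-ins so it runs without root.

```shell
#!/bin/sh
# Added example, not code from nfs-ports-allow.sh or from the thread.
# detect_wait_flag, accept_rule_cmds and stub_iptables_* are hypothetical names.

# Constructed stand-in for an iptables that rejects a bare -w.
# It reproduces the v1.4.7 error text quoted in the thread.
stub_iptables_old() {
    if [ "$1" = "-w" ]; then
        echo "iptables v1.4.7: option \`-w' requires an argument" >&2
        return 2
    fi
    return 0
}

# Constructed stand-in for an iptables that accepts -w (such as the
# v1.4.21 the patch author says he checked).
stub_iptables_new() {
    return 0
}

# Print "-w" when "$1 -w -L -n" exits 0, print nothing otherwise.
# A read-only listing is used so the probe never changes the rule set.
# Caveat: a probe that fails for another reason (for example missing
# privileges) also yields no flag, which is the pre-patch behaviour.
detect_wait_flag() {
    if "$1" -w -L -n >/dev/null 2>&1; then
        printf '%s' "-w"
    fi
}

# Emit the four insert commands that add_accept_rules issues for one
# server/port pair (tcp and udp, source and destination), probing once.
#   $1 iptables command   $2 chain   $3 server address   $4 port
accept_rule_cmds() {
    flag=$(detect_wait_flag "$1")
    for proto in tcp udp; do
        for dir in s d; do
            printf '%s\n' \
                "$1${flag:+ $flag} -I $2 -p $proto -$dir $3 --${dir}port $4 -j ACCEPT"
        done
    done
}

# Constructed sample input: chain INPUT, documentation address 192.0.2.10.
accept_rule_cmds stub_iptables_old INPUT 192.0.2.10 2049
accept_rule_cmds stub_iptables_new INPUT 192.0.2.10 2049
```

On a real host the first argument would be the path held in `${IPTABLES}`, and the emitted lines would be executed rather than printed.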


Re: [Devel] [PATCH] scripts: add "-w" to iptables command

2017-09-28 Thread Kirill Tkhai
The oldest version from VZ7, I suppose. I don't know which it is.

On 28.09.2017 13:58, Stanislav Kinsburskiy wrote:
> How old should it be?
> I checked with v1.4.21
> 
> 28.09.2017 12:55, Kirill Tkhai wrote:
>> Could you please say whether it will work on old iptables?
>>
>> On 28.09.2017 13:03, Stanislav Kinsburskiy wrote:
>>> What a brilliant idea it was to ignore unknown keys.
>>> Should take it into account.
>>>
>>> 28.09.2017 10:26, Vasily Averin wrote:
>>>> kthai@ explained that old version of iptables ignores unknown keys, so
>>>> adding -w is safe.
>>>>
>>>> On 2017-09-28 10:40, Pavel Tikhomirov wrote:
>>>>> Can we have these scripts running with an older iptables version which does
>>>>> not have "-w"?
>>>>>
>>>>> On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
>>>>>> Needed to support new versions of iptables.
>>>>>>
>>>>>> https://jira.sw.ru/browse/PSBM-73153
>>>>>>
>>>>>> Signed-off-by: Stanislav Kinsburskiy
>> ---
>>   scripts/nfs-ports-allow.sh |   16 
>>   1 file changed, 8 insertions(+), 8 deletions(-)
>>
>> diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
>> index 97541dc..ac5cf5f 100644
>> --- a/scripts/nfs-ports-allow.sh
>> +++ b/scripts/nfs-ports-allow.sh
>> @@ -36,10 +36,10 @@ function add_accept_rules {
>>   local server=$1
>>   local port=$2
>>   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>> $server --sport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
>> $server --dport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>> $server --sport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
>> $server --dport $port -j ACCEPT
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>> $server --sport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
>> $server --dport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>> $server --sport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
>> $server --dport $port -j ACCEPT
>>   }
>> function iptables_allow_nfs_ports {
>> @@ -63,10 +63,10 @@ function allow_portmapper_port {
>>   local server=$1
>>   local port=111
>>   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>> $server --sport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
>> $server --dport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>> $server --sport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
>> $server --dport $port -j ACCEPT
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>> $server --sport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
>> $server --dport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>> $server --sport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
>> $server --dport $port -j ACCEPT
>>   }
>> for s in $servers; do
>>


Re: [Devel] [PATCH] scripts: add "-w" to iptables command

2017-09-28 Thread Stanislav Kinsburskiy
How old should it be?
I checked with v1.4.21

28.09.2017 12:55, Kirill Tkhai wrote:
> Could you please say whether it will work on old iptables?
> 
> On 28.09.2017 13:03, Stanislav Kinsburskiy wrote:
>> What a brilliant idea it was to ignore unknown keys.
>> Should take it into account.
>>
>> 28.09.2017 10:26, Vasily Averin wrote:
>>> kthai@ explained that old version of iptables ignores unknown keys, so
>>> adding -w is safe.
>>>
>>> On 2017-09-28 10:40, Pavel Tikhomirov wrote:
>>>> Can we have these scripts running with an older iptables version which does
>>>> not have "-w"?
>>>>
>>>> On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
>>>>> Needed to support new versions of iptables.
>>>>>
>>>>> https://jira.sw.ru/browse/PSBM-73153
>>>>>
>>>>> Signed-off-by: Stanislav Kinsburskiy
> ---
>   scripts/nfs-ports-allow.sh |   16 
>   1 file changed, 8 insertions(+), 8 deletions(-)
>
> diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
> index 97541dc..ac5cf5f 100644
> --- a/scripts/nfs-ports-allow.sh
> +++ b/scripts/nfs-ports-allow.sh
> @@ -36,10 +36,10 @@ function add_accept_rules {
>   local server=$1
>   local port=$2
>   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
> $server --sport $port -j ACCEPT &&
> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
> $server --dport $port -j ACCEPT &&
> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
> $server --sport $port -j ACCEPT &&
> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
> $server --dport $port -j ACCEPT
> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
> $server --sport $port -j ACCEPT &&
> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
> $server --dport $port -j ACCEPT &&
> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
> $server --sport $port -j ACCEPT &&
> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
> $server --dport $port -j ACCEPT
>   }
> function iptables_allow_nfs_ports {
> @@ -63,10 +63,10 @@ function allow_portmapper_port {
>   local server=$1
>   local port=111
>   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
> $server --sport $port -j ACCEPT &&
> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
> $server --dport $port -j ACCEPT &&
> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
> $server --sport $port -j ACCEPT &&
> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
> $server --dport $port -j ACCEPT
> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
> $server --sport $port -j ACCEPT &&
> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
> $server --dport $port -j ACCEPT &&
> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
> $server --sport $port -j ACCEPT &&
> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
> $server --dport $port -j ACCEPT
>   }
> for s in $servers; do
>


Re: [Devel] [PATCH] scripts: add "-w" to iptables command

2017-09-28 Thread Kirill Tkhai
Could you please say whether it will work on old iptables?

On 28.09.2017 13:03, Stanislav Kinsburskiy wrote:
> What a brilliant idea it was to ignore unknown keys.
> Should take it into account.
> 
> 28.09.2017 10:26, Vasily Averin wrote:
>> kthai@ explained that old version of iptables ignores unknown keys, so
>> adding -w is safe.
>>
>> On 2017-09-28 10:40, Pavel Tikhomirov wrote:
>>> Can we have these scripts running with an older iptables version which does not
>>> have "-w"?
>>>
>>> On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
>>>> Needed to support new versions of iptables.
>>>>
>>>> https://jira.sw.ru/browse/PSBM-73153
>>>>
>>>> Signed-off-by: Stanislav Kinsburskiy
 ---
   scripts/nfs-ports-allow.sh |   16 
   1 file changed, 8 insertions(+), 8 deletions(-)

 diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
 index 97541dc..ac5cf5f 100644
 --- a/scripts/nfs-ports-allow.sh
 +++ b/scripts/nfs-ports-allow.sh
 @@ -36,10 +36,10 @@ function add_accept_rules {
   local server=$1
   local port=$2
   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
 $server --sport $port -j ACCEPT &&
 -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
 --dport $port -j ACCEPT &&
 -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server 
 --sport $port -j ACCEPT &&
 -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
 --dport $port -j ACCEPT
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
 $server --sport $port -j ACCEPT &&
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
 $server --dport $port -j ACCEPT &&
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
 $server --sport $port -j ACCEPT &&
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
 $server --dport $port -j ACCEPT
   }
 function iptables_allow_nfs_ports {
 @@ -63,10 +63,10 @@ function allow_portmapper_port {
   local server=$1
   local port=111
   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
 $server --sport $port -j ACCEPT &&
 -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
 --dport $port -j ACCEPT &&
 -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server 
 --sport $port -j ACCEPT &&
 -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
 --dport $port -j ACCEPT
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
 $server --sport $port -j ACCEPT &&
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
 $server --dport $port -j ACCEPT &&
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
 $server --sport $port -j ACCEPT &&
 +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
 $server --dport $port -j ACCEPT
   }
 for s in $servers; do



Re: [Devel] [PATCH] scripts: add "-w" to iptables command

2017-09-28 Thread Kirill Tkhai
iptables-restore does ignore them.

On 28.09.2017 11:26, Vasily Averin wrote:
> kthai@ explained that old version of iptables ignores unknown keys, so adding 
> -w is safe.
> 
> On 2017-09-28 10:40, Pavel Tikhomirov wrote:
>> Can we have these scripts running with an older iptables version which does not
>> have "-w"?
>>
>> On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
>>> Needed to support new versions of iptables.
>>>
>>> https://jira.sw.ru/browse/PSBM-73153
>>>
>>> Signed-off-by: Stanislav Kinsburskiy 
>>> ---
>>>   scripts/nfs-ports-allow.sh |   16 
>>>   1 file changed, 8 insertions(+), 8 deletions(-)
>>>
>>> diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
>>> index 97541dc..ac5cf5f 100644
>>> --- a/scripts/nfs-ports-allow.sh
>>> +++ b/scripts/nfs-ports-allow.sh
>>> @@ -36,10 +36,10 @@ function add_accept_rules {
>>>   local server=$1
>>>   local port=$2
>>>   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>>> $server --sport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
>>> --dport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server 
>>> --sport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
>>> --dport $port -j ACCEPT
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>>> $server --sport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
>>> $server --dport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>>> $server --sport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
>>> $server --dport $port -j ACCEPT
>>>   }
>>> function iptables_allow_nfs_ports {
>>> @@ -63,10 +63,10 @@ function allow_portmapper_port {
>>>   local server=$1
>>>   local port=111
>>>   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>>> $server --sport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
>>> --dport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server 
>>> --sport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
>>> --dport $port -j ACCEPT
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>>> $server --sport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
>>> $server --dport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>>> $server --sport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
>>> $server --dport $port -j ACCEPT
>>>   }
>>> for s in $servers; do
>>>


Re: [Devel] [PATCH] scripts: add "-w" to iptables command

2017-09-28 Thread Stanislav Kinsburskiy
What a brilliant idea it was to ignore unknown keys.
Should take it into account.

28.09.2017 10:26, Vasily Averin wrote:
> kthai@ explained that old version of iptables ignores unknown keys, so adding
> -w is safe.
>
> On 2017-09-28 10:40, Pavel Tikhomirov wrote:
>> Can we have these scripts running with an older iptables version which does not
>> have "-w"?
>>
>> On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
>>> Needed to support new versions of iptables.
>>>
>>> https://jira.sw.ru/browse/PSBM-73153
>>>
>>> Signed-off-by: Stanislav Kinsburskiy 
>>> ---
>>>   scripts/nfs-ports-allow.sh |   16 
>>>   1 file changed, 8 insertions(+), 8 deletions(-)
>>>
>>> diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
>>> index 97541dc..ac5cf5f 100644
>>> --- a/scripts/nfs-ports-allow.sh
>>> +++ b/scripts/nfs-ports-allow.sh
>>> @@ -36,10 +36,10 @@ function add_accept_rules {
>>>   local server=$1
>>>   local port=$2
>>>   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>>> $server --sport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
>>> --dport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server 
>>> --sport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
>>> --dport $port -j ACCEPT
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>>> $server --sport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
>>> $server --dport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>>> $server --sport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
>>> $server --dport $port -j ACCEPT
>>>   }
>>> function iptables_allow_nfs_ports {
>>> @@ -63,10 +63,10 @@ function allow_portmapper_port {
>>>   local server=$1
>>>   local port=111
>>>   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>>> $server --sport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
>>> --dport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server 
>>> --sport $port -j ACCEPT &&
>>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
>>> --dport $port -j ACCEPT
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>>> $server --sport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
>>> $server --dport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>>> $server --sport $port -j ACCEPT &&
>>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
>>> $server --dport $port -j ACCEPT
>>>   }
>>> for s in $servers; do
>>>


Re: [Devel] [PATCH] scripts: add "-w" to iptables command

2017-09-28 Thread Vasily Averin
kthai@ explained that old version of iptables ignores unknown keys, so adding 
-w is safe.

On 2017-09-28 10:40, Pavel Tikhomirov wrote:
> Can we have these scripts running with an older iptables version which does not
> have "-w"?
>
> On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
>> Needed to support new versions of iptables.
>>
>> https://jira.sw.ru/browse/PSBM-73153
>>
>> Signed-off-by: Stanislav Kinsburskiy 
>> ---
>>   scripts/nfs-ports-allow.sh |   16 
>>   1 file changed, 8 insertions(+), 8 deletions(-)
>>
>> diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
>> index 97541dc..ac5cf5f 100644
>> --- a/scripts/nfs-ports-allow.sh
>> +++ b/scripts/nfs-ports-allow.sh
>> @@ -36,10 +36,10 @@ function add_accept_rules {
>>   local server=$1
>>   local port=$2
>>   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server 
>> --sport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
>> --dport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server 
>> --sport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
>> --dport $port -j ACCEPT
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>> $server --sport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
>> $server --dport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>> $server --sport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
>> $server --dport $port -j ACCEPT
>>   }
>> function iptables_allow_nfs_ports {
>> @@ -63,10 +63,10 @@ function allow_portmapper_port {
>>   local server=$1
>>   local port=111
>>   -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server 
>> --sport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
>> --dport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server 
>> --sport $port -j ACCEPT &&
>> -${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
>> --dport $port -j ACCEPT
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
>> $server --sport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
>> $server --dport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
>> $server --sport $port -j ACCEPT &&
>> +${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
>> $server --dport $port -j ACCEPT
>>   }
>> for s in $servers; do
>>


Re: [Devel] [PATCH] scripts: add "-w" to iptables command

2017-09-28 Thread Pavel Tikhomirov
Can we have these scripts running with an older iptables version which does
not have "-w"?


On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:

Needed to support new versions of iptables.

https://jira.sw.ru/browse/PSBM-73153

Signed-off-by: Stanislav Kinsburskiy 
---
  scripts/nfs-ports-allow.sh |   16 
  1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
index 97541dc..ac5cf5f 100644
--- a/scripts/nfs-ports-allow.sh
+++ b/scripts/nfs-ports-allow.sh
@@ -36,10 +36,10 @@ function add_accept_rules {
local server=$1
local port=$2
  
-	${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT &&

-   ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport 
$port -j ACCEPT &&
-   ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport 
$port -j ACCEPT &&
-   ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
--dport $port -j ACCEPT
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server 
--sport $port -j ACCEPT &&
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
--dport $port -j ACCEPT &&
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server 
--sport $port -j ACCEPT &&
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
$server --dport $port -j ACCEPT
  }
  
  function iptables_allow_nfs_ports {

@@ -63,10 +63,10 @@ function allow_portmapper_port {
local server=$1
local port=111
  
-	${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT &&

-   ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport 
$port -j ACCEPT &&
-   ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport 
$port -j ACCEPT &&
-   ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
--dport $port -j ACCEPT
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server 
--sport $port -j ACCEPT &&
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
--dport $port -j ACCEPT &&
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server 
--sport $port -j ACCEPT &&
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
$server --dport $port -j ACCEPT
  }
  
  for s in $servers; do





--
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.


[Devel] [PATCH] scripts: add "-w" to iptables command

2017-09-27 Thread Stanislav Kinsburskiy
Needed to support new versions of iptables.

https://jira.sw.ru/browse/PSBM-73153

Signed-off-by: Stanislav Kinsburskiy 
---
 scripts/nfs-ports-allow.sh |   16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
index 97541dc..ac5cf5f 100644
--- a/scripts/nfs-ports-allow.sh
+++ b/scripts/nfs-ports-allow.sh
@@ -36,10 +36,10 @@ function add_accept_rules {
local server=$1
local port=$2
 
-   ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server 
--sport $port -j ACCEPT &&
-   ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
--dport $port -j ACCEPT &&
-   ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server 
--sport $port -j ACCEPT &&
-   ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
--dport $port -j ACCEPT 
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
$server --sport $port -j ACCEPT &&
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
$server --dport $port -j ACCEPT &&
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
$server --sport $port -j ACCEPT &&
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
$server --dport $port -j ACCEPT 
 }
 
 function iptables_allow_nfs_ports {
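
Review bot: `-w` is passed unconditionally on all four added lines of add_accept_rules, with no check that the installed iptables accepts it. The reply in this thread showing iptables v1.4.7 answering "option `-w' requires an argument" means the first command would fail there and the `&&` chain would stop before any ACCEPT rule is inserted. Either state the minimum iptables version in the commit message (v1.4.21 is the version the author reports checking), or probe once for `-w` support and add the flag only when the probe succeeds.
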
@@ -63,10 +63,10 @@ function allow_portmapper_port {
local server=$1
local port=111
 
-   ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server 
--sport $port -j ACCEPT &&
-   ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server 
--dport $port -j ACCEPT &&
-   ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server 
--sport $port -j ACCEPT &&
-   ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server 
--dport $port -j ACCEPT 
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s 
$server --sport $port -j ACCEPT &&
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d 
$server --dport $port -j ACCEPT &&
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s 
$server --sport $port -j ACCEPT &&
+   ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d 
$server --dport $port -j ACCEPT 
 }
 
 for s in $servers; do
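
Review bot: the literal `-w` is repeated on each of the four added lines in allow_portmapper_port, as it is in add_accept_rules, so the flag is now hard-coded in eight places. Setting it once where ${IPTABLES} is assigned, or in a separate variable expanded next to it, would leave the rule lines untouched and let the flag be dropped or changed in one spot. The commit message says only that the change is needed for new iptables versions; it should state what `-w` does for this script and which failure it addresses.
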
