ConfigServer Community Forum

We just had automatic update to v5.76 on few VPS servers on OpenVZ nodes that made all VPS's completely inaccesible...

We had to completely stop and disable CSF/LFD on all VE's...

I presume this is realted to your switch to conntrack module, that is probably somehow broken in OpenVZ on CentOS 5.

Here are some details from the VZ node...

# lsmod | grep conntrack
ip_conntrack_ftp 42192 3
ip_conntrack 101396 10 vzrst,vzcpt,xt_connlimit,ip_conntrack_ftp,iptable_nat,ip_nat,xt_state
nfnetlink 40392 2 ip_nat,ip_conntrack

# uname -a
Linux << >> 2.6.18-308.8.2.el5.028stab101.1 #1 SMP Sun Jun 24 20:25:35 MSD 2012 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/redhat-release
CentOS release 5.9 (Final)

csftest in VE shows no problems...

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

---

Do you have any ideas?

We have seen the same for Virtuozzo.

See this thread:
viewtopic.php?f=6&t=6260

I just realised what the problem is. We didn't have ipt_conntrack module loaded on any VZ node.

# modprobe ipt_conntrack

All VE's that use CSF/LFD should also be restarted after that.

This should also be added to /etc/vz/vz.conf module list.

Since all VE's should be restarted for new modules to be loaded in containers, the best way is probably just to add this module to vz.conf and do...

# service vz restart