Information

This article describes the mechanism by which iptables modules are loaded in containers on a Parallels Virtuozzo Containers (PVC) for Linux or Parallels Server Bare Metal (PSBM) host.

Some iptables modules, like ipt_conntrack, may produce additional load on the host, which is why a provider may want to prevent particular modules from being loaded inside a container.

The Parallels Virtuozzo Containers for Linux and Parallels Server Bare Metal kernel provides a flexible way to manage iptables modules available on a host and inside a container, both globally and on a per-container basis.

First, all necessary modules must be loaded on the Hardware Node itself, as specified in /etc/sysconfig/iptables-config. If that file lists no modules in the IPTABLES_MODULES variable, the modules listed in the global PVC configuration file, together with all of their dependencies, are loaded when the vz service starts.

The Parallels kernel then allows only the modules listed in the global PVC configuration file, /etc/vz/vz.conf, to be loaded in containers; all other iptables modules are restricted.

Finally, a per-container mask is applied, which further restricts modules for that container only. If a container's configuration file lists modules that are prohibited (that is, not listed) in the global configuration file, those modules will not be loaded in that container either.
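The global-then-per-container masking described above, worked through on constructed sample configs as an added example (this is not code from the article or from Parallels). It assumes both files carry their list in an IPTABLES="..." variable, as OpenVZ/Virtuozzo configs do, and the container ID 101 and module lists are made up for the demonstration.

```shell
#!/bin/sh
# Added example: apply the global iptables module mask to a container's own list,
# the way the article describes, and report what the container actually gets.
# Assumption: both files carry the list in an IPTABLES="..." variable, as in
# OpenVZ/Virtuozzo configs. The sample configs are constructed, not real host files.

# Print the value of the last IPTABLES="..." assignment in the file $1 (empty if none).
read_iptables_list() {
    sed -n 's/^IPTABLES="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# Succeed when module name $2 appears in the space-separated list $1.
in_list() {
    for item in $1; do
        if [ "$item" = "$2" ]; then return 0; fi
    done
    return 1
}

# Print the container's modules that the global list also permits ($1: global config, $2: container config).
effective_modules() {
    global=$(read_iptables_list "$1")
    allowed=""
    for m in $(read_iptables_list "$2"); do
        if in_list "$global" "$m"; then allowed="$allowed $m"; fi
    done
    printf '%s\n' "${allowed# }"
}

# Print the container's modules that are silently dropped because the global list omits them.
dropped_modules() {
    global=$(read_iptables_list "$1")
    dropped=""
    for m in $(read_iptables_list "$2"); do
        if ! in_list "$global" "$m"; then dropped="$dropped $m"; fi
    done
    printf '%s\n' "${dropped# }"
}

# Write constructed sample configs into directory $1: a global list, and a container (ID 101,
# hypothetical) that also asks for ip_conntrack and ip_nat, which the global list does not allow.
write_demo_configs() {
    printf 'IPTABLES="ipt_REJECT ipt_limit ipt_multiport iptable_filter ipt_state"\n' > "$1/vz.conf"
    printf 'IPTABLES="iptable_filter ipt_state ip_conntrack ip_nat"\n' > "$1/101.conf"
}

demo=$(mktemp -d); write_demo_configs "$demo"
echo "allowed in CT 101: $(effective_modules "$demo/vz.conf" "$demo/101.conf")"
echo "dropped by global mask: $(dropped_modules "$demo/vz.conf" "$demo/101.conf")"
rm -r "$demo"
```

Run it against the real /etc/vz/vz.conf and a container's /etc/vz/conf/CTID.conf to see which of a container's requested modules the global mask will refuse before restarting the container.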

The current version of the Parallels Virtuozzo Containers for Linux kernel effectively restricts the following modules for the sake of density and performance:

ip_tables
ip_filter
ip_mangle
ip_nat
ip6_tables
ip6_filter
ip6_mangle
ip_conntrack (nf_conntrack in RHEL 6.x-based kernels)

For more information about enabling and managing a firewall inside a container, refer to this article:
How do I enable a firewall in a container?

For more information about a stateful firewall on the Hardware Node itself, refer to these articles:
Issues with firewall on HW Node -- Impossible to use ip_nat and ipt_state modules (for PVCfL 4.6 and older)
Issues with firewall on HW Node -- Impossible to use ip_nat and ipt_state modules (for PVCfL 4.7, PSBM 5.0 and PCS 6.0)
