Introduce NETFILTER option to replace IPTABLES
A way to control which netfilter/iptables modules can be used inside a
container was via --iptables/IPTABLES parameter. Unfortunately, it is
complicated and confusing.
Replace that with a new option --netfilter/NETFILTER which only has
four options:
· disabled
no iptables allowed
· stateless
everything but conntracks and NAT is allowed
(i.e. filter and mangle)
· stateful
everything but NAT is allowed
· full
all netfilter functionality
Unlike most of the other options, NETFILTER is not allowed to be set in
global vz.conf file. This is because it can lead to major problems
during container migration from one host to another. Therefore, vzctl
explicitly ignores NETFILTER set in vz.conf and warns about it.
Now, we need to phase out old IPTABLES. This patch
* removes --iptables from bash_completion script
* removes IPTABLES from global vz.conf
* warns (from init.d/vz) if IPTABLES is used in vz.conf
From vzctl point of view, NETFILTER overrides any value of IPTABLES.
Note that future kernel will have iptables autoload functionality,
so no IPTABLES_MODULES will be required either.
Signed-off-by: Kir Kolyshkin <kir@openvz.org>
22 files changed