An OpenVZ container does not require enabling additional capabilities;
the default settings allow using iptables inside the container.
However, by default netfilter is restricted;
most likely you need to change it by using "prlctl set --netfilter":
Restrict access to iptables modules inside the Container. The following modes are available:
disabled -- no modules are allowed.
stateless -- (default) all modules except NAT and conntracks are
stateful -- all modules except NAT are allowed.
full -- all modules are allowed.
BTW, prlctl works like "vzctl --save" in all cases; it saves the setting in
On 10.10.2016 22:42, Jehan Procaccia wrote:
> by default firewalld doesn't work on a freshly installed container (centos7-x64)
> docs say:
> I guess I need to enable net_admin
> net_admin Allows the administration of IP firewalls and accounting.
> as it is by default set to off
> but the command is deprecated
> # vzctl set MyCT11 --capability net_admin --save
> Warning: The --capability option is deprecated
> So I used prlctl (not proposed in the doc above !?)
> # prlctl set MyCT11 --capability net_admin:on
> Set capabilities: NET_ADMIN:on
> The CT has been successfully configured.
> but still in the CT
> /# firewall-cmd --get-active-zones
> /# firewall-cmd --reload
> Error: '/sbin/iptables -w2 -t filter -I INPUT 1 -m conntrack --ctstate
> RELATED,ESTABLISHED -j ACCEPT' failed: iptables: No chain/target/match by
> that name.
> as if the NET_ADMIN capability is not saved permanently in the CT definition
> what is the equivalent of vzctl --save with prlctl?
> or did I mess up somewhere else?
> Regards.
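An added helper, not from this thread and not part of OpenVZ or Virtuozzo tooling, that maps a set of iptables rules (for example the conntrack rule firewalld failed to load above) to the lowest "prlctl set --netfilter" mode from the list in the reply. The mode ordering comes from that list; the mapping of rule options to the NAT and conntrack module families is an assumption made for illustration.

```shell
#!/bin/sh
# Hypothetical helper: given iptables rule lines (from `iptables-save` or an
# error message), report the lowest "prlctl set --netfilter" mode under which
# all of them can load. Mode ordering follows the reply above:
#   disabled < stateless (no NAT, no conntrack) < stateful (no NAT) < full
# Which options imply which module family is an assumption for illustration.

# Rank one rule: 1 = stateless, 2 = stateful, 3 = full.
rule_rank() {
    rule=$1
    case "$rule" in
        *"-t nat"*|*"-j MASQUERADE"*|*"-j SNAT"*|*"-j DNAT"*|*"-j REDIRECT"*)
            echo 3 ;;   # NAT table or NAT targets: only "full" allows NAT
        *"-m conntrack"*|*"--ctstate"*|*"-m state"*)
            echo 2 ;;   # conntrack matches: blocked under default "stateless"
        *)
            echo 1 ;;   # plain filter rules: "stateless" is enough
    esac
}

# Read rules from stdin, one per line; print the minimum mode name.
required_netfilter_mode() {
    max=1
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        r=$(rule_rank "$line")
        [ "$r" -gt "$max" ] && max=$r
    done
    case "$max" in
        1) echo stateless ;;
        2) echo stateful ;;
        3) echo full ;;
    esac
}

# Constructed sample: the rule firewalld failed to insert in the thread above.
printf '%s\n' \
    '-t filter -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
    | required_netfilter_mode    # prints: stateful
```

The printed mode is what to pass on the host as "prlctl set <CT> --netfilter <mode>"; the setting is persistent, as the reply notes.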