Package: linux-image-2.6.32-5-openvz-amd64
Version: 2.6.32-35
Severity: normal

When using OpenVZ, the iptables "raw" table gets leaked to containers. This is problematic when using OpenVZ's checkpointing feature, since every restore of a container invokes iptables-restore in the container with the set of rules that existed at checkpoint time. If a container was checkpointed with the "raw" table visible and the kernel of the hardware node/CT0 no longer has iptable_raw loaded, the iptables-restore in the container will fail, causing the restore to abort. This manifests in the dreaded and nondescript error:

    Error: undump failed: Invalid argument
    Restoring failed:
    Error: iptables-restore exited with 2
    Error: Most probably some iptables modules are not loaded
    Error: rst_restore_net: -22

You can find a demonstration of this behavior at http://nopaste.narf.at/show/778/.

The "raw" table should be completely hidden in containers to prevent such problems, even more so because it is not even allowed within containers: OpenVZ only allows the "filter" and "mangle" tables to be used within containers.

-- System Information:
Debian Release: 6.0.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-openvz-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
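As an added example (not part of the bug report or of OpenVZ's tooling), a POSIX sh pre-restore check that parses the iptables-save dump a checkpoint would replay and reports any table the hardware node no longer has loaded, plus any table beyond filter/mangle that leaked into the dump. The dump and the host's table list are constructed inline; on a real node the host list would be read from /proc/net/ip_tables_names.

```shell
#!/bin/sh
# Added example, not from the bug report: detect before a restore whether the
# saved ruleset references iptables tables the node cannot provide.
# Assumes iptables-save format (tables introduced by "*name" lines) and a host
# table list in /proc/net/ip_tables_names format (one name per line).

# Constructed sample: a dump taken while the "raw" table was visible in the CT.
SAVED_RULES='# Generated by iptables-save v1.4.8
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
COMMIT'

# Constructed sample: the node after iptable_raw was unloaded (filter/mangle only).
HOST_TABLES='filter
mangle'

# Print the table names a dump references, one per line.
referenced_tables() {
    printf '%s\n' "$1" | sed -n 's/^\*\([a-z_]*\)$/\1/p'
}

# Print each referenced table absent from the host list; return 1 if any is missing.
missing_tables() {
    saved="$1"; loaded="$2"; rc=0
    for t in $(referenced_tables "$saved"); do
        if ! printf '%s\n' "$loaded" | grep -qx "$t"; then
            echo "$t"
            rc=1
        fi
    done
    return $rc
}

# Print tables other than the two OpenVZ permits in a container (filter, mangle):
# anything else in the dump is leaked host state that makes the restore fragile.
disallowed_tables() {
    referenced_tables "$1" | grep -vx -e filter -e mangle
}
```

Run the check against the dump a checkpoint would replay; a non-empty result from either function means the restore will hit the iptables-restore failure described above unless the module is loaded first.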