Bug#607041: linux-image-2.6.32-5-openvz-amd64: amd64 ip6tables broken in OpenVZ VE

To: submit@bugs.debian.org
Subject: Bug#607041: linux-image-2.6.32-5-openvz-amd64: amd64 ip6tables broken in OpenVZ VE
From: Steven Chamberlain <steven@pyro.eu.org>
Date: Tue, 14 Dec 2010 08:23:22 +0000
Message-id: <[🔎] 4D07297A.7070305@pyro.eu.org>
Reply-to: Steven Chamberlain <steven@pyro.eu.org>, 607041@bugs.debian.org

Package: linux-image-2.6.32-5-openvz-amd64
Version: 2.6.32-29

Hi,

I noticed that on kernel 2.6.32-5-openvz-amd64 (Debian 2.6.32-29), theamd64 build of ip6tables does not work at all in an OpenVZ VE, but thei386 build does. Within the OpenVZ host itself though (VE0), bothversions work. So I'm inclined to say this is more likely akernel/OpenVZ bug than a bug in ip6tables.


IPv4 iptables works fine in all cases.

I tested this within a OpenVZ VE, which is an amd64 Debian lennyinstall, with an i386 chroot inside of it:



# dpkg-query -Wf '${Package}-${Version}_${Architecture}\n' iptables
iptables-1.4.2-6_amd64

# ip6tables -L

FATAL: Could not load /lib/modules/2.6.32-5-openvz-amd64/modules.dep: Nosuch file or directoryip6tables v1.4.2: can't initialize ip6tables table `filter': Permissiondenied (you must be root)

Perhaps ip6tables or your kernel needs to be upgraded.

# chroot lenny-i386/ dpkg-query -Wf'${Package}-${Version}_${Architecture}\n' iptables

iptables-1.4.2-6_i386

# chroot lenny-i386/ ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
...


I believe this strace of the amd64 version shows where the problem occurs:

socket(PF_INET6, SOCK_RAW, IPPROTO_RAW) = 3
getsockopt(3, SOL_IPV6, 0x40 /* IPV6_??? */, 0x7fff508e34d0, 0x7fff508e3538) = -1 EPERM (Operation not permitted)

After that, ip6tables seems to think some kernel modules must bemissing, so it tries to load them, except that's not correct for OpenVZand that leads to the errors visible on stderr.


The same getsockopt() call succeeds in the i386 version:

socket(PF_INET6, SOCK_RAW, IPPROTO_RAW) = 3
getsockopt(3, SOL_IPV6, 0x40 /* IPV6_??? */, "filter\0\377\241\372\3\201\377\377\377\377\6\0\0\0\0\0\0\0Q\367\0\201\377\377\377\377\16"..., [84]) = 0

After an exhaustive search of kernel source I think maybe this is thesource of that -1 EPERM return value:

static int
compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
{
        int ret;

        if (!capable(CAP_VE_NET_ADMIN))
                return -EPERM;

static int
do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
{
        int ret;

        if (!capable(CAP_NET_ADMIN))
                return -EPERM;

It looks like the OpenVZ patch changed CAP_NET_ADMIN to CAP_VE_NET_ADMINfor compat_do_ip6t_{get,set}_ctl but not for the native functionsip6t_{get,set}_ctl.

However, the equivalent IPv4 functions have something slightlydifferent, for all four functions (get and set, compat and native):

if (capable(CAP_NET_ADMIN) && !capable(CAP_VE_NET_ADMIN))

In all honesty I don't know what this means -- I don't know if there aresecurity implications if I changed this. Or maybe it would breakip6tables in the host system (VE0). I may try fiddling with thissometime if I get the chance to reboot the machine (a production system,unfortunately, such is the way of things...).


Thanks,
Regards,
--
Steven Chamberlain
steven@pyro.eu.org

Reply to:

Follow-Ups:
- Bug#607041: linux-image-2.6.32-5-openvz-amd64: amd64 ip6tables broken in OpenVZ VE
  - From: Ola Lundqvist <opal@debian.org>

Prev by Date: Bug#606994: DMA error with b43 on HP Mini 1115NR under Debian Testing (Squeeze)
Next by Date: Bug#604049: linux-image-2.6.32-5-amd64: data corruption with promise stex driver and use of device-mapper layers (lvm/dm-crypt/..)
Previous by thread: Bug#512546: marked as done (installation-reports: Ethernet card not found)
Next by thread: Bug#607041: linux-image-2.6.32-5-openvz-amd64: amd64 ip6tables broken in OpenVZ VE
Index(es):
- Date
- Thread