scripts: add "-w" to iptables command

Submitted by Stanislav Kinsburskiy on Sept. 27, 2017, 11:11 a.m.

Details

Message ID 20170927111149.133033.2933.stgit@skinsbursky-vz7.qa.sw.ru
State New
Series "scripts: add "-w" to iptables command"

Commit Message

Stanislav Kinsburskiy Sept. 27, 2017, 11:11 a.m.
Needed to support new versions of iptables.

https://jira.sw.ru/browse/PSBM-73153

Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
---
 scripts/nfs-ports-allow.sh |   16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

Patch

diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
index 97541dc..ac5cf5f 100644
--- a/scripts/nfs-ports-allow.sh
+++ b/scripts/nfs-ports-allow.sh
@@ -36,10 +36,10 @@  function add_accept_rules {
 	local server=$1
 	local port=$2
 
-	${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT &&
-	${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport $port -j ACCEPT &&
-	${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT &&
-	${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport $port -j ACCEPT 
+	${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT &&
+	${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport $port -j ACCEPT &&
+	${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT &&
+	${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport $port -j ACCEPT 
 }
 
 function iptables_allow_nfs_ports {
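Review bot: the `-w` added to all four commands in add_accept_rules is unconditional, and neither the commit message nor a comment says which iptables versions accept it. The thread below shows v1.4.7 failing with "option `-w' requires an argument", while v1.4.21 is the version the author checked. Because the commands are chained with `&&`, a rejected flag makes the first insert fail and none of the ACCEPT rules is added. Please state the minimum iptables version in the commit message or in a comment above the function, or probe for `-w` once and pass it only where it is accepted. Bare `-w` also waits for the xtables lock with no upper bound, which deserves a line in the commit message so that a stalled run can be diagnosed.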
@@ -63,10 +63,10 @@  function allow_portmapper_port {
 	local server=$1
 	local port=111
 
-	${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT &&
-	${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport $port -j ACCEPT &&
-	${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT &&
-	${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport $port -j ACCEPT 
+	${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT &&
+	${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport $port -j ACCEPT &&
+	${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT &&
+	${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport $port -j ACCEPT 
 }
 
 for s in $servers; do
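Review bot: allow_portmapper_port repeats the four commands of add_accept_rules with `port=111` (only the udp/tcp order differs), which is why this patch has to add `-w` in eight places. Consider replacing the body with `add_accept_rules $server 111`, so the flag is maintained in one place; if the rule order matters here, say so in a comment. While these lines are being touched, quoting `$server` and `$port` would also protect the commands against word splitting on an unexpected value.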

Comments

Pavel Tikhomirov Sept. 28, 2017, 7:40 a.m.
Can we have this script running with an older iptables version which does not have "-w"?

Vasily Averin Sept. 28, 2017, 8:26 a.m.
kthai@ explained that the old version of iptables ignores unknown keys, so adding -w is safe.

On 2017-09-28 10:40, Pavel Tikhomirov wrote:
> Can we have this script running with an older iptables version which does not have "-w"?
>
Stanislav Kinsburskiy Sept. 28, 2017, 10:03 a.m.
What a brilliant idea it was to ignore unknown keys.
Should take it into account.

28.09.2017 10:26, Vasily Averin wrote:
> kthai@ explained that the old version of iptables ignores unknown keys, so adding -w is safe.
>
Kirill Tkhai Sept. 28, 2017, 10:39 a.m.
iptables-restore does ignore them.

On 28.09.2017 11:26, Vasily Averin wrote:
> kthai@ explained that the old version of iptables ignores unknown keys, so adding -w is safe.
>
Kirill Tkhai Sept. 28, 2017, 10:55 a.m.
Could you please say whether it will work on old iptables?

On 28.09.2017 13:03, Stanislav Kinsburskiy wrote:
> What a brilliant idea it was to ignore unknown keys.
> Should take it into account.
>
Stanislav Kinsburskiy Sept. 28, 2017, 10:58 a.m.
How old should it be?
I checked with v1.4.21

28.09.2017 12:55, Kirill Tkhai wrote:
> Could you please say whether it will work on old iptables?
>
Kirill Tkhai Sept. 28, 2017, 10:59 a.m.
The oldest version from VZ7, I suppose. I don't know which it is.

On 28.09.2017 13:58, Stanislav Kinsburskiy wrote:
> How old should it be?
> I checked with v1.4.21
>
Pavel Tikhomirov Sept. 29, 2017, 12:30 p.m.
It seems my comment missed the list, sorry...

[root@cat ~]# iptables -w -L || echo ERROR
iptables v1.4.7: option `-w' requires an argument
Try `iptables -h' or 'iptables --help' for more information.
ERROR

On 1.4.7 the -w option is not ignored but asks for an argument with an error
for me. Checked on cat.qa.sw.ru

On 09/28/2017 01:59 PM, Kirill Tkhai wrote:
> The oldest version from VZ7, I suppose. I don't know which it is.
>
Vasily Averin Sept. 29, 2017, 12:36 p.m.
Pavel,
this particular case is executed on a vz7 host only.
RHEL7 had started from iptables 1.4.21,
so it is safe for us.

Anyway thank you for your report, it was very useful!

On 2017-09-29 15:30, Pavel Tikhomirov wrote:
> It seems my comment missed the list, sorry...
> 
> [root@cat ~]# iptables -w -L || echo ERROR
> iptables v1.4.7: option `-w' requires an argument
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR
> 
> On 1.4.7 the -w option is not ignored but asks for an argument with an error for me. Checked on cat.qa.sw.ru
>
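
The version question discussed in this thread can also be settled at run time by probing for the flag once. The sketch below is an added example, not code from the patch or from the project: IPTABLES, JOIN_CT and CRTOOLS_IPTABLES_TABLE are the script's own names, while detect_wait_flag, WAIT_FLAG, allow_ports_with and the fake_iptables_* stand-ins are hypothetical, and the chain name, address and port are constructed sample values.

```shell
# Added example, not part of scripts/nfs-ports-allow.sh.

# Print "-w" if the given iptables command accepts the flag, print nothing
# if only the flag is rejected, and fail if iptables does not work at all.
detect_wait_flag() {
	# -L -n only lists rules, so the probe does not modify the ruleset.
	if "$@" -w -L -n >/dev/null 2>&1; then
		printf '%s\n' "-w"
		return 0
	fi
	# The probe failed: retry without -w to tell "flag unsupported"
	# (old iptables) apart from "iptables unusable" (e.g. not root).
	"$@" -L -n >/dev/null 2>&1
}

# Same four rules, in the same order, as add_accept_rules in the patch,
# with the flag taken from WAIT_FLAG (hypothetical) instead of hard-coded.
add_accept_rules() {
	server=$1
	port=$2
	for proto in tcp udp; do
		${JOIN_CT} ${IPTABLES} ${WAIT_FLAG} -I "${CRTOOLS_IPTABLES_TABLE}" \
			-p "$proto" -s "$server" --sport "$port" -j ACCEPT &&
		${JOIN_CT} ${IPTABLES} ${WAIT_FLAG} -I "${CRTOOLS_IPTABLES_TABLE}" \
			-p "$proto" -d "$server" --dport "$port" -j ACCEPT || return 1
	done
}

# Constructed stand-ins so the example runs without root or a real iptables.
# Each one prints the arguments it was called with instead of changing rules.

# Rejects -w, like the v1.4.7 transcript quoted in the thread.
fake_iptables_old() {
	for arg in "$@"; do
		if [ "$arg" = "-w" ]; then
			echo "fake iptables: option -w requires an argument" >&2
			return 2
		fi
	done
	printf '%s\n' "$*"
}

# Accepts -w, as reported for v1.4.21 in the thread.
fake_iptables_new() {
	printf '%s\n' "$*"
}

# Fails on every call, e.g. missing privileges.
fake_iptables_broken() {
	return 1
}

# Probe once, then insert the rules for one server and port.
# $1 = iptables command, $2 = server address, $3 = port.
allow_ports_with() {
	IPTABLES=$1
	JOIN_CT=
	CRTOOLS_IPTABLES_TABLE=EXAMPLE_CHAIN   # constructed chain name
	WAIT_FLAG=$(detect_wait_flag ${JOIN_CT} ${IPTABLES}) || return 1
	add_accept_rules "$2" "$3"
}

# Demo with constructed values: 192.0.2.10 is a documentation address.
allow_ports_with fake_iptables_old 192.0.2.10 2049
allow_ports_with fake_iptables_new 192.0.2.10 2049
```

The second probe is what keeps a permissions or module failure from being mistaken for an old iptables and silently dropping the flag.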