[Devel] [PATCH RHEL7 COMMIT] ve/kmod: Add rules for new {ip, ip6, x}table modules
Konstantin Khorenko
khorenko at virtuozzo.com
Fri May 29 01:02:00 PDT 2015
The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.7
------>
commit d2e9d1ba7e3acc37c18ae91a11df1fb5bba2972c
Author: Kirill Tkhai <ktkhai at odin.com>
Date: Fri May 29 12:02:00 2015 +0400
ve/kmod: Add rules for new {ip, ip6, x}table modules
These are the modules that need extended permissions
(see module_payload_allowed() for details).
https://jira.sw.ru/browse/PSBM-33631
Signed-off-by: Kirill Tkhai <ktkhai at odin.com>
Reviewed-by: Cyrill Gorcunov <gorcunov at odin.com>
---
kernel/kmod.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/kernel/kmod.c b/kernel/kmod.c
index 2daabea..04948ee 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -211,6 +211,7 @@ static struct {
{ "iptable_nat", VE_IP_NAT },
{ "iptable_mangle", VE_IP_MANGLE },
{ "ip6table_filter", VE_IP_FILTER6 },
+ { "ip6table_nat", VE_IP_NAT },
{ "ip6table_mangle", VE_IP_MANGLE6 },
{ "xt_CONNMARK", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
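Review bot: The new `ip6table_nat` entry is gated by `VE_IP_NAT`, the same bit as `iptable_nat`, while its IPv6 neighbours use family-specific bits (`VE_IP_FILTER6`, `VE_IP_MANGLE6`). How module_payload_allowed() evaluates the mask is not visible here, but as written a container granted only IPv4 NAT would apparently also be permitted to autoload the IPv6 NAT table. If no IPv6-specific NAT bit exists, consider `{ "ip6table_nat", VE_IP_NAT|VE_IP_IPTABLES6 },`, which matches the `ip6t_MASQUERADE` entry added in the last hunk. The table's definition starts and ends outside this hunk.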
@@ -225,6 +226,8 @@ static struct {
{ "xt_state", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
{ "xt_socket", VE_NF_CONNTRACK|VE_IP_CONNTRACK|
VE_IP_IPTABLES6 },
+ { "xt_connlabel", VE_NF_CONNTRACK|VE_IP_CONNTRACK|
+ VE_IP_IPTABLES6 },
{ "ipt_CLUSTERIP", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
{ "ipt_CONNMARK", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
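Review bot: The `xt_connlabel` mask looks copied from the `xt_socket` entry above it, and the next hunk reuses it for `ipt_connlabel`, which puts `VE_IP_IPTABLES6` on an IPv4 alias. `ipt_SYNPROXY`, added right beside it, and the other visible `ipt_*` entries carry no IPv6 bit. Because this table decides which modules a container may request, an unintended bit either widens or narrows the grant, depending on whether module_payload_allowed() (not visible here) requires any or all of the bits. If the IPv6 bit is not required for the IPv4 alias, `{ "ipt_connlabel", VE_NF_CONNTRACK|VE_IP_CONNTRACK },` would be consistent with its neighbours; if it is required, a one-line comment stating why would keep the next reader from "fixing" it.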
@@ -245,6 +248,9 @@ static struct {
VE_IP_NAT },
{ "ipt_REDIRECT", VE_NF_CONNTRACK|VE_IP_CONNTRACK|
VE_IP_NAT },
+ { "ipt_connlabel", VE_NF_CONNTRACK|VE_IP_CONNTRACK|
+ VE_IP_IPTABLES6 },
+ { "ipt_SYNPROXY", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
{ "ip6t_CONNMARK", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
{ "ip6t_CONNSECMARK", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
@@ -258,6 +264,13 @@ static struct {
{ "ip6t_state", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
{ "ip6t_socket", VE_NF_CONNTRACK|VE_IP_CONNTRACK|
VE_IP_IPTABLES6 },
+ { "ip6t_MASQUERADE", VE_NF_CONNTRACK|VE_IP_CONNTRACK|
+ VE_IP_NAT|VE_IP_IPTABLES6 },
+ { "ip6t_connlabel", VE_NF_CONNTRACK|VE_IP_CONNTRACK|
+ VE_IP_IPTABLES6 },
+ { "ip6t_SYNPROXY", VE_NF_CONNTRACK|VE_IP_CONNTRACK|
+ VE_IP_IPTABLES6 },
+
{ "nf-nat-ipv4", VE_NF_CONNTRACK|VE_IP_CONNTRACK|
VE_IP_NAT },
{ "nf-nat", VE_NF_CONNTRACK|VE_IP_CONNTRACK|