[Devel] [PATCH RH7] enable ipproto_icmp inside containers

Vasily Averin vvs at virtuozzo.com
Thu Jun 23 05:26:35 PDT 2016


iputils-ping 20150815 fails inside containers
because socket(PF_INET, SOCK_DGRAM, IPPROTO_ICMP)
is restricted by vz_security_protocol_check().

The patch enables creation of such sockets inside containers.
By default sys_socket still fails
because of the default setting of sysctl net.ipv4.ping_group_range;
however, this is enough for iputils-ping 20150815:
its fallback handles this situation
and successfully creates a RAW socket.

In mainline it is enabled in the MS kernel since v3.13, see:
commit fd2d5356d902 ("ipv4: Allow unprivileged users to use per net sysctls")
In future we're going to backport this patch and add its save/restore into criu.

https://bugs.openvz.org/browse/OVZ-6744

Signed-off-by:	Vasily Averin <vvs at virtuozzo.com>

diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 53fa12d..ef521cf 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -222,6 +222,7 @@ int vz_security_protocol_check(struct net *net, int protocol)
 
 	switch (protocol) {
 	case  IPPROTO_IP:
+	case  IPPROTO_ICMP:
 	case  IPPROTO_TCP:
 	case  IPPROTO_UDP:
 	case  IPPROTO_RAW:
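Review bot: the new `case  IPPROTO_ICMP:` admits the protocol for every container unconditionally, while the commit message says the real gate is net.ipv4.ping_group_range, and the per-net version of that sysctl (fd2d5356d902) is listed as future work rather than part of this series. Until that backport lands, the host's ping_group_range value is what decides whether a container process can open a SOCK_DGRAM/IPPROTO_ICMP socket, so that dependency deserves a sentence in the commit message or a short comment next to the new case so it is not lost. Also note that only the IPv4 case is added: IPPROTO_ICMPV6 does not appear in the visible switch, so IPv6 ping sockets are not enabled by this change.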


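The commit message describes the behaviour iputils-ping relies on: try the unprivileged ping socket (SOCK_DGRAM/IPPROTO_ICMP) first, and if the kernel refuses it, fall back to a RAW ICMP socket. The probe below is an added example for checking that behaviour from inside a container after the patch; it is not code from this patch, from the OpenVZ kernel or from iputils. The result codes, the struct and the errno explanations are this example's own assumptions; the errno value returned by vz_security_protocol_check itself is not shown on the page, so the probe only reports it.

```c
// Added example (not part of the patch, the OpenVZ kernel or iputils):
// probe whether this process may open an unprivileged ICMP "ping" socket,
// and fall back to a RAW ICMP socket the way the commit message says
// iputils-ping 20150815 does. Codes and struct are this example's own.
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum ping_probe {
    PING_DGRAM_OK = 0,  /* SOCK_DGRAM/IPPROTO_ICMP opened: ping_group_range admits us */
    PING_RAW_OK   = 1,  /* DGRAM refused, SOCK_RAW/IPPROTO_ICMP opened (needs CAP_NET_RAW) */
    PING_NONE     = 2,  /* neither socket type could be opened */
};

struct ping_probe_result {
    enum ping_probe outcome;
    int dgram_errno;    /* errno from the DGRAM attempt, 0 on success */
    int raw_errno;      /* errno from the RAW attempt, 0 on success or if not tried */
};

/* Try the unprivileged ping socket first, then the RAW socket,
 * closing whichever one succeeds since only the outcome matters here. */
struct ping_probe_result probe_ping_socket(void)
{
    struct ping_probe_result r = { PING_NONE, 0, 0 };
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (fd >= 0) {
        close(fd);
        r.outcome = PING_DGRAM_OK;
        return r;
    }
    r.dgram_errno = errno;

    fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd >= 0) {
        close(fd);
        r.outcome = PING_RAW_OK;
        return r;
    }
    r.raw_errno = errno;
    return r;
}

/* Map the DGRAM errno to what an operator should look at next
 * (mainline returns EACCES when the caller's gid is outside
 * net.ipv4.ping_group_range; other values are reported as-is). */
const char *explain_dgram_errno(int err)
{
    switch (err) {
    case 0:
        return "ping socket available";
    case EACCES:
        return "ping sockets supported, but caller gid is outside net.ipv4.ping_group_range";
    case EPROTONOSUPPORT:
    case ESOCKTNOSUPPORT:
        return "kernel does not offer IPPROTO_ICMP datagram sockets";
    default:
        return "refused for another reason; inspect errno and container policy";
    }
}

int main(void)
{
    struct ping_probe_result r = probe_ping_socket();
    printf("DGRAM attempt: %s (errno=%d: %s)\n",
           r.dgram_errno ? "failed" : "ok", r.dgram_errno,
           explain_dgram_errno(r.dgram_errno));
    if (r.outcome == PING_RAW_OK)
        printf("fallback RAW socket: ok\n");
    else if (r.outcome == PING_NONE)
        printf("fallback RAW socket: failed (errno=%d: %s)\n",
               r.raw_errno, strerror(r.raw_errno));
    return r.outcome == PING_NONE ? 1 : 0;
}
```

Run it unprivileged inside a container and again after widening net.ipv4.ping_group_range on the host: before this patch the DGRAM attempt is refused by the container protocol check regardless of the sysctl, after it the sysctl alone decides, and a process without CAP_NET_RAW lands on PING_NONE when both gates are closed.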