[Devel] [PATCH RH7] enable ipproto_icmp inside containers
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Thu Jun 23 05:36:24 PDT 2016
On 06/23/2016 03:26 PM, Vasily Averin wrote:
> iputils-ping 20150815 fails inside containers
> because socket(PF_INET, SOCK_DGRAM, IPPROTO_ICMP)
> is restricted by vz_security_protocol_check()
>
> The patch enables creation of such sockets inside containers.
> By default sys_socket still fails
> because of the default setting of sysctl net.ipv4.ping_group_range;
> however, it's enough for iputils-ping 20150815.
> Its fallback handles this situation
> and successfully creates a RAW socket.
>
> In mainline it is enabled in MS kernel v3.13+, see:
> commit fd2d5356d902 ("ipv4: Allow unprivileged users to use per net sysctls")
> In future we're going to backport this patch and add its save/restore into criu.
>
> https://bugs.openvz.org/browse/OVZ-6744
>
> Signed-off-by: Vasily Averin <vvs at virtuozzo.com>
Acked-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
>
>
> diff-vz7-enable-ipproto_icmp-inside-containers
>
>
> diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
> index 53fa12d..ef521cf 100644
> --- a/kernel/ve/ve.c
> +++ b/kernel/ve/ve.c
> @@ -222,6 +222,7 @@ int vz_security_protocol_check(struct net *net, int protocol)
>
> switch (protocol) {
> case IPPROTO_IP:
> + case IPPROTO_ICMP:
> case IPPROTO_TCP:
> case IPPROTO_UDP:
> case IPPROTO_RAW:
>
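Review bot: the new `case IPPROTO_ICMP:` label admits ICMP datagram sockets for every container unconditionally, and the only thing that still makes unprivileged socket(PF_INET, SOCK_DGRAM, IPPROTO_ICMP) fail is the default value of net.ipv4.ping_group_range, which the commit message itself says is not yet per-net in this kernel (the fd2d5356d902 backport is listed as future work). A one-line comment above the new case saying that creation is gated by ping_group_range, not by vz_security_protocol_check(), would keep the next reader from assuming this check restricts ping sockets; the commit message should also state plainly that until the backport lands the single ping_group_range setting applies to all containers, so anyone widening it on the host widens it for every container.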
--
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.