[Devel] [PATCH RHEL7 COMMIT] ve/net: enable IPPROTO_ICMP inside Containers

Konstantin Khorenko khorenko at virtuozzo.com
Fri Jun 24 03:22:24 PDT 2016


The commit is pushed to "branch-rh7-3.10.0-327.18.2.vz7.14.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.18.2.vz7.14.19
------>
commit a387508fcb761c893c0e70bf20356f5bd879a8dd
Author: Vasily Averin <vvs at virtuozzo.com>
Date:   Fri Jun 24 14:22:24 2016 +0400

    ve/net: enable IPPROTO_ICMP inside Containers
    
    iputils-ping 20150815 fails inside containers because socket(PF_INET,
    SOCK_DGRAM, IPPROTO_ICMP) is restricted by vz_security_protocol_check()
    
    The patch enables creation of such sockets inside containers.
    By default sys_socket still fails because of the default setting of the sysctl
    net.ipv4.ping_group_range; however, it's enough for iputils-ping 20150815.
    Its fallback handles this situation and successfully creates RAW socket.
    
    In mainline it is enabled in MS kernel v3.13+, see:
    commit fd2d5356d902 ("ipv4: Allow unprivileged users to use per net sysctls")
    In future we're going to backport this patch and add its save/restore into criu.
    
    https://bugs.openvz.org/browse/OVZ-6744
    https://jira.sw.ru/browse/PSBM-47413
    
    Signed-off-by:	Vasily Averin <vvs at virtuozzo.com>
    Acked-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 kernel/ve/ve.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index d196e3e..b5399e1 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -227,6 +227,7 @@ int vz_security_protocol_check(struct net *net, int protocol)
 
 	switch (protocol) {
 	case  IPPROTO_IP:
+	case  IPPROTO_ICMP:
 	case  IPPROTO_TCP:
 	case  IPPROTO_UDP:
 	case  IPPROTO_RAW:
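Review bot: the new `case IPPROTO_ICMP:` line carries no comment, yet the commit message itself says socket(PF_INET, SOCK_DGRAM, IPPROTO_ICMP) still fails inside a container with the default net.ipv4.ping_group_range and that the per-net sysctl change (mainline fd2d5356d902) is not backported yet, so the only thing this line buys today is the iputils fallback to a RAW socket. A one-line comment next to the case pointing at OVZ-6744 / PSBM-47413 and the pending sysctl backport would stop the next reader from assuming unprivileged ICMP sockets already work in containers. Also worth stating in the message whether IPPROTO_ICMPV6 should be added alongside it (if this same check is reached for PF_INET6 sockets), since only the IPv4 protocol is listed here.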

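The commit message describes the userspace side of this change: iputils first asks for an unprivileged ICMP datagram socket, and when that is refused (here: by vz_security_protocol_check() before the patch, or by the ping_group_range default after it) it falls back to a RAW socket that needs CAP_NET_RAW. The following is an added example, not iputils' or the vzkernel's own code, that reproduces that probe so an operator can see from inside a container which path works and why; the helper names, the errno bookkeeping and the ping_group_range parsing are this example's own, and the sample range strings in main() are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Which socket type finally succeeded (example enum, not a kernel or iputils name). */
enum icmp_sock_kind { ICMP_SOCK_NONE = 0, ICMP_SOCK_DGRAM = 1, ICMP_SOCK_RAW = 2 };

/*
 * Parse a "<low>\t<high>" line as found in /proc/sys/net/ipv4/ping_group_range
 * and report whether gid falls inside it. The kernel default is "1\t0", an
 * empty range, which is why the DGRAM/ICMP socket fails for every group.
 */
int gid_in_ping_group_range(const char *line, unsigned long gid)
{
	unsigned long lo, hi;

	if (!line || sscanf(line, "%lu %lu", &lo, &hi) != 2)
		return 0;
	return lo <= hi && gid >= lo && gid <= hi;
}

/* Read the live sysctl into buf; returns 1 on success, 0 if unreadable. */
int read_ping_group_range(char *buf, size_t len)
{
	FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");

	if (!f)
		return 0;
	if (!fgets(buf, (int)len, f)) {
		fclose(f);
		return 0;
	}
	fclose(f);
	return 1;
}

/*
 * The iputils-style probe: try the unprivileged datagram ICMP socket first,
 * fall back to RAW on any failure. The errno of each attempt is recorded so
 * the caller can tell "not permitted by the container" from "not in
 * ping_group_range" from "no CAP_NET_RAW".
 */
int open_icmp_socket(enum icmp_sock_kind *kind, int *dgram_errno, int *raw_errno)
{
	int fd;

	*kind = ICMP_SOCK_NONE;
	*dgram_errno = 0;
	*raw_errno = 0;

	fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
	if (fd >= 0) {
		*kind = ICMP_SOCK_DGRAM;
		return fd;
	}
	*dgram_errno = errno;

	fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
	if (fd >= 0) {
		*kind = ICMP_SOCK_RAW;
		return fd;
	}
	*raw_errno = errno;
	return -1;
}

int main(void)
{
	char range[64];
	enum icmp_sock_kind kind;
	int dgram_err, raw_err, fd;

	if (read_ping_group_range(range, sizeof range))
		printf("ping_group_range=%s  gid %lu inside: %s\n",
		       strtok(range, "\n"), (unsigned long)getgid(),
		       gid_in_ping_group_range(range, getgid()) ? "yes" : "no");
	else
		printf("ping_group_range: unreadable (%s)\n", strerror(errno));

	fd = open_icmp_socket(&kind, &dgram_err, &raw_err);
	printf("SOCK_DGRAM/IPPROTO_ICMP: %s\n",
	       dgram_err ? strerror(dgram_err) : "ok");
	if (kind != ICMP_SOCK_DGRAM)
		printf("SOCK_RAW/IPPROTO_ICMP:   %s\n",
		       raw_err ? strerror(raw_err) : "ok");
	printf("result: %s\n", kind == ICMP_SOCK_DGRAM ? "unprivileged ping socket" :
	       kind == ICMP_SOCK_RAW ? "raw socket fallback" : "no ICMP socket");
	if (fd >= 0)
		close(fd);
	return 0;
}
```

Run it once as an unprivileged user inside a container before and after the patch: before, the DGRAM attempt is rejected by the container protocol check; after, it is rejected only by ping_group_range, and widening that range (once the sysctl is writable per container) is what makes the first branch succeed without CAP_NET_RAW.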
