[Devel] [PATCH rh7] kmod: Allow netfilter conntrack inside VE

Cyrill Gorcunov gorcunov at virtuozzo.com
Fri May 20 11:00:15 PDT 2016


Netfilter conntrack module is used during checkpoint (which
is done on node) so the modules get autoloaded but in case
of migration the restore starts inside veX so we need to allow
the conntrack to be requested from ve context. Thus add them
into whitelist.

Initially missed them in ebc70d73717f592c89ad992f77587d9e118bbee6.

https://jira.sw.ru/browse/PSBM-47359

CC: Vladimir Davydov <vdavydov at virtuozzo.com>
CC: Konstantin Khorenko <khorenko at virtuozzo.com>
CC: Andrey Vagin <avagin at openvz.org>
CC: Pavel Emelyanov <xemul at virtuozzo.com>
Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
---
 kernel/kmod.c |    2 ++
 1 file changed, 2 insertions(+)

Index: linux-pcs7.git/kernel/kmod.c
===================================================================
--- linux-pcs7.git.orig/kernel/kmod.c
+++ linux-pcs7.git/kernel/kmod.c
@@ -392,6 +392,8 @@ static const char * const ve0_allowed_mo
 
 	/* nfnetlink  */
 	"net-pf-16-proto-12",		/* PF_NETLINK, NETLINK_NETFILTER */
+	"nfnetlink-subsys-1",		/* NFNL_SUBSYS_CTNETLINK */
+	"nfnetlink-subsys-2",		/* NFNL_SUBSYS_CTNETLINK_EXP */
 
 	/* unix_diag */
 	"net-pf-16-proto-4-type-1",	/* PF_NETLINK, NETLINK_SOCK_DIAG, AF_LOCAL */
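Review bot: The two entries added after "net-pf-16-proto-12" widen the set of modules a process in VE context can ask the kernel to autoload, but the reason is recorded only in the commit message; the in-code comments give just the subsystem constant names. Consider a short comment above them stating that they are needed because restore runs inside the VE during migration, so a later audit of this whitelist can tell why ctnetlink is reachable from a container. The subsystem numbers 1 and 2 are also hard-coded in the alias strings, so it is worth noting that they have to stay in step with NFNL_SUBSYS_CTNETLINK and NFNL_SUBSYS_CTNETLINK_EXP.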

