[Devel] [PATCH RHEL7 COMMIT] ve/kmod: Allow netfilter conntrack inside VE
Konstantin Khorenko
khorenko at virtuozzo.com
Mon May 23 01:30:54 PDT 2016
The commit is pushed to "branch-rh7-3.10.0-327.18.2.vz7.14.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.18.2.vz7.14.5
------>
commit a8ef72a3c2ea4be45efd3acff5dca260097d7d2b
Author: Cyrill Gorcunov <gorcunov at virtuozzo.com>
Date: Mon May 23 12:30:53 2016 +0400
ve/kmod: Allow netfilter conntrack inside VE
Netfilter conntrack module is used during checkpoint (which
is done on node) so the modules get autoloaded but in case
of migration the restore starts inside veX so we need to allow
the conntrack to be requested from ve context. Thus add them
into whitelist.
Initially missed them in ebc70d73717f592c89ad992f77587d9e118bbee6.
https://jira.sw.ru/browse/PSBM-47359
CC: Vladimir Davydov <vdavydov at virtuozzo.com>
CC: Konstantin Khorenko <khorenko at virtuozzo.com>
CC: Andrey Vagin <avagin at openvz.org>
CC: Pavel Emelyanov <xemul at virtuozzo.com>
Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
---
kernel/kmod.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/kmod.c b/kernel/kmod.c
index be5fbbf..14879c5 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -392,6 +392,8 @@ static const char * const ve0_allowed_mod[] = {
/* nfnetlink */
"net-pf-16-proto-12", /* PF_NETLINK, NETLINK_NETFILTER */
+ "nfnetlink-subsys-1", /* NFNL_SUBSYS_CTNETLINK */
+ "nfnetlink-subsys-2", /* NFNL_SUBSYS_CTNETLINK_EXP */
/* unix_diag */
"net-pf-16-proto-4-type-1", /* PF_NETLINK, NETLINK_SOCK_DIAG, AF_LOCAL */