[Devel] [PATCH 1/3] ve/sysctl/net: allow net.ipv4.vs.* in CT init userns
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Tue Apr 25 08:59:52 PDT 2017
Swarm uses ipvs to route and balance external traffic to cluster nodes.
Swarm wants to enable /proc/sys/net/ipv4/vs/conntrack in CT for its
packets being SNATed by ipvs.
https://jira.sw.ru/browse/PSBM-63883
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
net/netfilter/ipvs/ip_vs_ctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 0d8330f..db4563d 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -3723,7 +3723,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
return -ENOMEM;
/* Don't export sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns)
+ if (ve_net_hide_sysctl(net))
tbl[0].procname = NULL;
} else
tbl = vs_vars;
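Review bot: The comment above the changed condition still says "Don't export sysctls to unprivileged users", but with ve_net_hide_sysctl(net) the table is now exported to a container's init user namespace as well, so the comment should be updated to say which namespaces are allowed. Because tbl[0].procname = NULL hides or exposes the whole table at once, this opens every net.ipv4.vs.* entry to the container, while the commit message only motivates conntrack. Please state in the changelog that the other entries are safe to write from inside a CT, or limit the exposure to the entry that is needed. ve_net_hide_sysctl() is not defined in this patch, so its exact condition cannot be checked from this hunk; a pointer to where it is introduced would help.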
--
2.9.3