[Devel] [PATCH rh7] ve/net/core: allow to call setsockopt(SO_SNDBUFFORCE) from Containers
Andrey Ryabinin
aryabinin at virtuozzo.com
Fri Oct 25 12:05:10 MSK 2019
On 10/24/19 7:06 PM, Konstantin Khorenko wrote:
> "nft" util (in CentOS 8 environment) does use setsockopt(SO_SNDBUFFORCE)
> unconditionally, so we have to allow it from inside a Container.
>
> At the same time we don't want to allow a Container to set too much
> memory for a socket, so just treat SO_SNDBUFFORCE like SO_SNDBUF if
> called inside a Container.
>
> Simple rule to test:
> # nft add rule filter INPUT ct state related,established accept
>
> https://jira.sw.ru/browse/PSBM-98794
>
> Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
> ---
Acked-by: Andrey Ryabinin <aryabinin at virtuozzo.com>