[Devel] [PATCH rh8 00/28] ve/kmod: Kernel modules autoload from CT feature
Konstantin Khorenko
khorenko at virtuozzo.com
Tue Apr 13 11:25:10 MSK 2021
The patchset basically:
1. drops per-CT iptables mask functionality, including
ve::ve.iptables_mask interface.
"NETFILTER=" CT config option to be dropped as well.
Since now all iptables/nftables/netfilter modules
will be always available inside Containers.
2. introduces a whitelist of modules which are allowed to be autoloaded
upon request from inside a Container.
Note: modprobe's blacklist is HONORED on indirect modules autoload
upon request from inside a Container.
When a kernel module is indirectly loaded on Host, the blacklist is
omitted (generic behavior).
3. introduces a tweak to disable modules autoload from inside a CT:
"kernel.ve_allow_module_load" sysctl (enabled by default).
List of modules for autoload from inside a CT:
- iptables/nftables/netfilter modules.
I might miss some of them, but the intention is to make them all in the
list.
- subset of netlink modules (for CRIU)
- vxlan, ipvs, nfs, ts_kmp
https://jira.sw.ru/browse/PSBM-127525
https://jira.sw.ru/browse/PSBM-127787
https://jira.sw.ru/browse/PSBM-128388
Andrey Ryabinin (2):
ve/kmod/whitelist: Allow ip6tables_raw modules autoload upon request from CT
ve/kmod/whitelist: Allow nf_tables module autoloading on request from CT
Cyrill Gorcunov (1):
ve/kmod/whitelist: Add modules to whitelist for c/r sake
Kirill Tkhai (2):
ve/kmod/whitelist: Allow conntrack nft-helper-* modules autoloading
ve/kmod/whitelist: Allow ts_kmp module autoloading
Konstantin Khorenko (15):
Revert "ve/net: Track netfilter modules per net-namespace"
Revert "ve: Add support of iptables mask"
Revert "ve/netfilter: check per-ve netfilter status on actual operation"
Revert "ve/net: Add ipt_mask checks into ip6table_nat"
ve/proc/netfilter: Get rid of per-CT iptables mask
Revert "ve/net: Add VE_NF_CONNTRACK check in resolve_normal_ct()"
ve/sysctl/netfilter: Include ve.h header into net/netfilter/nf_conntrack_standalone.c
ve/sysctl/net: Include ve.h header in net/netfilter/ipvs/ip_vs_ctl.c
ve/sysctl/kmod: Introduce tweak to allow indirect modules load from CT
ve/kmod: Honor modprobe blacklist on indirect modules autoload from CT
ve/kmod/whitelist: Infrustructure for list of modules to autoload from CT
ve/kmod/whitelist: Allow iptables/netfilter modules for autoload from CT
ve/kmod/whitelist: List of allowed to autoload in CT modules (non-netfilters)
ve/kmod/whitelist: Allow nfnetlink_queue module autoload from CT
ve/kmod/whitelist: Allow "nft_compat" module autoload from inside a Container
Pavel Tikhomirov (6):
ve/kmod/whitelist: Allow dummy module autoloading
ve/kmod/whitelist: Enable vxlan module autoload from inside a Container
ve/kmod/whitelist: Allow IPVS modules autoload in CT
ve/kmod/whitelist: Allow netfilter/ipset modules autoload from inside a CT
ve/kmod/whitelist: make nfnetlink_log autoloadable upon request from a CT
ve/kmod/whitelist: Make fib modules autoloadable from CT
Stanislav Kinsburskiy (1):
ve/kmod/whitelist: Allow NFS modules autoload in Containers
Vasily Averin (1):
ve/kmod/whitelist: Enable autoload for iptables security tables from inside CT
include/linux/kmod.h | 5 +
include/linux/netfilter.h | 32 ----
include/linux/sysctl.h | 2 +
include/linux/ve.h | 4 -
include/linux/vziptable_defs.h | 22 ---
include/net/net_namespace.h | 3 -
include/uapi/linux/vziptable_defs.h | 80 ----------
kernel/Kconfig.openvz | 8 -
kernel/kmod.c | 196 ++++++++++++++++++++++--
kernel/sysctl.c | 16 ++
kernel/ve/ve.c | 66 --------
net/core/net_namespace.c | 4 -
net/ipv4/ip_sockglue.c | 10 +-
net/ipv6/netfilter/ip6table_nat.c | 4 -
net/netfilter/ipvs/ip_vs_ctl.c | 1 +
net/netfilter/nf_conntrack_core.c | 3 -
net/netfilter/nf_conntrack_standalone.c | 1 +
net/netfilter/x_tables.c | 5 +-
18 files changed, 213 insertions(+), 249 deletions(-)
delete mode 100644 include/linux/vziptable_defs.h
delete mode 100644 include/uapi/linux/vziptable_defs.h
--
2.28.0