[Devel] [PATCH rh8 12/28] ve/kmod/whitelist: Allow iptables/netfilter modules for autoload from CT
Konstantin Khorenko
khorenko at virtuozzo.com
Tue Apr 13 11:25:22 MSK 2021
For now the following modules are allowed by default to be autoloaded
upon indirect request from inside a Container:
* iptables/ip6tables core modules
* netfilter core modules (including nf_tables_inet)
https://jira.sw.ru/browse/PSBM-99406
* xt_*, ipt_*, ip6t_*, arpt_*,
nft-chain-*, nft-expr-*, nf-logger-* modules
* ebt* modules: previously we allowed autoloading of ebt_* modules only
upon request from inside a Container, but there are several ebtables_*
modules to be allowed as well, thus allow all ebt* modules for that.
(The default CentOS 7.3 firewalld service inside a CT complains about that.)
https://jira.sw.ru/browse/PSBM-66435
* all nf_* and nft_* modules
https://jira.sw.ru/browse/PSBM-99536
https://jira.sw.ru/browse/PSBM-127787
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
It's a port of the following vz7 commits:
* 3a4142e ("ve/kmod: Port autoloading from CT") (partially)
* f9422b8 ("ve/kmod: Add rules for autoloading (new) nf_tables")
* ccd1a1d ("ve/kmod: Add rules for new {ip, ip6, x}table modules")
* fe6a9073 ("ve/kmod: allow to autoload nf_log_ipv[46]")
* b221ce6 ("ve/kmod/ebtable: allow to autoload ebtable_* modules
from inside a CT")
* 24f61ddc955f ("ve/kmod: enable autoload for nf_tables_inet module
from inside a CT")
* 0995da4719da ("ve/kmod: make all nf_* and nft_* autoloadable upon
request from a CT")
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
kernel/kmod.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
diff --git a/kernel/kmod.c b/kernel/kmod.c
index 7d343ec8d145..b414c6dcd6f4 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -204,6 +204,35 @@ EXPORT_SYMBOL(__request_module);
/* ve0 allowed modules */
static const char * const ve0_allowed_mod[] = {
+ "ip_tables",
+ "ip6_tables",
+ "iptable_filter",
+ "iptable_raw",
+ "iptable_nat",
+ "iptable_mangle",
+ "ip6table_filter",
+ "ip6table_nat",
+ "ip6table_mangle",
+
+ "nf-nat",
+ "nf_conncount",
+ "nf_defrag_ipv4",
+ "nf_defrag_ipv6",
+ "nf_dup_ipv4",
+ "nf_dup_ipv6",
+ "nf_dup_netdev",
+ "nf_flow_table",
+ "nf-flowtable-1",
+ "nf_flow_table_inet",
+ "nf_osf",
+ "nf_reject_ipv6",
+ "nf_socket_ipv4",
+ "nf_socket_ipv6",
+ "nf_synproxy_core",
+
+ "nft-set",
+ "nf_tproxy_ipv4",
+ "nf_tproxy_ipv6",
};
/*
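Review bot: the new ve0_allowed_mod entries are asymmetric between IPv4 and IPv6, and the commit message does not say this is intended: "iptable_raw" is listed but there is no "ip6table_raw", and "nf_reject_ipv6" is listed but there is no "nf_reject_ipv4". If the missing counterparts are covered elsewhere (e.g. by a name mask), a short comment above the array saying so would save the next reader the same question; otherwise they should be added here so that an ip6tables raw table or an IPv4 REJECT target from a CT does not fail to autoload while its sibling succeeds. The array also mixes real module names ("nf_flow_table") with request aliases ("nf-nat", "nf-flowtable-1", "nft-set"); that is fine for __request_module(), but a comment noting that entries are matched against whatever string the requester passes, alias or name, would make the list easier to maintain.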
@@ -225,6 +254,23 @@ bool module_payload_allowed(const char *module)
return true;
}
+ /* modules allowed by name/alias masks */
+ if (!strncmp("xt_", module, 3) ||
+ !strncmp("ip_conntrack", module, 12) ||
+ !strncmp("ip_nat_", module, 7) ||
+ !strncmp("ipt_", module, 4) ||
+ !strncmp("ip6t_", module, 5) ||
+ !strncmp("arpt_", module, 5) ||
+ !strncmp("ebt", module, 4) ||
+ !strncmp("nft-chain-", module, 10) ||
+ !strncmp("nft-expr-", module, 9) ||
+ !strncmp("nf_nat", module, 6) ||
+ !strncmp("nf_log_", module, 7) ||
+ !strncmp("nf-logger-", module, 10) ||
+ !strncmp("nf_conntrack", module, 12) ||
+ !strncmp("nfct-helper-", module, 12))
+ return true;
+
return false;
}
#endif /* CONFIG_VE */
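Review bot: the ebt mask is wrong: `!strncmp("ebt", module, 4)` compares four bytes, and the fourth byte of the literal is its terminating NUL, so the expression is true only when `module` is exactly "ebt"; "ebt_ip", "ebtable_filter" and the other ebt* modules the commit message sets out to allow all fail this check. The length must match the prefix, i.e. `!strncmp("ebt", module, 3)` (the other masks in this block use the correct lengths: 3 for "xt_", 12 for "nf_conntrack", 12 for "nfct-helper-"). Separately, the commit message and the ported vz7 commit 0995da4719da say "all nf_* and nft_* modules" become autoloadable from a CT, but this hunk adds no `nf_` or `nft_` prefix mask, only the narrower "nf_nat", "nf_log_", "nf_conntrack", "nft-chain-" and "nft-expr-" masks; either the broad mask was dropped during the port and should be added, or the message should be corrected to list what is actually allowed. Since this function widens what a Container can make the host kernel load, the mask list deserves a comment explaining why prefix matching (rather than an explicit list) is considered safe for these families.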
--
2.28.0