[Devel] [PATCH RH9 04/20] commit 04248b3ff00d

Kirill Tkhai ktkhai at virtuozzo.com
Fri Oct 8 12:50:52 MSK 2021


From: Konstantin Khorenko <khorenko at virtuozzo.com>

ve/kmod/whitelist: Allow iptables/netfilter modules for autoload from CT

For now the following modules are allowed by default to be autoloaded
upon indirect request from inside a Container:

* iptables/ip6tables core modules
* netfilters core modules (including nf_tables_inet)
  https://jira.sw.ru/browse/PSBM-99406

* xt_*, ipt_*, ip6t_*, arpt_*,
  nft-chain-*, nft-expr-*, nf-logger-* modules

* ebt* modules: previously we allowed only ebt_* modules to be autoloaded
  upon request from inside a Container, but there are several ebtables_*
  modules to be allowed as well, thus allow all ebt* modules.
  (The default CentOS 7.3 firewalld service inside a CT complains about that.)
  https://jira.sw.ru/browse/PSBM-66435

* all nf_* and nft_* modules
  https://jira.sw.ru/browse/PSBM-99536

https://jira.sw.ru/browse/PSBM-127787

Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>

It's a port of the following vz7 commits:
 * 3a4142e      ("ve/kmod: Port autoloading from CT") (partially)
 * f9422b8      ("ve/kmod: Add rules for autoloading (new) nf_tables")
 * ccd1a1d      ("ve/kmod: Add rules for new {ip, ip6, x}table modules")
 * fe6a9073     ("ve/kmod: allow to autoload nf_log_ipv[46]")
 * b221ce6      ("ve/kmod/ebtable: allow to autoload ebtable_* modules
                 from inside a CT")
 * 24f61ddc955f ("ve/kmod: enable autoload for nf_tables_inet module
                 from inside a CT")
 * 0995da4719da ("ve/kmod: make all nf_* and nft_* autoloadable upon
                 request from a CT")

Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 kernel/kmod.c |   46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/kernel/kmod.c b/kernel/kmod.c
index 7915397fcf46..7472184200f2 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -202,6 +202,35 @@ EXPORT_SYMBOL(__request_module);
 
 /* ve0 allowed modules */
 static const char * const ve0_allowed_mod[] = {
+	"ip_tables",
+	"ip6_tables",
+	"iptable_filter",
+	"iptable_raw",
+	"iptable_nat",
+	"iptable_mangle",
+	"ip6table_filter",
+	"ip6table_nat",
+	"ip6table_mangle",
+
+	"nf-nat",
+	"nf_conncount",
+	"nf_defrag_ipv4",
+	"nf_defrag_ipv6",
+	"nf_dup_ipv4",
+	"nf_dup_ipv6",
+	"nf_dup_netdev",
+	"nf_flow_table",
+	"nf-flowtable-1",
+	"nf_flow_table_inet",
+	"nf_osf",
+	"nf_reject_ipv6",
+	"nf_socket_ipv4",
+	"nf_socket_ipv6",
+	"nf_synproxy_core",
+
+	"nft-set",
+	"nf_tproxy_ipv4",
+	"nf_tproxy_ipv6",
 };
 
 /*
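Review bot: the new entries do not include "nf_tables_inet" even though the description (PSBM-99406) says it is allowed by default, and the name masks added later in this patch do not cover an "nf_tables" prefix either; either add it to this table or adjust the description. Also, "nf_reject_ipv6" is listed without an "nf_reject_ipv4" counterpart while every other ipv4/ipv6 pair here is symmetric, which looks accidental. Since several entries ("nf-nat", "nf-flowtable-1", "nft-set") are request_module() alias strings rather than .ko names (module names cannot carry a hyphen), a one-line comment above the array saying that it is matched against the requested string, alias or name, would help whoever extends it next.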
@@ -223,6 +252,23 @@ bool module_payload_allowed(const char *module)
 			return true;
 	}
 
+	/* modules allowed by name/alias masks */
+	if (!strncmp("xt_",		module,  3) ||
+	    !strncmp("ip_conntrack",	module, 12) ||
+	    !strncmp("ip_nat_",		module,  7) ||
+	    !strncmp("ipt_",		module,  4) ||
+	    !strncmp("ip6t_",		module,  5) ||
+	    !strncmp("arpt_",		module,  5) ||
+	    !strncmp("ebt",		module,  4) ||
+	    !strncmp("nft-chain-",	module, 10) ||
+	    !strncmp("nft-expr-",	module,  9) ||
+	    !strncmp("nf_nat",		module,  6) ||
+	    !strncmp("nf_log_",		module,  7) ||
+	    !strncmp("nf-logger-",	module, 10) ||
+	    !strncmp("nf_conntrack",	module, 12) ||
+	    !strncmp("nfct-helper-",	module, 12))
+		return true;
+
 	return false;
 }
 #endif /* CONFIG_VE */
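Review bot: the "ebt" mask is given length 4 but the prefix is only three characters, so in `!strncmp("ebt", module, 4)` strncmp() also compares the literal's terminating NUL against the module's fourth character and the test succeeds only for a module named exactly "ebt"; ebtables, ebtable_filter and ebt_* would all be rejected, contrary to the description. Use 3 here, and consider a small helper that derives the length from the literal (sizeof(prefix) - 1) so the other thirteen hand-counted lengths cannot drift the same way. Separately, the description and the ported commit 0995da4719da say all nf_* and nft_* modules become autoloadable, but the masks here cover only nf_nat, nf_log_, nf_conntrack, nft-chain- and nft-expr-; either add the broader masks or narrow the description to what this hunk actually allows.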