[Devel] [PATCH vz10] ve/sysctl/kmod: fix concatenated "ip_vs" entry in ve0_allowed_mod[]

Konstantin Khorenko khorenko at virtuozzo.com
Thu Jun 4 12:06:08 MSK 2026


The "ip_vs" entry in ve0_allowed_mod[] was missing its trailing comma:

	/* IPVS */
	"ip_vs"
	"ip_vs_ftp",

C adjacent string-literal concatenation merged the two into a single
array element "ip_vsip_vs_ftp", so neither "ip_vs" nor "ip_vs_ftp"
existed as an allowlist entry. module_payload_allowed() matches with
exact strcmp() against ve0_allowed_mod[], so a container requesting the
ip_vs (or ip_vs_ftp) module was denied - which also defeated the IPVS
sockopt autoloading that nf_sockopt_request_module() relies on inside a
CT (request_module("ip_vs") then failed the allowlist check).

Add the missing comma so both module names become separate entries.

Fixes: 6983be649e95 ("ve/netfilter: Add autoloading of sockopt modules")
https://virtuozzo.atlassian.net/browse/VSTOR-132310
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 kernel/module/kmod.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/module/kmod.c b/kernel/module/kmod.c
index cea8ee9c09e2..ed35db21d66e 100644
--- a/kernel/module/kmod.c
+++ b/kernel/module/kmod.c
@@ -295,7 +295,7 @@ static const char * const ve0_allowed_mod[] = {
 	"nfsv4",
 
 	/* IPVS */
-	"ip_vs"
+	"ip_vs",
 	"ip_vs_ftp",
 	"ip_vs_nq",
 	"ip_vs_wlc",
-- 
2.47.1
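The failure mode described in the commit message, reproduced in user space as an added example (this is not code from the patch or from the Virtuozzo tree). The arrays are constructed and shortened, name_allowed() is a hypothetical stand-in for the exact strcmp() match, and the entry-count assertion is one possible build-time guard:

```c
#include <stddef.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed "before" list: the comma after "ip_vs" is missing, so the
 * compiler concatenates the two literals into "ip_vsip_vs_ftp".
 * clang reports this pattern with -Wstring-concatenation. */
static const char * const allowed_before[] = {
	"nfsv4",
	"ip_vs"
	"ip_vs_ftp",
	"ip_vs_nq",
};

/* Constructed "after" list with the comma restored. */
static const char * const allowed_after[] = {
	"nfsv4",
	"ip_vs",
	"ip_vs_ftp",
	"ip_vs_nq",
};

/* Build-time guard (assumption, not in the patch): a merged pair of
 * names changes the element count and breaks the build. */
_Static_assert(ARRAY_SIZE(allowed_after) == 4,
	       "allowlist entry count changed: check for a missing comma");

/* Hypothetical stand-in for the exact-match allowlist lookup. */
static int name_allowed(const char * const *list, size_t n, const char *name)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (!strcmp(list[i], name))
			return 1;
	return 0;
}

static size_t before_count(void) { return ARRAY_SIZE(allowed_before); }
static size_t after_count(void) { return ARRAY_SIZE(allowed_after); }

int main(void)
{
	/* Exit 0 when the broken list denies "ip_vs" and the fixed one allows it. */
	return !(!name_allowed(allowed_before, before_count(), "ip_vs") &&
		 name_allowed(allowed_after, after_count(), "ip_vs"));
}
```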


