[Devel] [PATCH vz10] ve/sysctl/kmod: fix concatenated "ip_vs" entry in ve0_allowed_mod[]
Konstantin Khorenko
khorenko at virtuozzo.com
Thu Jun 4 12:06:08 MSK 2026
The "ip_vs" entry in ve0_allowed_mod[] was missing its trailing comma:

    /* IPVS */
    "ip_vs"
    "ip_vs_ftp",

C adjacent string-literal concatenation merged the two into a single
array element "ip_vsip_vs_ftp", so neither "ip_vs" nor "ip_vs_ftp"
existed as an allowlist entry. module_payload_allowed() matches with
exact strcmp() against ve0_allowed_mod[], so a container requesting the
ip_vs (or ip_vs_ftp) module was denied - which also defeated the IPVS
sockopt autoloading that nf_sockopt_request_module() relies on inside a
CT (request_module("ip_vs") then failed the allowlist check).

Add the missing comma so both module names become separate entries.

Fixes: 6983be649e95 ("ve/netfilter: Add autoloading of sockopt modules")
https://virtuozzo.atlassian.net/browse/VSTOR-132310
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
kernel/module/kmod.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/module/kmod.c b/kernel/module/kmod.c
index cea8ee9c09e2..ed35db21d66e 100644
--- a/kernel/module/kmod.c
+++ b/kernel/module/kmod.c
@@ -295,7 +295,7 @@ static const char * const ve0_allowed_mod[] = {
"nfsv4",
/* IPVS */
- "ip_vs"
+ "ip_vs",
"ip_vs_ftp",
"ip_vs_nq",
"ip_vs_wlc",
--
2.47.1