[Devel] [PATCH vz10] ve/sysctl/kmod: fix concatenated "ip_vs" entry in ve0_allowed_mod[]

Vasileios Almpanis vasileios.almpanis at virtuozzo.com
Fri Jun 5 08:48:04 MSK 2026


Reviewed-by: Vasileios Almpanis <vasileios.almpanis at virtuozzo.com>

On 6/4/26 11:06 AM, Konstantin Khorenko wrote:
> The "ip_vs" entry in ve0_allowed_mod[] was missing its trailing comma:
>
> 	/* IPVS */
> 	"ip_vs"
> 	"ip_vs_ftp",
>
> C adjacent string-literal concatenation merged the two into a single
> array element "ip_vsip_vs_ftp", so neither "ip_vs" nor "ip_vs_ftp"
> existed as an allowlist entry. module_payload_allowed() matches with
> exact strcmp() against ve0_allowed_mod[], so a container requesting the
> ip_vs (or ip_vs_ftp) module was denied - which also defeated the IPVS
> sockopt autoloading that nf_sockopt_request_module() relies on inside a
> CT (request_module("ip_vs") then failed the allowlist check).
>
> Add the missing comma so both module names become separate entries.
>
> Fixes: 6983be649e95 ("ve/netfilter: Add autoloading of sockopt modules")
> https://virtuozzo.atlassian.net/browse/VSTOR-132310
> Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
> ---
>   kernel/module/kmod.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/module/kmod.c b/kernel/module/kmod.c
> index cea8ee9c09e2..ed35db21d66e 100644
> --- a/kernel/module/kmod.c
> +++ b/kernel/module/kmod.c
> @@ -295,7 +295,7 @@ static const char * const ve0_allowed_mod[] = {
>   	"nfsv4",
>   
>   	/* IPVS */
> -	"ip_vs"
> +	"ip_vs",
>   	"ip_vs_ftp",
>   	"ip_vs_nq",
>   	"ip_vs_wlc",
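Review bot: The rest of ve0_allowed_mod[] should be audited for the same slip, since the comma added after "ip_vs" fixes only the IPVS group and the hunk shows just a few neighbouring entries ("nfsv4", "ip_vs_ftp", "ip_vs_nq", "ip_vs_wlc"). The missing comma compiled silently and surfaced only as a runtime denial from the exact strcmp() match, so nothing in this change would catch a second occurrence elsewhere in the array. Consider stating in the commit message that the whole initializer was checked, and building this file with a warning for suspicious literal concatenation in array initializers (clang has -Wstring-concatenation) so a recurrence is flagged at build time.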

-- 
Best regards, Vasileios Almpanis
Software Developer, Virtuozzo.
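The failure mode described in the commit message, as an added example that is not code from the patch or from the Virtuozzo kernel: the two arrays are constructed excerpts of the allowlist before and after the fix, and `count_adjacent_literals()` is a hypothetical lint that flags a string literal followed, across whitespace only, by another literal (it does not parse comments or character constants).

```c
#include <stdio.h>
#include <string.h>
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed excerpt of the list before the fix: no comma after "ip_vs". */
static const char * const broken_mod[] = {
	"nfsv4", "ip_vs" "ip_vs_ftp", "ip_vs_nq",
};
/* The same excerpt after the fix. */
static const char * const fixed_mod[] = {
	"nfsv4", "ip_vs", "ip_vs_ftp", "ip_vs_nq",
};

/* Exact strcmp() match, the lookup style the commit message describes. */
static int allowed(const char * const *list, size_t n, const char *name)
{
	for (size_t i = 0; i < n; i++)
		if (strcmp(list[i], name) == 0)
			return 1;
	return 0;
}

/* Hypothetical lint: count literals followed, across whitespace only, by another literal. */
static int count_adjacent_literals(const char *src)
{
	int hits = 0;
	for (const char *p = src; *p; p++) {
		if (*p != '"')
			continue;
		for (p++; *p && *p != '"'; p++)	/* skip the literal body */
			if (*p == '\\' && p[1])
				p++;		/* step over an escaped character */
		if (!*p)
			break;			/* unterminated literal */
		const char *q = p + 1;
		while (*q == ' ' || *q == '\t' || *q == '\n')
			q++;
		if (*q == '"')
			hits++;
	}
	return hits;
}

int main(void)
{
	printf("ip_vs allowed: broken=%d fixed=%d\n",
	       allowed(broken_mod, ARRAY_SIZE(broken_mod), "ip_vs"),
	       allowed(fixed_mod, ARRAY_SIZE(fixed_mod), "ip_vs"));
	printf("lint hits: %d\n", count_adjacent_literals("\t\"ip_vs\"\n\t\"ip_vs_ftp\",\n"));
	return 0;
}
```

The broken array has three elements instead of four, which is why neither module name matches while the merged string "ip_vsip_vs_ftp" does.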


