[Devel] [PATCH vz10] ve/sysctl/kmod: fix concatenated "ip_vs" entry in ve0_allowed_mod[]
Vasileios Almpanis
vasileios.almpanis at virtuozzo.com
Fri Jun 5 08:48:04 MSK 2026
Reviewed-by: Vasileios Almpanis <vasileios.almpanis at virtuozzo.com>
On 6/4/26 11:06 AM, Konstantin Khorenko wrote:
> The "ip_vs" entry in ve0_allowed_mod[] was missing its trailing comma:
>
> /* IPVS */
> "ip_vs"
> "ip_vs_ftp",
>
> C adjacent string-literal concatenation merged the two into a single
> array element "ip_vsip_vs_ftp", so neither "ip_vs" nor "ip_vs_ftp"
> existed as an allowlist entry. module_payload_allowed() matches with
> exact strcmp() against ve0_allowed_mod[], so a container requesting the
> ip_vs (or ip_vs_ftp) module was denied - which also defeated the IPVS
> sockopt autoloading that nf_sockopt_request_module() relies on inside a
> CT (request_module("ip_vs") then failed the allowlist check).
>
> Add the missing comma so both module names become separate entries.
>
> Fixes: 6983be649e95 ("ve/netfilter: Add autoloading of sockopt modules")
> https://virtuozzo.atlassian.net/browse/VSTOR-132310
> Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
> ---
> kernel/module/kmod.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/module/kmod.c b/kernel/module/kmod.c
> index cea8ee9c09e2..ed35db21d66e 100644
> --- a/kernel/module/kmod.c
> +++ b/kernel/module/kmod.c
> @@ -295,7 +295,7 @@ static const char * const ve0_allowed_mod[] = {
> "nfsv4",
>
> /* IPVS */
> - "ip_vs"
> + "ip_vs",
> "ip_vs_ftp",
> "ip_vs_nq",
> "ip_vs_wlc",
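Review bot: The comma added at the "ip_vs" line fixes this one entry, but nothing in the hunk guards the other entries of ve0_allowed_mod[] against the same omission, and the rest of the array is not visible here. Since a missing comma compiles cleanly and silently drops two names from an exact-match allowlist, it is worth auditing the whole initializer for literals that lack a trailing comma and adding a build-time or test check (for example on the expected entry count, or a self-test that each intended name is found) so a recurrence is caught before it reaches a container.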
--
Best regards, Vasileios Almpanis
Software Developer, Virtuozzo.
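
The failure described in the quoted commit message, reproduced as an added example that is not part of the original mail or the kernel source. The arrays are shortened to the entries visible in the hunk, and name_allowed() and ARRAY_LEN() are hypothetical stand-ins that only mirror the exact strcmp() matching the message describes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* "Before": missing comma after "ip_vs", as in the quoted commit message. */
static const char * const allowed_before[] = {
	"nfsv4",
	/* IPVS */
	"ip_vs"
	"ip_vs_ftp",
	"ip_vs_nq",
	"ip_vs_wlc",
};

/* "After": each module name is its own array element. */
static const char * const allowed_after[] = {
	"nfsv4",
	/* IPVS */
	"ip_vs",
	"ip_vs_ftp",
	"ip_vs_nq",
	"ip_vs_wlc",
};

/* Exact-match lookup (hypothetical helper, not the kernel function). */
static int name_allowed(const char * const *list, size_t n, const char *name)
{
	for (size_t i = 0; i < n; i++)
		if (strcmp(list[i], name) == 0)
			return 1;
	return 0;
}

/* Build-time guard: fails to compile if two names merge into one entry. */
_Static_assert(ARRAY_LEN(allowed_after) == 5, "allowlist entry count changed");

int main(void)
{
	/* The merged literal leaves 4 entries and matches neither IPVS name. */
	printf("before: %zu entries, ip_vs=%d ip_vs_ftp=%d\n",
	       ARRAY_LEN(allowed_before),
	       name_allowed(allowed_before, ARRAY_LEN(allowed_before), "ip_vs"),
	       name_allowed(allowed_before, ARRAY_LEN(allowed_before), "ip_vs_ftp"));
	printf("after:  %zu entries, ip_vs=%d ip_vs_ftp=%d\n",
	       ARRAY_LEN(allowed_after),
	       name_allowed(allowed_after, ARRAY_LEN(allowed_after), "ip_vs"),
	       name_allowed(allowed_after, ARRAY_LEN(allowed_after), "ip_vs_ftp"));
	return 0;
}
```

Clang's -Wstring-concatenation diagnostic is designed to flag a missing comma of this kind in array initializers.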