[Devel] [PATCH RHEL10 COMMIT] ve/sysctl/kmod: fix concatenated "ip_vs" entry in ve0_allowed_mod[]

Konstantin Khorenko khorenko at virtuozzo.com
Mon Jun 15 13:52:48 MSK 2026


The commit is pushed to "branch-rh10-6.12.0-211.16.1.12.x.vz10-ovz" and will appear at git at bitbucket.org:openvz/vzkernel.git
after rh10-6.12.0-211.16.1.el10
------>
commit e8425e2b2c25bb44cb981534ee67329f3f06e72a
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date:   Wed Jun 3 23:53:21 2026 +0200

    ve/sysctl/kmod: fix concatenated "ip_vs" entry in ve0_allowed_mod[]
    
    The "ip_vs" entry in ve0_allowed_mod[] was missing its trailing comma:
    
            /* IPVS */
            "ip_vs"
            "ip_vs_ftp",
    
    C adjacent string-literal concatenation merged the two into a single
    array element "ip_vsip_vs_ftp", so neither "ip_vs" nor "ip_vs_ftp"
    existed as an allowlist entry. module_payload_allowed() matches with
    exact strcmp() against ve0_allowed_mod[], so a container requesting the
    ip_vs (or ip_vs_ftp) module was denied - which also defeated the IPVS
    sockopt autoloading that nf_sockopt_request_module() relies on inside a
    CT (request_module("ip_vs") then failed the allowlist check).
    
    Add the missing comma so both module names become separate entries.
    
    Fixes: 32b28b600df8 ("ve/netfilter: Add autoloading of sockopt modules")
    https://virtuozzo.atlassian.net/browse/VSTOR-132310
    Feature: kmod: whitelist of kernel modules able to autoload upon CT request
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 kernel/module/kmod.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/module/kmod.c b/kernel/module/kmod.c
index cea8ee9c09e2..ed35db21d66e 100644
--- a/kernel/module/kmod.c
+++ b/kernel/module/kmod.c
@@ -295,7 +295,7 @@ static const char * const ve0_allowed_mod[] = {
 	"nfsv4",
 
 	/* IPVS */
-	"ip_vs"
+	"ip_vs",
 	"ip_vs_ftp",
 	"ip_vs_nq",
 	"ip_vs_wlc",
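Review bot: the one-character fix on the "ip_vs" line is correct, but nothing in this hunk guards against the next dropped comma in ve0_allowed_mod[]. Adjacent string literals are valid C, and with the exact strcmp() match the commit message describes, the only symptom is a module quietly refused to containers. Suggest checking the rest of the array for entries whose closing quote is not followed by a comma as part of this change, and considering a build-time guard (clang's -Wstring-concatenation, or an assertion on the expected number of entries) so the allowlist cannot shrink unnoticed. It would also help to state in the message that the bug failed closed: the merged entry caused loads to be denied, not additional modules to be permitted.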


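The failure mode described in the commit message, as an added example that is not part of the commit or of the vzkernel source: a constructed excerpt of the list before and after the fix, checked with an exact strcmp() lookup. The names `allowed_before`, `allowed_after`, `name_allowed`, `allowed_pre_fix` and `allowed_post_fix` are hypothetical, and the entry-count assertion is an assumed guard, not something the patch adds.

```c
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed excerpt of the list before the fix: no comma after "ip_vs". */
static const char * const allowed_before[] = {
	"nfsv4",
	"ip_vs"
	"ip_vs_ftp",
	"ip_vs_nq",
};

/* The same excerpt after the fix. */
static const char * const allowed_after[] = {
	"nfsv4", "ip_vs", "ip_vs_ftp", "ip_vs_nq",
};

/* Guard (an assumption, not in the patch): pin the entry count so a dropped
 * comma, which silently shrinks the array, fails the build. */
_Static_assert(ARRAY_SIZE(allowed_after) == 4, "allowlist entry count changed");

/* Exact-match lookup, the comparison style the commit message describes. */
static int name_allowed(const char * const *list, size_t n, const char *name)
{
	for (size_t i = 0; i < n; i++)
		if (strcmp(list[i], name) == 0)
			return 1;
	return 0;
}

int allowed_pre_fix(const char *name)
{
	return name_allowed(allowed_before, ARRAY_SIZE(allowed_before), name);
}

int allowed_post_fix(const char *name)
{
	return name_allowed(allowed_after, ARRAY_SIZE(allowed_after), name);
}

int main(void)
{
	const char *probe[] = { "ip_vs", "ip_vs_ftp", "ip_vs_nq", "ip_vsip_vs_ftp" };
	for (size_t i = 0; i < ARRAY_SIZE(probe); i++)
		printf("%-16s before=%d after=%d\n", probe[i],
		       allowed_pre_fix(probe[i]), allowed_post_fix(probe[i]));
	return 0;
}
```

Before the fix the array holds three elements, and only the merged string "ip_vsip_vs_ftp" matches in place of the two intended names.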