[Devel] [PATCH RHEL10 COMMIT] ve/sysctl/kmod: fix concatenated "ip_vs" entry in ve0_allowed_mod[]
Konstantin Khorenko
khorenko at virtuozzo.com
Mon Jun 15 13:52:48 MSK 2026
The commit is pushed to "branch-rh10-6.12.0-211.16.1.12.x.vz10-ovz" and will appear at git at bitbucket.org:openvz/vzkernel.git
after rh10-6.12.0-211.16.1.el10
------>
commit e8425e2b2c25bb44cb981534ee67329f3f06e72a
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date: Wed Jun 3 23:53:21 2026 +0200
    ve/sysctl/kmod: fix concatenated "ip_vs" entry in ve0_allowed_mod[]

    The "ip_vs" entry in ve0_allowed_mod[] was missing its trailing comma:

            /* IPVS */
            "ip_vs"
            "ip_vs_ftp",

    C adjacent string-literal concatenation merged the two into a single
    array element "ip_vsip_vs_ftp", so neither "ip_vs" nor "ip_vs_ftp"
    existed as an allowlist entry. module_payload_allowed() matches with
    exact strcmp() against ve0_allowed_mod[], so a container requesting the
    ip_vs (or ip_vs_ftp) module was denied - which also defeated the IPVS
    sockopt autoloading that nf_sockopt_request_module() relies on inside a
    CT (request_module("ip_vs") then failed the allowlist check).

    Add the missing comma so both module names become separate entries.

Fixes: 32b28b600df8 ("ve/netfilter: Add autoloading of sockopt modules")
https://virtuozzo.atlassian.net/browse/VSTOR-132310
Feature: kmod: whitelist of kernel modules able to autoload upon CT request
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
kernel/module/kmod.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/module/kmod.c b/kernel/module/kmod.c
index cea8ee9c09e2..ed35db21d66e 100644
--- a/kernel/module/kmod.c
+++ b/kernel/module/kmod.c
@@ -295,7 +295,7 @@ static const char * const ve0_allowed_mod[] = {
"nfsv4",
/* IPVS */
- "ip_vs"
+ "ip_vs",
"ip_vs_ftp",
"ip_vs_nq",
"ip_vs_wlc",
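Review bot: the added comma after "ip_vs" is correct, but nothing in this hunk keeps the same mistake from recurring elsewhere in ve0_allowed_mod[]. A missing comma between two entries compiles without error and, because the lookup is an exact strcmp(), only shows up as a denied request_module() inside a CT. Please confirm that the rest of the array (beyond the "nfsv4" .. "ip_vs_wlc" lines visible here) was checked for other adjacent literals, and say so in the commit message. A follow-up that catches this at build or test time would also help, for instance a check that every entry the IPVS sockopt autoload path requests is present in the table as its own element.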
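An added example, not part of the commit or of the vzkernel tree: a small scanner that flags string literals separated only by whitespace or comments, which is the pattern the commit message describes. The function name count_adjacent_literals() is hypothetical, and the two inputs are constructed from the lines visible in the hunk. It does not handle character literals such as '"', which is sufficient for string tables like this one.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: count places where two string literals are separated
 * only by whitespace or comments, so the compiler will merge them. */
static int count_adjacent_literals(const char *s)
{
	int hits = 0, prev_literal = 0;

	while (*s) {
		if (s[0] == '/' && s[1] == '*') {        /* block comment */
			const char *end = strstr(s + 2, "*/");
			if (!end)
				break;
			s = end + 2;
		} else if (s[0] == '/' && s[1] == '/') { /* line comment */
			while (*s && *s != '\n')
				s++;
		} else if (*s == '"') {                  /* string literal */
			hits += prev_literal;
			for (s++; *s && *s != '"'; s++)
				if (*s == '\\' && s[1])
					s++;             /* skip escaped character */
			if (*s)
				s++;                     /* closing quote */
			prev_literal = 1;
		} else {
			if (!strchr(" \t\r\n", *s))
				prev_literal = 0;        /* comma or any other token */
			s++;
		}
	}
	return hits;
}

/* Constructed inputs: the table excerpt from the hunk, before and after. */
static const char before_fix[] =
	"\"nfsv4\",\n/* IPVS */\n\"ip_vs\"\n\"ip_vs_ftp\",\n\"ip_vs_nq\",\n";
static const char after_fix[] =
	"\"nfsv4\",\n/* IPVS */\n\"ip_vs\",\n\"ip_vs_ftp\",\n\"ip_vs_nq\",\n";

int main(void)
{
	printf("before: %d suspicious concatenation(s)\n",
	       count_adjacent_literals(before_fix));
	printf("after:  %d suspicious concatenation(s)\n",
	       count_adjacent_literals(after_fix));
	return 0;
}
```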