From: Konstantin Khorenko <khore...@virtuozzo.com>

ve/kmod/whitelist: Allow iptables/netfilter modules for autoload from CT
For now the following modules are allowed by default to be autoloaded upon
indirect request from inside a Container:

* iptables/ip6tables core modules
* netfilter core modules (including nf_tables_inet)
  https://jira.sw.ru/browse/PSBM-99406
* xt_*, ipt_*, ip6t_*, arpt_*, nft-chain-*, nft-expr-*, nf-logger-* modules
* ebt* modules: previously we allowed to autoload ebt_* modules only upon
  request from inside a Container, but there are several ebtables_* modules
  to be allowed as well, thus allow all ebt* modules for that.
  (The default CentOS7.3 firewalld service inside a CT complains about that)
  https://jira.sw.ru/browse/PSBM-66435
* all nf_* and nft_* modules
  https://jira.sw.ru/browse/PSBM-99536
  https://jira.sw.ru/browse/PSBM-127787

Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com>

It's a port of the following vz7 commits:
* 3a4142e ("ve/kmod: Port autoloading from CT") (partially)
* f9422b8 ("ve/kmod: Add rules for autoloading (new) nf_tables")
* ccd1a1d ("ve/kmod: Add rules for new {ip, ip6, x}table modules")
* fe6a9073 ("ve/kmod: allow to autoload nf_log_ipv[46]")
* b221ce6 ("ve/kmod/ebtable: allow to autoload ebtable_* modules from inside a CT")
* 24f61ddc955f ("ve/kmod: enable autoload for nf_tables_inet module from inside a CT")
* 0995da4719da ("ve/kmod: make all nf_* and nft_* autoloadable upon request from a CT")

Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com>
---
 kernel/kmod.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/kernel/kmod.c b/kernel/kmod.c
index 7915397fcf46..7472184200f2 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -202,6 +202,35 @@ EXPORT_SYMBOL(__request_module); /* ve0 allowed modules */ static const char * const ve0_allowed_mod[] = { + "ip_tables", + "ip6_tables", + "iptable_filter", + "iptable_raw", + "iptable_nat", + "iptable_mangle", + "ip6table_filter", + "ip6table_nat", + "ip6table_mangle", + + "nf-nat", + "nf_conncount", + "nf_defrag_ipv4", + "nf_defrag_ipv6", + "nf_dup_ipv4", + "nf_dup_ipv6", + "nf_dup_netdev", + "nf_flow_table", + "nf-flowtable-1", + "nf_flow_table_inet", + "nf_osf", + "nf_reject_ipv6", + "nf_socket_ipv4", + "nf_socket_ipv6", + "nf_synproxy_core", + + "nft-set", + "nf_tproxy_ipv4", + "nf_tproxy_ipv6", }; /* @@ -223,6 +252,23 @@ bool module_payload_allowed(const char *module) return true; } + /* modules allowed by name/alias masks */ + if (!strncmp("xt_", module, 3) || + !strncmp("ip_conntrack", module, 12) || + !strncmp("ip_nat_", module, 7) || + !strncmp("ipt_", module, 4) || + !strncmp("ip6t_", module, 5) || + !strncmp("arpt_", module, 5) || + !strncmp("ebt", module, 4) || + !strncmp("nft-chain-", module, 10) || + !strncmp("nft-expr-", module, 9) || + !strncmp("nf_nat", module, 6) || + !strncmp("nf_log_", module, 7) || + !strncmp("nf-logger-", module, 10) || + !strncmp("nf_conntrack", module, 12) || + !strncmp("nfct-helper-", module, 12)) + return true; + return false; } #endif /* CONFIG_VE */ _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
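Review bot: the new ve0_allowed_mod[] entries in the first hunk enumerate specific nf_* modules and aliases ("nf-nat", "nf-flowtable-1", "nft-set", "nf_conncount", "nf_tproxy_ipv4", ...), but the commit message says "all nf_* and nft_* modules" are now allowed; neither this hunk nor the mask hunk adds an nf_*/nft_* prefix rule, so the description overstates what the patch does. The explicit list is the safer shape, since every name here ends up loaded into the host kernel on a container's request, so please reword the message to describe what is actually whitelisted rather than widening the code to match the text.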
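Review bot: `!strncmp("ebt", module, 4)` in the mask hunk is wrong: the length argument is 4 but the literal is only 3 characters, so the comparison includes the terminating NUL and matches only a module named exactly "ebt"; "ebt_*" and "ebtables_*", which the commit message says this patch is meant to allow, are still rejected. Use `!strncmp("ebt", module, 3)`, or better, replace the hand-counted lengths throughout with `strstarts(module, "ebt")` so the prefix length cannot drift from the literal. Also worth stating in the message that the "nf_conntrack" and "nf_nat" prefixes match every nf_conntrack_*/nf_nat_* helper module, so any helper added to the tree later becomes container-loadable without a further review of this list.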