On 22.08.2015 17:51, Vladimir Davydov wrote:
> These modules are required for adding the LOG iptables target.
>
> In PCS6 the LOG target is provided by ipt_LOG (in case of ipv4) or
> ip6t_LOG (in case of ipv6) module. In Vz7 it is split between xt_LOG
> (generic) and nf_log_ipv[46] (ipv[46] specific) with ipt_LOG and
> ip6t_LOG being aliases for xt_LOG.
>
> As in PCS6, in Vz7 we load ip{,6}t_LOG on IP{,6}T_SO_SET_REPLACE
> setsockopt, but in contrast to PCS6, this actually loads xt_LOG
> containing only generic implementation. The ipv[46] part is loaded by
> the xt_target->checkentry virtual method, which is log_tg_check in case
> of xt_LOG. The log_tg_check function loads the modules by name
> "nf-logger-<addr-family>-<type>".
>
> Since the type is 0 for ipv[46] LOG target, we should allow to load the
> following modules from inside a container:
>
> - nf-logger-2-0 for ipv4 (AF_INET)
> - nf-logger-10-0 for ipv6 (AF_INET6)
>
> https://jira.sw.ru/browse/PSBM-38573
>
> Signed-off-by: Vladimir Davydov <vdavy...@parallels.com>
Acked-by: Kirill Tkhai <ktk...@odin.com>
> ---
> kernel/kmod.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/kernel/kmod.c b/kernel/kmod.c
> index e0554f819b2d..7a552617b39f 100644
> --- a/kernel/kmod.c
> +++ b/kernel/kmod.c
> @@ -294,6 +294,8 @@ static struct {
>
> { "nft-expr-2-reject", VE_IP_IPTABLES },
> { "nft-expr-10-reject", VE_IP_IPTABLES6 },
> + { "nf-logger-2-0", VE_IP_IPTABLES },
> + { "nf-logger-10-0", VE_IP_IPTABLES6 },
> };
>
> /*
>
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
