The commit is pushed to "branch-rh7-3.10.0-327.18.2.vz7.14.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.18.2.vz7.14.19
------>
commit a387508fcb761c893c0e70bf20356f5bd879a8dd
Author: Vasily Averin <v...@virtuozzo.com>
Date: Fri Jun 24 14:22:24 2016 +0400

ve/net: enable IPPROTO_ICMP inside Containers

iputils-ping 20150815 fails inside containers because socket(PF_INET, SOCK_DGRAM, IPPROTO_ICMP) is restricted by vz_security_protocol_check().

The patch enables creation of such sockets inside containers. By default sys_socket still fails because of the default setting of sysctl net.ipv4.ping_group_range; however, it's enough for iputils-ping 20150815. Its fallback handles this situation and successfully creates a RAW socket.

In mainline it is enabled in MS kernel v3.13+, see:
commit fd2d5356d902 ("ipv4: Allow unprivileged users to use per net sysctls")
In the future we're going to backport this patch and add its save/restore into criu.

https://bugs.openvz.org/browse/OVZ-6744
https://jira.sw.ru/browse/PSBM-47413

Signed-off-by: Vasily Averin <v...@virtuozzo.com>
Acked-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
--- kernel/ve/ve.c | 1 + 1 file changed, 1 insertion(+) diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c index d196e3e..b5399e1 100644 --- a/kernel/ve/ve.c +++ b/kernel/ve/ve.c @@ -227,6 +227,7 @@ int vz_security_protocol_check(struct net *net, int protocol) switch (protocol) { case IPPROTO_IP: + case IPPROTO_ICMP: case IPPROTO_TCP: case IPPROTO_UDP: case IPPROTO_RAW:
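
Review bot: the added "case IPPROTO_ICMP:" in vz_security_protocol_check() has no comment saying why the protocol is safe to allow inside a container, and because the function only receives (net, protocol) it admits this protocol number for every socket type, not just the SOCK_DGRAM ping socket the commit message is about. Please add a short comment at the new case stating that ping sockets remain gated by net.ipv4.ping_group_range, and note in the commit message which check still restricts SOCK_RAW with IPPROTO_ICMP, since that check is not visible in this hunk. The visible context lines also show no IPPROTO_ICMPV6 case; if IPv6 ping sockets are expected to behave the same way, it is worth confirming whether that protocol is handled further down the switch or needs the same treatment.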