On 03.08.2016 17:12, Andrey Ryabinin wrote:
> Currently autoloading of the ip6table_raw module is forbidden
> from container, leading to:
> ip6tables-restore v1.4.21: ip6tables-restore: unable to initialize table
> 'raw'
>
> If use of ip6tables is allowed in container, autoloading of the ip6tables_raw
> has to be permitted as well.
>
> https://jira.sw.ru/browse/PSBM-50548
>
> Signed-off-by: Andrey Ryabinin <aryabi...@virtuozzo.com>
Acked-by: Kirill Tkhai <ktk...@virtuozzo.com> > --- > kernel/kmod.c | 1 + > net/ipv6/netfilter/ip6table_raw.c | 3 +++ > 2 files changed, 4 insertions(+) > > diff --git a/kernel/kmod.c b/kernel/kmod.c > index 5e5c2c6..d2c16a9 100644 > --- a/kernel/kmod.c > +++ b/kernel/kmod.c > @@ -213,6 +213,7 @@ static struct { > { "ip6table_filter", VE_IP_FILTER6 }, > { "ip6table_nat", VE_IP_NAT }, > { "ip6table_mangle", VE_IP_MANGLE6 }, > + { "ip6table_raw", VE_IP_IPTABLES6 }, > > { "xt_CONNMARK", VE_NF_CONNTRACK|VE_IP_CONNTRACK }, > { "xt_CONNSECMARK", VE_NF_CONNTRACK|VE_IP_CONNTRACK }, > diff --git a/net/ipv6/netfilter/ip6table_raw.c > b/net/ipv6/netfilter/ip6table_raw.c > index 8cf2a39..271835d 100644 > --- a/net/ipv6/netfilter/ip6table_raw.c > +++ b/net/ipv6/netfilter/ip6table_raw.c > @@ -34,6 +34,9 @@ static int __net_init ip6table_raw_net_init(struct net *net) > { > struct ip6t_replace *repl; > > + if (!net_ipt_permitted(net, VE_IP_IPTABLES6)) > + return 0; > + > repl = ip6t_alloc_initial_table(&packet_raw); > if (repl == NULL) > return -ENOMEM; > _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
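Review bot: in the kernel/kmod.c hunk the new entry `{ "ip6table_raw", VE_IP_IPTABLES6 }` is gated on the generic ip6tables permission, whereas the neighbouring entries each use a table-specific mask (`VE_IP_FILTER6`, `VE_IP_NAT`, `VE_IP_MANGLE6`). The effect is that any container allowed to use ip6tables at all also gets the raw table, which is what the commit message asks for, but it is a broader grant than the other tables receive and deserves a one-line comment next to the entry so the deliberate choice is not later "fixed" by someone aligning it with its neighbours. While here, the commit message spells the module `ip6tables_raw`, but the table entry and module are `ip6table_raw`; the message should use the real name so it can be grepped.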
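Review bot: in the ip6table_raw.c hunk, `ip6table_raw_net_init()` now returns 0 before `ip6t_alloc_initial_table()` when `net_ipt_permitted(net, VE_IP_IPTABLES6)` is false, so the table is never registered for that netns yet the init is reported as successful. The matching `__net_exit` path is not in the diff and must tolerate a table that was never registered (a NULL table pointer on unregister, or the same `net_ipt_permitted()` check mirrored there); please confirm it does, or add the symmetric guard in the same patch. The mask used here does match the `VE_IP_IPTABLES6` added in kmod.c, so the autoload allow-list and the per-netns check agree on which containers see the table.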