The commit is pushed to "branch-rh7-3.10.0-327.22.2.vz7.16.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.22.2.vz7.16.2
------>
commit c53d38b8c89d9f47f4ed365e5941c7a1d1fa4004
Author: Andrey Ryabinin <aryabi...@virtuozzo.com>
Date:   Fri Aug 5 19:21:05 2016 +0400
ve/net/ip6tables: fix autoloading of the ip6table_raw module from CT Currently autoloading of the ip6table_raw module is forbidden from container, leading to: ip6tables-restore v1.4.21: ip6tables-restore: unable to initialize table 'raw' If use of ip6tables is allowed in container, autoloading of the ip6tables_raw has to be permitted as well. https://jira.sw.ru/browse/PSBM-50548 Signed-off-by: Andrey Ryabinin <aryabi...@virtuozzo.com> Acked-by: Kirill Tkhai <ktk...@virtuozzo.com> --- kernel/kmod.c | 1 + net/ipv6/netfilter/ip6table_raw.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/kernel/kmod.c b/kernel/kmod.c index 5e5c2c6..d2c16a9 100644 --- a/kernel/kmod.c +++ b/kernel/kmod.c @@ -213,6 +213,7 @@ static struct { { "ip6table_filter", VE_IP_FILTER6 }, { "ip6table_nat", VE_IP_NAT }, { "ip6table_mangle", VE_IP_MANGLE6 }, + { "ip6table_raw", VE_IP_IPTABLES6 }, { "xt_CONNMARK", VE_NF_CONNTRACK|VE_IP_CONNTRACK }, { "xt_CONNSECMARK", VE_NF_CONNTRACK|VE_IP_CONNTRACK }, diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c index 8cf2a39..271835d 100644 --- a/net/ipv6/netfilter/ip6table_raw.c +++ b/net/ipv6/netfilter/ip6table_raw.c @@ -34,6 +34,9 @@ static int __net_init ip6table_raw_net_init(struct net *net) { struct ip6t_replace *repl; + if (!net_ipt_permitted(net, VE_IP_IPTABLES6)) + return 0; + repl = ip6t_alloc_initial_table(&packet_raw); if (repl == NULL) return -ENOMEM; _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
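Review bot: in the kernel/kmod.c hunk the new entry `{ "ip6table_raw", VE_IP_IPTABLES6 }` is gated on the table-wide ip6tables mask, while its neighbours `ip6table_filter`, `ip6table_nat` and `ip6table_mangle` each carry a per-table bit (VE_IP_FILTER6, VE_IP_NAT, VE_IP_MANGLE6). If the intent is that raw becomes loadable from a container as soon as ip6tables is permitted at all, as the commit message says, a short comment on that line would spare the next reader a trip to the commit log; if instead a per-table bit exists for the IPv4 iptable_raw entry (not visible in this hunk), the IPv6 entry should mirror it so the two families are gated the same way. Minor: the commit message names the module "ip6tables_raw" while the table entry (correctly) uses "ip6table_raw".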
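Review bot: in the net/ipv6/netfilter/ip6table_raw.c hunk, `if (!net_ipt_permitted(net, VE_IP_IPTABLES6)) return 0;` makes ip6table_raw_net_init succeed without ever reaching `ip6t_alloc_initial_table(&packet_raw)`, so in a non-permitted container the per-net raw table is never registered. The matching per-net exit function is not in the hunk; please confirm it tolerates an unregistered table (a NULL table pointer) rather than unconditionally unregistering, otherwise netns teardown of such a container will hit that path. Also good to note that the mask checked here matches the one added to kernel/kmod.c (VE_IP_IPTABLES6); the two must stay in sync, so a comment pointing at the kmod.c table would help whoever next touches either side.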