[Devel,rh7] ve/net/sctp: allow using SCTP inside Containers

Submitted by Konstantin Khorenko on Sept. 12, 2016, 2 p.m.

Details

Message ID 1473688821-14775-1-git-send-email-khorenko@virtuozzo.com
State New
Series "ve/net/sctp: allow using SCTP inside Containers"

Commit Message

Konstantin Khorenko Sept. 12, 2016, 2 p.m.
SCTP support of network namespaces appeared in 3.7 kernel =>
all we need is to enable it inside Containers.

Note 1: the sctp module is NOT included in the autoload modules list
=> the hoster needs to preload the "sctp" module on the host before
CT owners are able to use it. This is done on purpose and is not going
to be changed for a while. Reason: too many security issues were found
in the sctp protocol implementation last year.

Note 2: CRIU does not support SCTP => online migration is known to fail
in case SCTP sockets are used.

https://lwn.net/Articles/509992/

https://jira.sw.ru/browse/PSBM-51186
https://bugs.openvz.org/browse/OVZ-3547

Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
---
 kernel/ve/ve.c | 1 +
 1 file changed, 1 insertion(+)


diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 0461790..8afff3d 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -216,6 +216,7 @@  int vz_security_protocol_check(struct net *net, int protocol)
 	case  IPPROTO_GRE:
 	case  IPPROTO_ESP:
 	case  IPPROTO_AH:
+	case  IPPROTO_SCTP:
 		return 0;
 	default:
 		return -EAFNOSUPPORT;
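
Review bot: the added `case  IPPROTO_SCTP:` label has no comment, and it falls through to the same unconditional `return 0;` as GRE, ESP and AH, so nothing in vz_security_protocol_check() records that SCTP is meant to stay opt-in. The commit message says the only gate is that the sctp module is deliberately left out of the autoload list because of past security issues in the implementation; that constraint lives outside this function and would be lost silently if the module were ever added to that list. Please add a short comment above the new case stating that SCTP is permitted here only because the module must be preloaded by the host administrator, and mention the CRIU limitation from Note 2 there as well, so a later reader of ve.c sees both conditions without digging through the changelog.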