[CRIU] [PATCH v4] net: Add ip rule save/restore

Kirill Tkhai ktkhai at odin.com
Fri Oct 23 10:06:05 PDT 2015


Add support for saving and restoring ip rules. This relies on new
iproute2 functionality which is already in the iproute2 git tree:

http://git.kernel.org/cgit/linux/kernel/git/shemminger/iproute2.git/commit/?id=2f4e171f7df22107b38fddcffa56c1ecb5e73359

v2: Use xstrdup() instead of strdup().
v3: Use open/close instead of helper.
v4: Return -1 on empty dump.

Signed-off-by: Kirill Tkhai <ktkhai at odin.com>
---
 image-desc.c         |    1 +
 include/image-desc.h |    1 +
 include/magic.h      |    1 +
 net.c                |   53 ++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 56 insertions(+)

diff --git a/image-desc.c b/image-desc.c
index 6d9f38c..d5cc132 100644
--- a/image-desc.c
+++ b/image-desc.c
@@ -74,6 +74,7 @@ struct cr_fd_desc_tmpl imgset_template[CR_FD_MAX] = {
 	FD_ENTRY_F(IFADDR,	"ifaddr-%d", O_NOBUF),
 	FD_ENTRY_F(ROUTE,	"route-%d", O_NOBUF),
 	FD_ENTRY_F(ROUTE6,	"route6-%d", O_NOBUF),
+	FD_ENTRY_F(RULE,	"rule-%d", O_NOBUF),
 	FD_ENTRY_F(IPTABLES,	"iptables-%d", O_NOBUF),
 	FD_ENTRY_F(TMPFS_IMG,	"tmpfs-%d.tar.gz", O_NOBUF),
 	FD_ENTRY_F(TMPFS_DEV,	"tmpfs-dev-%d.tar.gz", O_NOBUF),
diff --git a/include/image-desc.h b/include/image-desc.h
index a76b48f..cb45b20 100644
--- a/include/image-desc.h
+++ b/include/image-desc.h
@@ -40,6 +40,7 @@ enum {
 	CR_FD_IFADDR,
 	CR_FD_ROUTE,
 	CR_FD_ROUTE6,
+	CR_FD_RULE,
 	CR_FD_IPTABLES,
 	CR_FD_NETNS,
 	_CR_FD_NETNS_TO,
diff --git a/include/magic.h b/include/magic.h
index e7826d1..2af614b 100644
--- a/include/magic.h
+++ b/include/magic.h
@@ -93,6 +93,7 @@
 #define IFADDR_MAGIC		RAW_IMAGE_MAGIC
 #define ROUTE_MAGIC		RAW_IMAGE_MAGIC
 #define ROUTE6_MAGIC		RAW_IMAGE_MAGIC
+#define RULE_MAGIC		RAW_IMAGE_MAGIC
 #define TMPFS_IMG_MAGIC		RAW_IMAGE_MAGIC
 #define TMPFS_DEV_MAGIC		RAW_IMAGE_MAGIC
 #define IPTABLES_MAGIC		RAW_IMAGE_MAGIC
diff --git a/net.c b/net.c
index 8473742..2949521 100644
--- a/net.c
+++ b/net.c
@@ -588,6 +588,27 @@ static inline int dump_route(struct cr_imgset *fds)
 	return 0;
 }
 
+static inline int dump_rule(struct cr_imgset *fds)
+{
+	struct cr_img *img;
+	char *path;
+
+	img = img_from_set(fds, CR_FD_RULE);
+	path = xstrdup(img->path);
+
+	if (!path)
+		return -1;
+
+	if (run_ip_tool("rule", "save", NULL, -1, img_raw_fd(img))) {
+		pr_err("Check if \"ip rule save\" is supported!\n");
+		unlinkat(get_service_fd(IMG_FD_OFF), path, 0);
+	}
+
+	free(path);
+
+	return 0;
+}
+
 static inline int dump_iptables(struct cr_imgset *fds)
 {
 	struct cr_img *img = img_from_set(fds, CR_FD_IPTABLES);
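Review bot: dump_rule() returns 0 even when `run_ip_tool("rule", "save", NULL, -1, img_raw_fd(img))` fails, so dump_net_ns() sees a successful dump although the policy-routing rules were not saved and the image was unlinked. If those rules steer or isolate traffic, the restored namespace would presumably come up with only the kernel defaults and nothing at restore time says so. Either return -1 from that branch (after `free(path)`) or state the best-effort intent in a comment such as `/* iproute2 without "ip rule save": drop the image and dump without rules */`. The `unlinkat()` result is also ignored; if it fails, a partially written image may remain in the image directory, so at least log it with `pr_perror()` or `pr_err()`.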
@@ -657,6 +678,34 @@ static inline int restore_route(int pid)
 	return 0;
 }
 
+static inline int restore_rule(int pid)
+{
+	struct cr_img *img;
+	int ret = 0;
+
+	img = open_image(CR_FD_RULE, O_RSTR, pid);
+	if (!img)
+		goto out;
+	if (empty_image(img)) {
+		ret = -1;
+		goto close;
+	}
+	/*
+	 * Delete 3 default rules to prevent duplicates. See kernel's
+	 * function fib_default_rules_init() for the details.
+	 */
+	run_ip_tool("rule", "delete", NULL, -1, -1);
+	run_ip_tool("rule", "delete", NULL, -1, -1);
+	run_ip_tool("rule", "delete", NULL, -1, -1);
+
+	if (restore_ip_dump(CR_FD_RULE, pid, "rule"))
+		ret = -1;
+close:
+	close_image(img);
+out:
+	return ret;
+}
+
 static inline int restore_iptables(int pid)
 {
 	int ret = -1;
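Review bot: restore_rule() reports success when `open_image()` fails, because `ret` is still 0 at `if (!img) goto out;`, while an empty image is treated as an error. That branch should read `if (!img) { ret = -1; goto out; }`, or carry a comment saying why a missing handle is tolerated. The three `run_ip_tool("rule", "delete", NULL, -1, -1)` calls also discard their results, so a failed delete goes unnoticed and the restore would continue with default rules left next to the dumped ones; check them, e.g. `if (run_ip_tool("rule", "delete", NULL, -1, -1)) pr_err("Can't delete default ip rule\n");`. How this interacts with the dump path that unlinks the image when `ip rule save` fails depends on how open_image() and empty_image() report a missing file, which this hunk does not show.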
@@ -759,6 +808,8 @@ int dump_net_ns(int ns_id)
 	if (!ret)
 		ret = dump_route(fds);
 	if (!ret)
+		ret = dump_rule(fds);
+	if (!ret)
 		ret = dump_iptables(fds);
 
 	close(ns_sysfs_fd);
@@ -784,6 +835,8 @@ int prepare_net_ns(int pid)
 	if (!ret)
 		ret = restore_route(pid);
 	if (!ret)
+		ret = restore_rule(pid);
+	if (!ret)
 		ret = restore_iptables(pid);
 
 	close(ns_fd);


