[CRIU] [PATCH] dump: preload netfilter modules too
Tycho Andersen
tycho.andersen at canonical.com
Fri Feb 26 08:41:32 PST 2016
As with the socket diag modules, since we might be using the
ip*filter_tables modules, we should preload those as well, in case the host
system hasn't already loaded them. Really, I should implement netlink
buffer dumping so we can get rid of this hack :)
Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
---
criu/crtools.c | 2 ++
criu/include/netfilter.h | 2 ++
criu/netfilter.c | 18 ++++++++++++++++++
3 files changed, 22 insertions(+)
diff --git a/criu/crtools.c b/criu/crtools.c
index a6076b7..a8ddb82 100644
--- a/criu/crtools.c
+++ b/criu/crtools.c
@@ -28,6 +28,7 @@
#include "files.h"
#include "sk-inet.h"
#include "net.h"
+#include "netfilter.h"
#include "version.h"
#include "page-xfer.h"
#include "tty.h"
@@ -643,6 +644,7 @@ int main(int argc, char *argv[], char *envp[])
if (!strcmp(argv[optind], "dump")) {
preload_socket_modules();
+ preload_netfilter_modules();
if (!tree_id)
goto opt_pid_missing;
diff --git a/criu/include/netfilter.h b/criu/include/netfilter.h
index f3667fc..35ef262 100644
--- a/criu/include/netfilter.h
+++ b/criu/include/netfilter.h
@@ -8,4 +8,6 @@ extern int nf_unlock_connection(struct inet_sk_desc *);
struct inet_sk_info;
extern int nf_unlock_connection_info(struct inet_sk_info *);
+extern void preload_netfilter_modules(void);
+
#endif /* __CR_NETFILTER_H__ */
diff --git a/criu/netfilter.c b/criu/netfilter.c
index 95e18aa..5c04526 100644
--- a/criu/netfilter.c
+++ b/criu/netfilter.c
@@ -26,6 +26,24 @@ static const char *nf_conn_cmd = "%s -t filter %s %s --protocol tcp "
static char iptable_cmd_ipv4[] = "iptables";
static char iptable_cmd_ipv6[] = "ip6tables";
+void preload_netfilter_modules(void)
+{
+ int fd;
+
+ /* same as socket modules, ip_tables and ip6_tables will be loaded by
+ * CRIU, so we should try and preload these as well.
+ */
+ fd = open("/dev/null", O_RDWR);
+ if (fd < 0) {
+ fd = -1;
+ pr_perror("failed to open /dev/null, using log fd for net module preload");
+ }
+ cr_system(fd, fd, fd, iptable_cmd_ipv4,
+ (char *[]) { iptable_cmd_ipv4, "-L", NULL}, 0);
+ cr_system(fd, fd, fd, iptable_cmd_ipv6,
+ (char *[]) { iptable_cmd_ipv6, "-L", NULL}, 0);
+}
+
static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,
u32 *dst_addr, u16 dst_port,
bool input, bool lock)
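Review bot: The descriptor opened on /dev/null in preload_netfilter_modules() is never closed in this hunk, so unless cr_system() closes it (not visible here) it stays open in the dumping process after both calls return; add `if (fd >= 0) close(fd);` before the closing brace. Both cr_system() return values are discarded, which is fine for a best-effort preload, but a comment such as `/* best effort: a failure here only means the modules are not preloaded */` would make that intent explicit. `iptables` and `ip6tables` are given without a path, so if cr_system() resolves them through PATH, a dump run as root depends on the caller's environment; worth confirming, or using an absolute path. Listing with `-L` alone also lets iptables resolve rule addresses to names, which can stall the dump on a host with slow DNS, and `"-L", "-n"` avoids that. The trailing context lines belong to nf_connection_switch_raw(), whose body continues outside the hunk.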
--
2.7.0