[CRIU] [PATCH] net/iptables: check iptables command has wait option

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Wed Jun 15 07:53:44 PDT 2016


CRIU-3.11 job's environment has iptables version <=v1.4.19. As there
was no xtables locking and no --wait option before v1.4.20, criu fails.

From dump log:
(00.038399) Error (util.c:665): exited, status=2
(00.038434) Error (netfilter.c:88): Iptables configuration failed: Success

From docs: "invalid or abused command line parameters cause an exit code of 2"

Tested with:
iptables --version
iptables v1.4.19.1

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 criu/netfilter.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/criu/netfilter.c b/criu/netfilter.c
index 2c3acd6..9288395 100644
--- a/criu/netfilter.c
+++ b/criu/netfilter.c
@@ -20,8 +20,9 @@ static char buf[512];
  * ANy brave soul to write it using xtables-devel?
  */
 
-static const char *nf_conn_cmd = "%s -w -t filter %s %s --protocol tcp "
+static const char *nf_conn_cmd = "%s %s -t filter %s %s --protocol tcp "
 	"--source %s --sport %d --destination %s --dport %d -j DROP";
+static const char *nf_check_has_wait_option_cmd = "iptables -w -L";
 
 static char iptable_cmd_ipv4[] = "iptables";
 static char iptable_cmd_ipv6[] = "ip6tables";
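Review bot: the probe string `nf_check_has_wait_option_cmd = "iptables -w -L"` hardcodes `iptables`, but this function selects `cmd` per address family from `iptable_cmd_ipv4` / `iptable_cmd_ipv6`, so for AF_INET6 the `-w` decision is taken against a different binary than the one that will run the rule; format the probe with the same `cmd` that `nf_conn_cmd` gets, e.g. `"%s -w -L"`. Listing the whole filter table is also heavier than the check needs: `-L` resolves and prints every rule, so at least `-w -L -n` with the output discarded would keep the probe cheap.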
@@ -53,6 +54,7 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,
 	char *cmd;
 	char *argv[4] = { "sh", "-c", buf, NULL };
 	int ret;
+	int nowait = 0;
 
 	switch (family) {
 	case AF_INET:
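Review bot: `nowait` is a fresh local on every call, so the probe run below repeats for each connection that is locked and again when it is unlocked, although the installed iptables cannot change during a dump; compute it once into a `static int` (for example -1 unknown, 0 has `-w`, 1 no `-w`) on first use and reuse it.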
@@ -72,7 +74,14 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,
 		return -1;
 	}
 
+	snprintf(buf, sizeof(buf), nf_check_has_wait_option_cmd);
+
+	ret = cr_system(-1, -1, -1, "sh", argv, CRS_CAN_FAIL);
+	if (ret == -1)
+		nowait = 1;
+
 	snprintf(buf, sizeof(buf), nf_conn_cmd, cmd,
+			nowait ? "" : "-w",
 			lock ? "-A" : "-D",
 			input ? "INPUT" : "OUTPUT",
 			dip, (int)dst_port, sip, (int)src_port);
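Review bot: `snprintf(buf, sizeof(buf), nf_check_has_wait_option_cmd);` passes a non-literal string as the format with no arguments, which trips `-Wformat-security` and would misbehave if a `%` ever appears in the probe; write `snprintf(buf, sizeof(buf), "%s", nf_check_has_wait_option_cmd);` or a plain string copy. Since the command runs through `sh -c` (see `argv`), appending `>/dev/null 2>&1` to the probe string keeps the unneeded rule listing out of wherever `cr_system()` points fd 1 and fd 2. Also, `ret == -1` treats every failure of the probe, including a missing `sh` or iptables binary, as "no -w"; that is the safe direction (the real rule then fails on its own with a logged error), but a one-line comment saying so would help the next reader.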
-- 
2.5.5
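As an added example (this is not CRIU's code and not part of the patch above), a POSIX sh helper that decides whether to pass `-w` by parsing the output of `iptables --version` and comparing it against 1.4.20, the version the patch description names as the first with the xtables lock and `--wait`. This avoids running a table listing just to probe the flag. The function names, the sample version lines and the `iptables_wait_flag` wrapper are this example's own.

```shell
#!/bin/sh
# Added example, not CRIU code: pick the "-w" flag for iptables/ip6tables from
# the version the binary reports instead of probing with "iptables -w -L".
# The 1.4.20 threshold is the one given in the patch description above.

# iptables_wait_flag_for VERSION_LINE
#   VERSION_LINE is a line as printed by "iptables --version",
#   e.g. "iptables v1.4.19.1" or "iptables v1.8.7 (nf_tables)".
#   Prints "-w" when the version is 1.4.20 or newer, prints nothing when it
#   is older, and returns 1 (printing nothing) when the line cannot be parsed.
iptables_wait_flag_for() {
    line=$1
    ver=${line#*v}          # drop everything up to and including the 'v'
    ver=${ver%% *}          # drop a trailing " (nf_tables)" style suffix
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # must be a dotted numeric version
    esac

    # split "MAJOR.MINOR.PATCH[.EXTRA]" on dots; missing parts count as 0
    old_ifs=$IFS
    IFS=.
    set -- $ver
    IFS=$old_ifs
    major=$1
    minor=${2:-0}
    patch=${3:-0}

    # -w exists from 1.4.20 on; the fourth component (1.4.19.1) never matters
    if [ "$major" -gt 1 ] ||
       { [ "$major" -eq 1 ] && [ "$minor" -gt 4 ]; } ||
       { [ "$major" -eq 1 ] && [ "$minor" -eq 4 ] && [ "$patch" -ge 20 ]; }; then
        printf '%s\n' -w
    fi
    return 0
}

# iptables_wait_flag CMD
#   Runs "CMD --version" for a real binary (iptables or ip6tables) and prints
#   the flag to use; returns 1 if CMD is not installed or its output is odd.
#   Example use:  iptables $(iptables_wait_flag iptables) -t filter -L -n
iptables_wait_flag() {
    command -v "$1" >/dev/null 2>&1 || return 1
    iptables_wait_flag_for "$("$1" --version 2>/dev/null)"
}
```

Because the decision is made from the version string, the same helper works for `ip6tables` by passing its name, and the result can be computed once and reused for every rule a tool installs.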