[CRIU] [PATCH v2] net/iptables: check iptables command has wait option

Pavel Emelyanov xemul at virtuozzo.com
Wed Jun 15 09:14:20 PDT 2016


On 06/15/2016 07:05 PM, Pavel Tikhomirov wrote:
> CRIU-3.11 job's environment has iptables version <=v1.4.19. As there
> was no xtables locking and no --wait option before v1.4.20, criu fails.
> 
> From dump log:
> (00.038399) Error (util.c:665): exited, status=2
> (00.038434) Error (netfilter.c:88): Iptables configuration failed: Success
> 
> From docs: "invalid or abused command line parameters cause an exit code of 2"
> 
> Tested with:
> iptables --version
> iptables v1.4.19.1
> 
> v2: fix compilation warning for snprintf
> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
> ---
>  criu/netfilter.c | 11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/criu/netfilter.c b/criu/netfilter.c
> index 2c3acd6..1662da4 100644
> --- a/criu/netfilter.c
> +++ b/criu/netfilter.c
> @@ -20,8 +20,9 @@ static char buf[512];
>   * ANy brave soul to write it using xtables-devel?
>   */
>  
> -static const char *nf_conn_cmd = "%s -w -t filter %s %s --protocol tcp "
> +static const char *nf_conn_cmd = "%s %s -t filter %s %s --protocol tcp "
>  	"--source %s --sport %d --destination %s --dport %d -j DROP";
> +static const char *nf_check_has_wait_option_cmd = "iptables -w -L";
>  
>  static char iptable_cmd_ipv4[] = "iptables";
>  static char iptable_cmd_ipv6[] = "ip6tables";
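Review bot: nf_check_has_wait_option_cmd hard-codes the "iptables" binary, while nf_conn_cmd is run with cmd, which is "iptables" or "ip6tables" depending on family; the probe should run the same binary it is answering for (build it from cmd, e.g. "%s -w -L", instead of a fixed string), otherwise ip6tables rules get -w added or dropped based on what the IPv4 tool supports. Minor: when the -w slot is substituted with "", the generated command contains a double space ("iptables  -t filter ..."), which sh tolerates but which looks odd in logs.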
> @@ -53,6 +54,7 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,
>  	char *cmd;
>  	char *argv[4] = { "sh", "-c", buf, NULL };
>  	int ret;
> +	int nowait = 0;
>  
>  	switch (family) {
>  	case AF_INET:
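Review bot: nowait is a function-local int reset to 0 on every call, which is what forces the probe added below to re-run on each connection lock and unlock; a static cache (e.g. static int nowait = -1 meaning "not probed yet", filled in on first use) would make the capability check happen once per process, which is what the reply further down asks for.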
> @@ -72,7 +74,14 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,
>  		return -1;
>  	}
>  
> +	snprintf(buf, sizeof(buf), "%s", nf_check_has_wait_option_cmd);
> +
> +	ret = cr_system(-1, -1, -1, "sh", argv, CRS_CAN_FAIL);
> +	if (ret == -1)
> +		nowait = 1;

Ability for iptables to wait should be checked only once, not on
every connection lock.

> +
>  	snprintf(buf, sizeof(buf), nf_conn_cmd, cmd,
> +			nowait ? "" : "-w",
>  			lock ? "-A" : "-D",
>  			input ? "INPUT" : "OUTPUT",
>  			dip, (int)dst_port, sip, (int)src_port);
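Review bot: any failure of the "iptables -w -L" probe is treated as "no --wait support", after which the real command is silently issued without -w; a non-zero exit for an unrelated reason (no CAP_NET_ADMIN in the current namespace, iptables modules not loadable) is then masked until the real -A/-D also fails, with a misleading "no wait option" decision in between. The commit message itself notes that an invalid option gives exit status 2, so checking for that status rather than any failure would be more precise. The probe is also heavier than it needs to be: -L without -n does reverse DNS lookups for every address in the filter table and prints the whole table; "-w -L -n" with output discarded, or "-w -S", would be a cheaper probe. Finally, argv[2] aliases buf, so reusing buf for the second snprintf after the probe works, but a short comment saying so would save the next reader from wondering.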
> 