[CRIU] [PATCH] net/iptables: check iptables command has wait option

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Thu Jun 16 07:58:27 PDT 2016


Sorry, please drop this one; I will resend the right version.

On 06/16/2016 05:53 PM, Pavel Tikhomirov wrote:
> CRIU-3.11 job's environment has iptables version <=v1.4.19. As there
> was no xtables locking and no --wait option before v1.4.20, criu fails.
>
> From dump log:
> (00.038399) Error (util.c:665): exited, status=2
> (00.038434) Error (netfilter.c:88): Iptables configuration failed: Success
>
> From docs: "invalid or abused command line parameters cause an exit code of 2"
>
> Tested with:
> iptables --version
> iptables v1.4.19.1
>
> So add opts.has_xtlocks option which indicates if current iptables utility
> has xtables locks and "-w" flag.
>
> v2: fix compilation warning for snprintf
> v3: check iptables has xtables locks support once
> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
> ---
>  criu/crtools.c            |  2 ++
>  criu/include/cr_options.h |  1 +
>  criu/include/util.h       |  1 +
>  criu/netfilter.c          |  4 +++-
>  criu/util.c               | 10 ++++++++++
>  5 files changed, 17 insertions(+), 1 deletion(-)
>
> diff --git a/criu/crtools.c b/criu/crtools.c
> index 9bef1d8..ef891f8 100644
> --- a/criu/crtools.c
> +++ b/criu/crtools.c
> @@ -72,6 +72,8 @@ void init_opts(void)
>  	opts.ghost_limit = DEFAULT_GHOST_LIMIT;
>  	opts.timeout = DEFAULT_TIMEOUT;
>  	opts.empty_ns = 0;
> +
> +	init_has_xtlocks();
>  }
>
>  static int parse_join_ns(const char *ptr)
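Review bot: The return value of `init_has_xtlocks()` is discarded at the end of `init_opts()`, and placing the probe here ties a fork of a shell plus iptables to option initialisation. If `init_opts()` runs on every invocation (as its name suggests), even runs that never lock a connection pay for it. Probing lazily, the first time an iptables command line is built, would limit the cost and side effects to the runs that need it. If the call stays here, a comment such as `/* probe iptables once for -w (xtables lock) support */` would explain why initialising defaults spawns a process. The body of `init_opts()` starts outside the hunk.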
> diff --git a/criu/include/cr_options.h b/criu/include/cr_options.h
> index 1d47909..5830354 100644
> --- a/criu/include/cr_options.h
> +++ b/criu/include/cr_options.h
> @@ -112,6 +112,7 @@ struct cr_options {
>  	unsigned int		empty_ns;
>  	bool			lazy_pages;
>  	bool			tcp_skip_in_flight;
> +	unsigned int		has_xtlocks;
>  };
>
>  extern struct cr_options opts;
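Review bot: `has_xtlocks` is declared `unsigned int` although the patch only ever stores 0 or 1 in it, while the neighbouring flags visible in this hunk (`lazy_pages`, `tcp_skip_in_flight`) are `bool`; `bool has_xtlocks;` would match them. The field is also a detected capability rather than a user-supplied option, which is worth a short comment, e.g. `/* set by init_has_xtlocks(): iptables accepts -w */`. The struct definition starts outside the hunk.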
> diff --git a/criu/include/util.h b/criu/include/util.h
> index 72fbd1d..b021548 100644
> --- a/criu/include/util.h
> +++ b/criu/include/util.h
> @@ -169,6 +169,7 @@ extern int is_anon_link_type(char *link, char *type);
>  extern int cr_system(int in, int out, int err, char *cmd, char *const argv[], unsigned flags);
>  extern int cr_system_userns(int in, int out, int err, char *cmd,
>  				char *const argv[], unsigned flags, int userns_pid);
> +extern int init_has_xtlocks(void);
>  extern int cr_daemon(int nochdir, int noclose, int *keep_fd, int close_fd);
>  extern int is_root_user(void);
>
> diff --git a/criu/netfilter.c b/criu/netfilter.c
> index 2c3acd6..9c40fee 100644
> --- a/criu/netfilter.c
> +++ b/criu/netfilter.c
> @@ -12,6 +12,7 @@
>  #include "netfilter.h"
>  #include "sockets.h"
>  #include "sk-inet.h"
> +#include "cr_options.h"
>
>  static char buf[512];
>
> @@ -20,7 +21,7 @@ static char buf[512];
>   * ANy brave soul to write it using xtables-devel?
>   */
>
> -static const char *nf_conn_cmd = "%s -w -t filter %s %s --protocol tcp "
> +static const char *nf_conn_cmd = "%s %s -t filter %s %s --protocol tcp "
>  	"--source %s --sport %d --destination %s --dport %d -j DROP";
>
>  static char iptable_cmd_ipv4[] = "iptables";
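Review bot: The new second `%s` in `nf_conn_cmd` is not self-explanatory and the comment above the template does not mention it. A line such as `/* 2nd %s: "-w" when opts.has_xtlocks is set, otherwise empty */` would help. Per the commit message, iptables before v1.4.20 has no xtables locking at all, so the comment should also say that without `-w` the rule change is not serialised against other iptables users and the caller's failure check is the only safeguard.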
> @@ -73,6 +74,7 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,
>  	}
>
>  	snprintf(buf, sizeof(buf), nf_conn_cmd, cmd,
> +			opts.has_xtlocks ? "-w" : "",
>  			lock ? "-A" : "-D",
>  			input ? "INPUT" : "OUTPUT",
>  			dip, (int)dst_port, sip, (int)src_port);
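Review bot: `opts.has_xtlocks` is applied to whatever `cmd` holds, but the probe in `init_has_xtlocks()` only ever runs `iptables`. The name `iptable_cmd_ipv4` suggests `cmd` is selected per address family outside this hunk, so an IPv6 rule would gain or lose `-w` based on the IPv4 binary's capabilities. Either probe each binary that can end up in `cmd`, or state the assumption in a comment, e.g. `/* assumes the IPv4 and IPv6 tools come from the same iptables release */`. The function body starts and ends outside the hunk.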
> diff --git a/criu/util.c b/criu/util.c
> index ff5184c..05e8780 100644
> --- a/criu/util.c
> +++ b/criu/util.c
> @@ -685,6 +685,16 @@ int cr_system_userns(int in, int out, int err, char *cmd,
>  	return ret;
>  }
>
> +int init_has_xtlocks(void) {
> +	char *argv[4] = { "sh", "-c", "iptables -w -L", NULL };
> +
> +	opts.has_xtlocks = 1;
> +	if (cr_system(-1, -1, -1, "sh", argv, CRS_CAN_FAIL) == -1)
> +		opts.has_xtlocks = 0;
> +
> +	return 0;
> +}
> +
>  int cr_daemon(int nochdir, int noclose, int *keep_fd, int close_fd)
>  {
>  	int pid;
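Review bot: `init_has_xtlocks()` runs its probe through `sh -c` although the command line is fixed and needs no shell features. Passing the arguments directly, `char *argv[] = { "iptables", "-w", "-n", "-L", NULL };` with `cr_system(-1, -1, -1, "iptables", argv, CRS_CAN_FAIL)`, drops one process and the shell's handling of the environment from a tool that normally runs privileged; this assumes `cr_system()` resolves `cmd` through PATH as it already must for `"sh"`. The added `-n` avoids reverse DNS lookups while listing. Any probe failure (iptables missing, insufficient privileges) is silently treated as "no `-w`", so a warning in the log on fallback would make the loss of locking visible. The function always returns 0, so `void` would be more accurate, and its opening brace should sit on its own line as in `cr_daemon()` just below.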
>

-- 
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.

