[CRIU] [PATCH v3] net/iptables: check iptables command has wait option

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Thu Jun 16 08:09:19 PDT 2016


CRIU-3.11 job's environment has iptables version <=v1.4.19. As there
were no xtables locking and no --wait option before v1.4.20 criu fails.

From dump log:
(00.038399) Error (util.c:665): exited, status=2
(00.038434) Error (netfilter.c:88): Iptables configuration failed: Success

From docs: "invalid or abused command line parameters cause an exit code of 2"

Tested with:
iptables --version
iptables v1.4.19.1

So add opts.has_xtlocks to mark if iptables has xtlocking.

v2: fix compilation warning for snprintf
v3: check iptables has xtables locks support only once
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 criu/crtools.c            |  2 ++
 criu/include/cr_options.h |  1 +
 criu/include/util.h       |  1 +
 criu/netfilter.c          |  4 +++-
 criu/util.c               | 11 +++++++++++
 5 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/criu/crtools.c b/criu/crtools.c
index 9bef1d8..4e0d15e 100644
--- a/criu/crtools.c
+++ b/criu/crtools.c
@@ -726,6 +726,8 @@ int main(int argc, char *argv[], char *envp[])
 	if (log_init(opts.output))
 		return 1;
 
+	init_has_xtlocks();
+
 	if (!list_empty(&opts.inherit_fds)) {
 		if (strcmp(argv[optind], "restore")) {
 			pr_err("--inherit-fd is restore-only option\n");
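Review bot: The added `init_has_xtlocks();` spawns `sh -c "iptables -w -L"` on every criu invocation, before argv[optind] is even inspected, so actions that never build an iptables command still pay for a shell, an iptables run and a full filter-table listing in the caller's namespace. Consider calling it lazily from the first nf_connection_switch_raw() use, or gating it on the actions that reach netfilter.c. The int result is also dropped here; either check it or declare the function void, since the implementation in this series can only return 0. main() continues outside the hunk.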
diff --git a/criu/include/cr_options.h b/criu/include/cr_options.h
index 1d47909..5830354 100644
--- a/criu/include/cr_options.h
+++ b/criu/include/cr_options.h
@@ -112,6 +112,7 @@ struct cr_options {
 	unsigned int		empty_ns;
 	bool			lazy_pages;
 	bool			tcp_skip_in_flight;
+	unsigned int		has_xtlocks;
 };
 
 extern struct cr_options opts;
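Review bot: `has_xtlocks` is a yes/no flag but is declared `unsigned int`, while the neighbouring `lazy_pages` and `tcp_skip_in_flight` flags are `bool`; `bool has_xtlocks;` keeps the struct consistent. A short comment would help readers who find the field without the probe, e.g. `/* iptables accepts -w (xtables lock); probed once by init_has_xtlocks() */`. Note that a zero-initialised opts leaves the flag clear, so any path that reads it before the probe has run silently builds the command without -w.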
diff --git a/criu/include/util.h b/criu/include/util.h
index 72fbd1d..b021548 100644
--- a/criu/include/util.h
+++ b/criu/include/util.h
@@ -169,6 +169,7 @@ extern int is_anon_link_type(char *link, char *type);
 extern int cr_system(int in, int out, int err, char *cmd, char *const argv[], unsigned flags);
 extern int cr_system_userns(int in, int out, int err, char *cmd,
 				char *const argv[], unsigned flags, int userns_pid);
+extern int init_has_xtlocks(void);
 extern int cr_daemon(int nochdir, int noclose, int *keep_fd, int close_fd);
 extern int is_root_user(void);
 
diff --git a/criu/netfilter.c b/criu/netfilter.c
index 2c3acd6..9c40fee 100644
--- a/criu/netfilter.c
+++ b/criu/netfilter.c
@@ -12,6 +12,7 @@
 #include "netfilter.h"
 #include "sockets.h"
 #include "sk-inet.h"
+#include "cr_options.h"
 
 static char buf[512];
 
@@ -20,7 +21,7 @@ static char buf[512];
  * ANy brave soul to write it using xtables-devel?
  */
 
-static const char *nf_conn_cmd = "%s -w -t filter %s %s --protocol tcp "
+static const char *nf_conn_cmd = "%s %s -t filter %s %s --protocol tcp "
 	"--source %s --sport %d --destination %s --dport %d -j DROP";
 
 static char iptable_cmd_ipv4[] = "iptables";
@@ -73,6 +74,7 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,
 	}
 
 	snprintf(buf, sizeof(buf), nf_conn_cmd, cmd,
+			opts.has_xtlocks ? "-w" : "",
 			lock ? "-A" : "-D",
 			input ? "INPUT" : "OUTPUT",
 			dip, (int)dst_port, sip, (int)src_port);
diff --git a/criu/util.c b/criu/util.c
index ff5184c..1a9d503 100644
--- a/criu/util.c
+++ b/criu/util.c
@@ -685,6 +685,17 @@ int cr_system_userns(int in, int out, int err, char *cmd,
 	return ret;
 }
 
+int init_has_xtlocks(void) {
+	/* need install LOG_FD_OFF service fd for cr_system() */
+	char *argv[4] = { "sh", "-c", "iptables -w -L", NULL };
+
+	opts.has_xtlocks = 1;
+	if (cr_system(-1, -1, -1, "sh", argv, CRS_CAN_FAIL) == -1)
+		opts.has_xtlocks = 0;
+
+	return 0;
+}
+
 int cr_daemon(int nochdir, int noclose, int *keep_fd, int close_fd)
 {
 	int pid;
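Review bot: `init_has_xtlocks()` clears the flag on any failure of `iptables -w -L`, but the commit message only justifies that for exit status 2 (unknown option); a missing iptables binary, a table module that cannot be loaded or a caller without CAP_NET_ADMIN also make the probe fail, after which every iptables call from netfilter.c runs without `-w` and, on an iptables that does support locking, fails immediately whenever another process holds the xtables lock instead of waiting. If cr_system() does not expose the exit status (its contract is outside the hunk), a second probe without `-w` separates the two cases: the option is only unsupported when the same listing succeeds without it. Independently, `-L` without `-n` performs reverse DNS lookups on every rule address and can stall startup on hosts with slow resolvers, so the probe should use `iptables -w -n -L`. Finally, the opening brace belongs on its own line as in the surrounding definitions (see cr_daemon below), and since the function has no failure path the `int` return declared in util.h is never meaningful.
```c
int init_has_xtlocks(void)
{
	/* need install LOG_FD_OFF service fd for cr_system() */
	char *argv_w[4] = { "sh", "-c", "iptables -w -n -L", NULL };
	char *argv_nw[4] = { "sh", "-c", "iptables -n -L", NULL };

	opts.has_xtlocks = 1;
	if (cr_system(-1, -1, -1, "sh", argv_w, CRS_CAN_FAIL) != -1)
		return 0;

	/*
	 * "-w" failed: conclude the option is unsupported only if the same
	 * listing succeeds without it. Otherwise iptables is unusable here
	 * for an unrelated reason, and keeping "-w" costs nothing while
	 * still serializing later calls on the xtables lock.
	 */
	if (cr_system(-1, -1, -1, "sh", argv_nw, CRS_CAN_FAIL) != -1)
		opts.has_xtlocks = 0;

	return 0;
}
```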
-- 
2.5.5


