[CRIU] [PATCH v4] net/iptables: check iptables command has wait option

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Tue Jun 28 00:07:11 PDT 2016


First, I've somehow lost part of the commit message:
"""
CRIU-3.11 job's environment has iptables version <=v1.4.19. As there
was no xtables locking and no --wait option before v1.4.20, criu fails.

From dump log:
(00.038399) Error (util.c:665): exited, status=2
(00.038434) Error (netfilter.c:88): Iptables configuration failed: Success

From docs: "invalid or abused command line parameters cause an exit
code of 2"

Tested with:
iptables --version
iptables v1.4.19.1

So add kdat.has_xtlocks to mark if iptables has xtlocking.
"""

On 06/27/2016 10:22 PM, Cyrill Gorcunov wrote:
> On Sat, Jun 25, 2016 at 01:09:07PM +0300, Pavel Tikhomirov wrote:
>>
>> diff --git a/criu/netfilter.c b/criu/netfilter.c
>> index 2c3acd6..6d7b340 100644
>> --- a/criu/netfilter.c
>> +++ b/criu/netfilter.c
>> @@ -12,6 +12,7 @@
>>  #include "netfilter.h"
>>  #include "sockets.h"
>>  #include "sk-inet.h"
>> +#include "kerndat.h"
>>
>>  static char buf[512];
>>
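Review bot: kerndat.h is included here but nothing in this file's visible hunks reads kdat; if the has_xtlocks lookup lives at the nf_conn_cmd call site, make sure that change is part of this same patch so the include does not land without a user.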
>> @@ -20,7 +21,7 @@ static char buf[512];
>>   * ANy brave soul to write it using xtables-devel?
>>   */
>>
>> -static const char *nf_conn_cmd = "%s -w -t filter %s %s --protocol tcp "
>> +static const char *nf_conn_cmd = "%s %s -t filter %s %s --protocol tcp "
>>  	"--source %s --sport %d --destination %s --dport %d -j DROP";
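Review bot: replacing the literal -w with a second %s changes the argument list of nf_conn_cmd, so every snprintf call that formats it (not shown in this hunk) must now pass the wait flag as the second argument, otherwise every later argument shifts by one and the generated rule is wrong; tie that argument to the new kerndat flag, e.g. `kdat.has_xtlocks ? "-w" : ""`. Passing "" leaves a doubled space before "-t", which iptables tolerates, but `"%s%s -t filter"` with `"-w "` / `""` avoids it. It is also worth stating in the commit message that on an iptables without the xtables lock the rule insertion runs unserialised against any other iptables instance, which is exactly the race the wait flag exists to close.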
>
> Huh? How does this correlate with the exclusive lock idea?

Second, iptables v1.4.20 commit 93587a04d0f2 ("ip[6]tables: Add locking 
to prevent concurrent instances") says that "There have been numerous 
complaints and bug reports over the years when admins attempt to run 
more than one instance of iptables simultaneously", so they added a 
per-netns lock on an abstract socket bind to the "xtables" name. So we might 
have problems using iptables v1.4.19 or older, but what are we left to do?

-- 
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.
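As an added illustration of the check this thread is about (example code, not CRIU's own): decide from the `iptables --version` line whether the binary has the xtables lock and therefore accepts `-w` (the thread puts both at v1.4.20), and build the rule command the way the patched `"%s %s -t filter ..."` template allows. Function names and the version-parsing approach are assumptions of this example, not CRIU's kerndat probe.

```c
/* Added example, not CRIU code. Assumes, as the thread states, that the
 * xtables lock and the -w (wait) option both appeared in iptables v1.4.20. */
#include <stdio.h>
#include <string.h>

/* Parse "iptables v1.4.19.1" into major/minor/patch; a fourth component is
 * ignored, a missing patch level counts as 0. Returns -1 if no version found. */
static int parse_iptables_version(const char *line, int *maj, int *min, int *pat)
{
	const char *v = strstr(line, " v");	/* version follows the program name */
	if (!v)
		return -1;
	*pat = 0;
	if (sscanf(v + 2, "%d.%d.%d", maj, min, pat) < 2)
		return -1;
	return 0;
}

/* 1 if this iptables has the per-netns xtables lock and -w (>= 1.4.20), else 0.
 * An unparsable line is treated as "no -w": passing an unknown option makes
 * old iptables exit with status 2, which is the failure seen in the dump log. */
static int iptables_has_xtlocks(const char *version_line)
{
	int maj, min, pat;
	if (parse_iptables_version(version_line, &maj, &min, &pat) < 0)
		return 0;
	if (maj != 1)
		return maj > 1;
	if (min != 4)
		return min > 4;
	return pat >= 20;
}

/* Build the DROP rule command from the patched template; the wait flag is
 * "-w" when the lock exists and "" otherwise (leaving a harmless double space).
 * Returns the length written, or -1 if the buffer is too small. */
static int build_nf_conn_cmd(char *buf, size_t len, int has_xtlocks,
			     const char *iptables, const char *action, const char *chain,
			     const char *src, int sport, const char *dst, int dport)
{
	static const char *nf_conn_cmd = "%s %s -t filter %s %s --protocol tcp "
		"--source %s --sport %d --destination %s --dport %d -j DROP";
	int n = snprintf(buf, len, nf_conn_cmd, iptables, has_xtlocks ? "-w" : "",
			 action, chain, src, sport, dst, dport);
	return (n < 0 || (size_t)n >= len) ? -1 : n;
}
```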