[CRIU] [PATCH v4] net/iptables: check iptables command has wait option
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Tue Jun 28 00:07:11 PDT 2016
First, I've somehow lost part of the commit message:
"""
CRIU-3.11 job's environment has iptables version <=v1.4.19. As there
was no xtables locking and no --wait option before v1.4.20, criu fails.
From dump log:
(00.038399) Error (util.c:665): exited, status=2
(00.038434) Error (netfilter.c:88): Iptables configuration failed: Success
From docs: "invalid or abused command line parameters cause an exit
code of 2"
Tested with:
iptables --version
iptables v1.4.19.1
So add kdat.has_xtlocks to mark whether iptables has xtlocking.
"""
On 06/27/2016 10:22 PM, Cyrill Gorcunov wrote:
> On Sat, Jun 25, 2016 at 01:09:07PM +0300, Pavel Tikhomirov wrote:
>>
>> diff --git a/criu/netfilter.c b/criu/netfilter.c
>> index 2c3acd6..6d7b340 100644
>> --- a/criu/netfilter.c
>> +++ b/criu/netfilter.c
>> @@ -12,6 +12,7 @@
>> #include "netfilter.h"
>> #include "sockets.h"
>> #include "sk-inet.h"
>> +#include "kerndat.h"
>>
>> static char buf[512];
>>
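Review bot: the new `#include "kerndat.h"` is only justified by a later use of kdat.has_xtlocks in netfilter.c, but neither the hunk that defines that field in kerndat.h nor the probe that sets it is in the quoted excerpt; please confirm they are part of this patch (or fold the include into the hunk that uses it) so the include does not dangle.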
>> @@ -20,7 +21,7 @@ static char buf[512];
>> * ANy brave soul to write it using xtables-devel?
>> */
>>
>> -static const char *nf_conn_cmd = "%s -w -t filter %s %s --protocol tcp "
>> +static const char *nf_conn_cmd = "%s %s -t filter %s %s --protocol tcp "
>> "--source %s --sport %d --destination %s --dport %d -j DROP";
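Review bot: the rewritten nf_conn_cmd format string gains a second `%s` (the wait-flag slot) ahead of `-t filter`, so every snprintf() that formats nf_conn_cmd must be updated in the same patch to pass the extra argument (for instance `kdat.has_xtlocks ? "-w" : ""`), otherwise the argument list no longer matches the format and the call is undefined behaviour; that caller change is not in the quoted excerpt. When the flag is the empty string the command contains a double space before `-t`, which is harmless only if the string is run through a shell, so a short comment next to nf_conn_cmd saying which it is would help the next reader.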
>
> Huh? How does this correlate with the exclusive lock idea?
Second, iptables v1.4.20 commit 93587a04d0f2 ("ip[6]tables: Add locking
to prevent concurrent instances") says that "There have been numerous
complaints and bug reports over the years when admins attempt to run
more than one instance of iptables simultaneously", so they added a
per-netns lock on an abstract socket bind to the "xtables" name. So we
might have problems using iptables v1.4.19 or older, but what are we
left to do?
--
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.
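As an added example (not CRIU's code), here is a kdat-style probe for the has_xtlocks decision described in the commit message: it runs the given iptables binary with -w and classifies the exit status, treating 2 (invalid parameters, per the iptables docs quoted above) as "no --wait". The write_fake_iptables helper, the script it writes and the paths are constructed for the demo so the probe can be exercised without a real iptables; on a dump host iptables_has_wait would be given the real binary.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Probe "<iptables> -w -L -n" with stdio on /dev/null and classify the exit
 * status: iptables exits 2 on invalid parameters, which is what a pre-1.4.20
 * binary (no xtables lock, no --wait) does on seeing -w.
 * Returns 1 (accepts -w), 0 (rejects -w), -1 (could not run). */
int iptables_has_wait(const char *iptables)
{
	int status, nullfd;
	pid_t pid = fork();
	if (pid < 0)
		return -1;
	if (pid == 0) {
		nullfd = open("/dev/null", O_RDWR);
		if (nullfd >= 0) {
			dup2(nullfd, STDIN_FILENO);
			dup2(nullfd, STDOUT_FILENO);
			dup2(nullfd, STDERR_FILENO);
		}
		execl(iptables, iptables, "-w", "-L", "-n", (char *)NULL);
		_exit(127); /* exec failed; not one of iptables' own codes */
	}
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
		return -1;
	switch (WEXITSTATUS(status)) {
	case 2:   return 0;  /* "unknown option": no -w, no xtables lock */
	case 127: return -1; /* binary missing or not executable */
	default:  return 1;  /* -w parsed; 0 or a later (e.g. privilege) error */
	}
}

/* Hypothetical stand-in for an iptables binary so the probe can be exercised
 * offline: a shell script that rejects -w with status 2 unless supports_wait. */
int write_fake_iptables(const char *path, int supports_wait)
{
	FILE *f = fopen(path, "w");
	if (!f)
		return -1;
	fprintf(f, "#!/bin/sh\n");
	if (!supports_wait)
		fprintf(f, "for a in \"$@\"; do [ \"$a\" = -w ] && exit 2; done\n");
	fprintf(f, "exit 0\n");
	fclose(f);
	return chmod(path, 0755);
}
```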