[CRIU] [PATCH] netfilter: add -n to iptables and ip6tables calls
Saied Kazemi
saied at google.com
Fri Mar 11 16:11:50 PST 2016
Good question. A machine that I was testing on had a few hundred entries
which made it look like criu was hung. With the -n it's obviously a LOT
faster but it'd be best to use a command that would load the modules much
more quickly. This is not an area that I've had much experience.
--Saied
On Fri, Mar 11, 2016 at 4:05 PM, Tycho Andersen <
tycho.andersen at canonical.com> wrote:
> On Fri, Mar 11, 2016 at 04:02:00PM -0800, Saied Kazemi wrote:
> > To preload netfilter modules, criu runs "iptables -L" and "ip6tables -L"
> > before starting to dump or restore a process tree.
> >
> > On systems with many entries, the above commands without the -n option
> > take a long time because of lengthy DNS lookups.
>
> Is there some command we can run that would take less time all
> together? Like trying to load an invalid rule or something?
>
> > Signed-off-by: Saied Kazemi <saied at google.com>
> > ---
> > criu/netfilter.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/criu/netfilter.c b/criu/netfilter.c
> > index 865a12f..312b4aa 100644
> > --- a/criu/netfilter.c
> > +++ b/criu/netfilter.c
> > @@ -39,9 +39,9 @@ void preload_netfilter_modules(void)
> > pr_perror("failed to open /dev/null, using log fd for net
> module preload");
> > }
> > cr_system(fd, fd, fd, iptable_cmd_ipv4,
> > - (char *[]) { iptable_cmd_ipv4, "-L", NULL}, 0);
> > + (char *[]) { iptable_cmd_ipv4, "-L", "-n", NULL}, 0);
> > cr_system(fd, fd, fd, iptable_cmd_ipv6,
> > - (char *[]) { iptable_cmd_ipv6, "-L", NULL}, 0);
> > + (char *[]) { iptable_cmd_ipv6, "-L", "-n", NULL}, 0);
> > close_safe(&fd);
> > }
> >
> > --
> > 2.7.0.rc3.207.g0ac5344
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openvz.org/pipermail/criu/attachments/20160311/3697194b/attachment-0001.html>
More information about the CRIU
mailing list