[CRIU] [PATCH] netfilter: add -n to iptables and ip6tables calls

Pavel Emelyanov xemul at virtuozzo.com
Mon Mar 14 15:29:22 PDT 2016


On 03/14/2016 08:53 PM, Tycho Andersen wrote:
> On Mon, Mar 14, 2016 at 10:41:03AM -0700, Saied Kazemi wrote:
>> Any further thoughts on this?
> 
> Not really, other than that modprobe seems like the best bet. I think
> the modules needed are "ip6table_filter" and "iptable_filter".

Maybe we can scan through /proc/modules before doing fork + exec? Presumably
modprobe does the same, so we save one fork and exec in the common case.

-- Pavel

> Tycho
> 
>> --Saied
>>
>>
>> On Fri, Mar 11, 2016 at 4:19 PM, Tycho Andersen <
>> tycho.andersen at canonical.com> wrote:
>>
>>> On Fri, Mar 11, 2016 at 04:11:50PM -0800, Saied Kazemi wrote:
>>>> Good question.  A machine that I was testing on had a few hundred entries
>>>> which made it look like criu was hung.  With the -n it's obviously a LOT
>>>> faster but it'd be best to use a command that would load the modules much
>>>> more quickly.  This is not an area in which I've had much experience.
>>>
>>> I guess we could modprobe. I think we dropped the modprobe from the
>>> _diag modules because there was an easy netlink way to get the modules
>>> to load which didn't cost us an exec. Since we're doing an exec here
>>> anyway to run the iptables binaries, modprobe might be simpler.
>>>
>>> The other option is to figure out some netlink way to specify an
>>> invalid rule. I'm not sure what that would look like off the top of my
>>> head, though :)
>>>
>>> Tycho
>>>
> .
> 
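
The /proc/modules scan suggested in the reply above, as an added example that is not part of the original message or of CRIU's code: it checks for the two modules named in the thread so that modprobe only needs to be forked when one is not listed. The function name `missing_modules`, the bitmask return value and the buffer size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Module names are the ones named in the thread; the rest is illustrative. */
static const char *const nf_modules[] = { "iptable_filter", "ip6table_filter" };
#define NR_NF_MODULES (sizeof(nf_modules) / sizeof(nf_modules[0]))

/*
 * Scan a stream in /proc/modules format ("name size refcnt used-by state addr")
 * and return a bitmask with bit i set when nf_modules[i] is NOT listed.
 * Only a name at the start of a line counts, so a module that appears in
 * another module's used-by list is not mistaken for a loaded one.
 */
static unsigned int missing_modules(FILE *f)
{
	unsigned int missing = (1u << NR_NF_MODULES) - 1;
	char buf[256];
	int line_start = 1;
	size_t i, n;

	while (fgets(buf, sizeof(buf), f)) {
		for (i = 0; line_start && i < NR_NF_MODULES; i++) {
			n = strlen(nf_modules[i]);
			if (!strncmp(buf, nf_modules[i], n) && buf[n] == ' ')
				missing &= ~(1u << i);
		}
		/* No '\n' in this chunk: the line continues in the next read. */
		line_start = strchr(buf, '\n') != NULL;
	}
	return missing;
}

int main(void)
{
	FILE *f = fopen("/proc/modules", "r");
	/* If the file cannot be read, treat everything as missing. */
	unsigned int missing = f ? missing_modules(f) : (1u << NR_NF_MODULES) - 1;
	size_t i;

	if (f)
		fclose(f);
	for (i = 0; i < NR_NF_MODULES; i++)
		printf("%s: %s\n", nf_modules[i],
		       (missing >> i) & 1 ? "not listed, modprobe needed" : "loaded");
	return missing != 0;
}
```

Code built into the kernel does not appear in /proc/modules, so a set bit means "fall back to modprobe", not "the table is unavailable".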


