[CRIU] [PATCH] netfilter: add -n to iptables and ip6tables calls

Tycho Andersen tycho.andersen at canonical.com
Thu Mar 17 10:25:33 PDT 2016


On Thu, Mar 17, 2016 at 10:11:30AM -0700, Saied Kazemi wrote:
> As I won't have time to work on this any time soon, can we apply the patch
> that I sent adding "-n" to "ip[6]tables" commands for now?  It doesn't
> break anything and saves about a minute to do c/r on one of my machines
> with lots of entries.

Sure,

Acked-by: Tycho Andersen <tycho.andersen at canonical.com>

I'll try and come up with something better, but probably not until
after 16.04 is released :)

Tycho

> Thanks,
> 
> --Saied
> 
> 
> On Mon, Mar 14, 2016 at 3:29 PM, Pavel Emelyanov <xemul at virtuozzo.com>
> wrote:
> 
> > On 03/14/2016 08:53 PM, Tycho Andersen wrote:
> > > On Mon, Mar 14, 2016 at 10:41:03AM -0700, Saied Kazemi wrote:
> > >> Any further thoughts on this?
> > >
> > > Not really, other than that modprobe seems like the best bet. I think
> > > the modules needed are "ip6table_filter" and "iptable_filter".
> >
> > Maybe we can scan through /proc/modules before doing fork + exec? Presumably
> > modprobe does the same, so we save one fork and exec in the common case.
> >
> > -- Pavel
> >
> > > Tycho
> > >
> > >> --Saied
> > >>
> > >>
> > >> On Fri, Mar 11, 2016 at 4:19 PM, Tycho Andersen <
> > >> tycho.andersen at canonical.com> wrote:
> > >>
> > >>> On Fri, Mar 11, 2016 at 04:11:50PM -0800, Saied Kazemi wrote:
> > >>>> Good question.  A machine that I was testing on had a few hundred entries
> > >>>> which made it look like criu was hung.  With the -n it's obviously a LOT
> > >>>> faster but it'd be best to use a command that would load the modules much
> > >>>> more quickly.  This is not an area that I've had much experience in.
> > >>>
> > >>> I guess we could modprobe. I think we dropped the modprobe from the
> > >>> _diag modules because there was an easy netlink way to get the modules
> > >>> to load which didn't cost us an exec. Since we're doing an exec here
> > >>> anyway to run the iptables binaries, modprobe might be simpler.
> > >>>
> > >>> The other option is to figure out some netlink way to specify an
> > >>> invalid rule. I'm not sure what that would look like off the top of my
> > >>> head, though :)
> > >>>
> > >>> Tycho
> > >>>
> > > .
> > >
> >
> >
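
The /proc/modules scan suggested in the quoted discussion, sketched as an added example that is not part of the thread and is not CRIU code. The helper names (`field_equals`, `module_is_live`, `missing_modules`) are hypothetical; only the two module names come from the thread.

```c
#include <stdio.h>
#include <string.h>

/* Modules named in the thread; array order fixes the bit positions below. */
static const char *const wanted[] = { "iptable_filter", "ip6table_filter" };

/* Compare space-separated field idx (0-based) of the line [p, end) with want. */
static int field_equals(const char *p, const char *end, int idx, const char *want)
{
	size_t wlen = strlen(want);
	for (;; idx--) {
		while (p < end && *p == ' ') p++;
		const char *start = p;
		while (p < end && *p != ' ') p++;
		if (idx == 0)
			return (size_t)(p - start) == wlen && !memcmp(start, want, wlen);
		if (p == end) return 0;	/* line ended before the requested field */
	}
}

/* 1 if name is "Live" in /proc/modules text (name size refcount users state addr). */
static int module_is_live(const char *text, const char *name)
{
	while (*text) {
		const char *nl = strchr(text, '\n'), *end = nl ? nl : text + strlen(text);
		if (field_equals(text, end, 0, name) && field_equals(text, end, 4, "Live"))
			return 1;
		text = nl ? nl + 1 : end;
	}
	return 0;
}

/* Bit i set => wanted[i] is not live, so the modprobe exec is still needed. */
static unsigned missing_modules(const char *text)
{
	unsigned i, mask = 0;
	for (i = 0; i < sizeof(wanted) / sizeof(wanted[0]); i++)
		if (!module_is_live(text, wanted[i])) mask |= 1u << i;
	return mask;
}

int main(void)
{
	static char buf[1 << 20];	/* zero-filled; assumption: the list fits in 1 MiB */
	FILE *f = fopen("/proc/modules", "r");
	size_t n = f ? fread(buf, 1, sizeof(buf) - 1, f) : 0;
	if (f) fclose(f);
	printf("read %zu bytes, missing-module mask: %#x\n", n, missing_modules(buf));
	return 0;
}
```

A module built into the kernel never appears in /proc/modules, so a set bit means "fall back to modprobe", not "the filter table is unavailable".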

