<p dir="ltr"><br>
On Feb 6, 2016 09:54, "Pavel Emelyanov" <<a href="mailto:xemul@virtuozzo.com">xemul@virtuozzo.com</a>> wrote:<br>
><br>
> On 02/04/2016 10:36 PM, Andrey Vagin wrote:<br>
> > From: Andrew Vagin <<a href="mailto:avagin@virtuozzo.com">avagin@virtuozzo.com</a>><br>
> ><br>
> > We request all conntrack entries via netlink and save netlink messages which<br>
> > describe them in an image file, then we send these netlink messages back on restore.<br>
><br>
> Does it require any non-upstream kernel patch to work?</p>
<p dir="ltr">No, it doesn't.</p>
<p dir="ltr">><br>
> > <a href="https://github.com/xemul/criu/issues/54">https://github.com/xemul/criu/issues/54</a><br>
> > Signed-off-by: Andrew Vagin <<a href="mailto:avagin@virtuozzo.com">avagin@virtuozzo.com</a>><br>
> > ---<br>
> > image-desc.c | 2 +<br>
> > include/image-desc.h | 2 +<br>
> > include/magic.h | 2 +<br>
> > net.c | 126 +++++++++++++++++++++++++++++++++++++++++++++++++++<br>
> > 4 files changed, 132 insertions(+)<br>
> ><br>
> > diff --git a/image-desc.c b/image-desc.c<br>
> > index 9fb96c8..6770675 100644<br>
> > --- a/image-desc.c<br>
> > +++ b/image-desc.c<br>
> > @@ -95,6 +95,8 @@ struct cr_fd_desc_tmpl imgset_template[CR_FD_MAX] = {<br>
> > FD_ENTRY(CPUINFO, "cpuinfo"),<br>
> > FD_ENTRY(SECCOMP, "seccomp"),<br>
> > FD_ENTRY(USERNS, "userns-%d"),<br>
> > + FD_ENTRY(NETNF_CT, "netns-ct-%d"),<br>
> > + FD_ENTRY(NETNF_EXP, "netns-exp-%d"),<br>
> ><br>
> > [CR_FD_STATS] = {<br>
> > .fmt = "stats-%s",<br>
> > diff --git a/include/image-desc.h b/include/image-desc.h<br>
> > index 90933e9..532ced8 100644<br>
> > --- a/include/image-desc.h<br>
> > +++ b/include/image-desc.h<br>
> > @@ -44,6 +44,8 @@ enum {<br>
> > CR_FD_IPTABLES,<br>
> > CR_FD_IP6TABLES,<br>
> > CR_FD_NETNS,<br>
> > + CR_FD_NETNF_CT,<br>
> > + CR_FD_NETNF_EXP,<br>
> > _CR_FD_NETNS_TO,<br>
> ><br>
> > CR_FD_PSTREE,<br>
> > diff --git a/include/magic.h b/include/magic.h<br>
> > index 3cb3766..b11a70e 100644<br>
> > --- a/include/magic.h<br>
> > +++ b/include/magic.h<br>
> > @@ -100,6 +100,8 @@<br>
> > #define TMPFS_DEV_MAGIC RAW_IMAGE_MAGIC<br>
> > #define IPTABLES_MAGIC RAW_IMAGE_MAGIC<br>
> > #define IP6TABLES_MAGIC RAW_IMAGE_MAGIC<br>
> > +#define NETNF_CT_MAGIC RAW_IMAGE_MAGIC<br>
> > +#define NETNF_EXP_MAGIC RAW_IMAGE_MAGIC<br>
> ><br>
> > #define PAGES_OLD_MAGIC PAGEMAP_MAGIC<br>
> > #define SHM_PAGES_OLD_MAGIC PAGEMAP_MAGIC<br>
> > diff --git a/net.c b/net.c<br>
> > index 51b3159..c611f61 100644<br>
> > --- a/net.c<br>
> > +++ b/net.c<br>
> > @@ -2,6 +2,9 @@<br>
> > #include &lt;sys/socket.h&gt;<br>
> > #include &lt;linux/netlink.h&gt;<br>
> > #include &lt;linux/rtnetlink.h&gt;<br>
> > +#include &lt;linux/netfilter/nfnetlink.h&gt;<br>
> > +#include &lt;linux/netfilter/nfnetlink_conntrack.h&gt;<br>
> > +#include &lt;linux/netfilter/nf_conntrack_tcp.h&gt;<br>
> > #include &lt;string.h&gt;<br>
> > #include &lt;net/if_arp.h&gt;<br>
> > #include &lt;sys/wait.h&gt;<br>
> > @@ -344,6 +347,121 @@ unk:<br>
> > return ret;<br>
> > }<br>
> ><br>
> > +static int dump_one_nf(struct nlmsghdr *hdr, void *arg)<br>
> > +{<br>
> > + struct cr_img *img = arg;<br>
> > +<br>
> > + if (lazy_image(img) && open_image_lazy(img))<br>
> > + return -1;<br>
> > +<br>
> > + if (write_img_buf(img, hdr, hdr->nlmsg_len))<br>
> > + return -1;<br>
> > +<br>
> > + return 0;<br>
> > +}<br>
> > +<br>
> > +static int restore_nf_ct(int pid, int type)<br>
> > +{<br>
> > + struct nlmsghdr *nlh = NULL;<br>
> > + int exit_code = -1, sk;<br>
> > + struct cr_img *img;<br>
> > +<br>
> > + img = open_image(type, O_RSTR, pid);<br>
> > + if (empty_image(img)) {<br>
> > + close_image(img);<br>
> > + return 0;<br>
> > + }<br>
> > +<br>
> > + sk = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);<br>
> > + if (sk < 0) {<br>
> > + pr_perror("Can't open rtnl sock for net dump");<br>
> > + goto out_img;<br>
> > + }<br>
> > +<br>
> > + nlh = xmalloc(sizeof(struct nlmsghdr));<br>
> > + if (nlh == NULL)<br>
> > + goto out;<br>
> > +<br>
> > + while (1) {<br>
> > + struct nlmsghdr *p;<br>
> > + int ret;<br>
> > +<br>
> > + ret = read_img_buf_eof(img, nlh, sizeof(struct nlmsghdr));<br>
> > + if (ret < 0)<br>
> > + goto out;<br>
> > + if (ret == 0)<br>
> > + break;<br>
> > +<br>
> > + p = xrealloc(nlh, nlh->nlmsg_len);<br>
> > + if (p == NULL)<br>
> > + goto out;<br>
> > + nlh = p;<br>
> > +<br>
> > + ret = read_img_buf_eof(img, nlh + 1, nlh->nlmsg_len - sizeof(struct nlmsghdr));<br>
> > + if (ret < 0)<br>
> > + goto out;<br>
> > + if (ret == 0) {<br>
> > + pr_err("The image file was truncated\n");<br>
> > + goto out;<br>
> > + }<br>
> > +<br>
> > + nlh->nlmsg_flags = NLM_F_REQUEST|NLM_F_ACK|NLM_F_CREATE;<br>
> > + ret = do_rtnl_req(sk, nlh, nlh->nlmsg_len, NULL, NULL, NULL);<br>
> > + if (ret)<br>
> > + goto out;<br>
> > + }<br>
> > +<br>
> > + exit_code = 0;<br>
> > +out:<br>
> > + xfree(nlh);<br>
> > + close(sk);<br>
> > +out_img:<br>
> > + close_image(img);<br>
> > + return exit_code;<br>
> > +}<br>
> > +<br>
> > +static int dump_nf_ct(struct cr_imgset *fds, int type)<br>
> > +{<br>
> > + struct cr_img *img;<br>
> > + struct {<br>
> > + struct nlmsghdr nlh;<br>
> > + struct nfgenmsg g;<br>
> > + } req;<br>
> > + int sk, ret;<br>
> > +<br>
> > + pr_info("Dumping netns links\n");<br>
> > +<br>
> > + ret = sk = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);<br>
> > + if (sk < 0) {<br>
> > + pr_perror("Can't open rtnl sock for net dump");<br>
> > + goto out;<br>
> > + }<br>
> > +<br>
> > + memset(&req, 0, sizeof(req));<br>
> > + req.nlh.nlmsg_len = sizeof(req);<br>
> > + req.nlh.nlmsg_type = (NFNL_SUBSYS_CTNETLINK << 8);<br>
> > +<br>
> > + if (type == CR_FD_NETNF_CT)<br>
> > + req.nlh.nlmsg_type |= IPCTNL_MSG_CT_GET;<br>
> > + else if (type == CR_FD_NETNF_EXP)<br>
> > + req.nlh.nlmsg_type |= IPCTNL_MSG_EXP_GET;<br>
> > + else<br>
> > + BUG();<br>
> > +<br>
> > + req.nlh.nlmsg_flags = NLM_F_DUMP | NLM_F_REQUEST;<br>
> > + req.nlh.nlmsg_pid = 0;<br>
> > + req.nlh.nlmsg_seq = CR_NLMSG_SEQ;<br>
> > + req.g.nfgen_family = AF_UNSPEC;<br>
> > +<br>
> > + img = img_from_set(fds, type);<br>
> > +<br>
> > + ret = do_rtnl_req(sk, &req, sizeof(req), dump_one_nf, NULL, img);<br>
> > + close(sk);<br>
> > +out:<br>
> > + return ret;<br>
> > +<br>
> > +}<br>
> > +<br>
> > static int dump_links(struct cr_imgset *fds)<br>
> > {<br>
> > int sk, ret;<br>
> > @@ -904,6 +1022,10 @@ int dump_net_ns(int ns_id)<br>
> > ret = dump_rule(fds);<br>
> > if (!ret)<br>
> > ret = dump_iptables(fds);<br>
> > + if (!ret)<br>
> > + ret = dump_nf_ct(fds, CR_FD_NETNF_CT);<br>
> > + if (!ret)<br>
> > + ret = dump_nf_ct(fds, CR_FD_NETNF_EXP);<br>
> ><br>
> > close(ns_sysfs_fd);<br>
> > ns_sysfs_fd = -1;<br>
> > @@ -931,6 +1053,10 @@ int prepare_net_ns(int pid)<br>
> > ret = restore_rule(pid);<br>
> > if (!ret)<br>
> > ret = restore_iptables(pid);<br>
> > + if (!ret)<br>
> > + ret = restore_nf_ct(pid, CR_FD_NETNF_CT);<br>
> > + if (!ret)<br>
> > + ret = restore_nf_ct(pid, CR_FD_NETNF_EXP);<br>
> ><br>
> > close_service_fd(NS_FD_OFF);<br>
> ><br>
> ><br>
><br>
</p>