<div dir="ltr">As I won't have time to work on this any time soon, can we apply the patch that I sent adding "-n" to "ip[6]tables" commands for now? It doesn't break anything and saves about a minute to do c/r on my one of my machines with lots of entries.<div><br></div><div>Thanks,</div><div><br></div><div>--Saied</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Mar 14, 2016 at 3:29 PM, Pavel Emelyanov <span dir="ltr"><<a href="mailto:xemul@virtuozzo.com" target="_blank">xemul@virtuozzo.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 03/14/2016 08:53 PM, Tycho Andersen wrote:<br>
> On Mon, Mar 14, 2016 at 10:41:03AM -0700, Saied Kazemi wrote:<br>
>> Any further thoughts on this?<br>
><br>
> Not really, other than that modprobe seems like the best bet. I think<br>
> the modules needed are "ip6table_filter" and "iptable_filter".<br>
<br>
</span>Maybe we can scan though /proc/modules before doing fork + exec? Presumably<br>
modprobe does the same, so we save one fork and exec in the common case.<br>
<span class="HOEnZb"><font color="#888888"><br>
-- Pavel<br>
</font></span><span class=""><br>
> Tycho<br>
><br>
>> --Saied<br>
>><br>
>><br>
>> On Fri, Mar 11, 2016 at 4:19 PM, Tycho Andersen <<br>
>> <a href="mailto:tycho.andersen@canonical.com">tycho.andersen@canonical.com</a>> wrote:<br>
>><br>
>>> On Fri, Mar 11, 2016 at 04:11:50PM -0800, Saied Kazemi wrote:<br>
>>>> Good question. A machine that I was testing on had a few hundred entries<br>
>>>> which made it look like criu was hung. With the -n it's obviously a LOT<br>
>>>> faster but it'd be best to use a command that would load the modules much<br>
>>>> more quickly. This is not an area that I've had much experience.<br>
>>><br>
>>> I guess we could modprobe. I think we dropped the modprobe from the<br>
>>> _diag modules because there was an easy netlink way to get the modules<br>
>>> to load which didn't cost us an exec. since we're doing an exec here<br>
>>> anyway to run the iptables binaries, modprobe might be simpler.<br>
>>><br>
>>> The other option is to figure out some netlink way to specify an<br>
>>> invalid rule. I'm not sure what that would look like off the top of my<br>
>>> head, though :)<br>
>>><br>
>>> Tycho<br>
>>><br>
</span>> .<br>
><br>
<br>
</blockquote></div><br></div>