[Devel] [PATCH 3/3] net: do iptables restore in ve0

Stanislav Kinsburskiy skinsbursky at virtuozzo.com
Fri Jul 21 10:42:03 MSK 2017


This is needed to be able to restore a container with netfilter disabled.
When netfilter is disabled, its dentries and operations are forbidden in the
CT's VE.
Thus we need to switch to VE#0. This is done by forking a child, which
switches to VE#0, does the task and exits.

https://jira.sw.ru/browse/PSBM-58574

Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
---
 criu/net.c |   25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/criu/net.c b/criu/net.c
index 9986310..6b2385c 100644
--- a/criu/net.c
+++ b/criu/net.c
@@ -34,6 +34,7 @@
 #include "kerndat.h"
 #include "util.h"
 #include "external.h"
+#include "crtools.h"
 
 #include "protobuf.h"
 #include "images/netdev.pb-c.h"
@@ -1301,11 +1302,33 @@ static int run_iptables_tool(char *def_cmd, int fdin, int fdout)
 	return ret;
 }
 
-static int iptables_tool_restore(char *def_cmd, int fdin)
+static int __iptables_tool_restore(char *def_cmd, int fdin)
 {
+	if (join_ve(root_item->pid->real, false))
+		return -1;
+
 	return run_iptables_tool(def_cmd, fdin, -1);
 }
 
+static int iptables_tool_restore(char *def_cmd, int fdin)
+{
+	int child, status;
+
+	child = fork();
+	if (child < 0) {
+		pr_perror("failed to fork");
+		return -1;
+	} else if (!child)
+		_exit(__iptables_tool_restore(def_cmd, fdin));
+
+	if (waitpid(child, &status, 0) != child) {
+		pr_err("failed to collect child %d\n", child);
+		return -1;
+	}
+	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
+
+}
+
 static int iptables_tool_dump(char *def_cmd, int fdout)
 {
 	return run_iptables_tool(def_cmd, -1, fdout);
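Review bot: The exit-status plumbing in the new iptables_tool_restore() loses the sign of the child's result: __iptables_tool_restore() returns -1 when join_ve() fails (and whatever run_iptables_tool() reports otherwise), `_exit(-1)` turns that into status 255, and the parent hands back `WEXITSTATUS(status)`, so any caller that tests for a negative return will treat the failure as success. Collapse the result to a boolean on both sides, in the child `_exit(__iptables_tool_restore(def_cmd, fdin) ? 1 : 0);` and in the parent `return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;`. The `waitpid()` call should also be retried on `EINTR` (or at least use pr_perror so errno is visible) instead of reporting a spurious "failed to collect child". Because the child now runs the iptables tool after entering VE#0 on rules taken from the restore image, a one-line comment above the `join_ve()` call stating that the rules are still applied inside the restored task's own net namespace — if that is what join_ve()'s second argument guarantees, which this hunk does not show — would help the next reader.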


