[Devel] [PATCH 3/3] net: do iptables restore in ve0

Andrei Vagin avagin at virtuozzo.com
Mon Jul 24 18:34:52 MSK 2017 

On Fri, Jul 21, 2017 at 10:42:03AM +0300, Stanislav Kinsburskiy wrote:
> This is needed to be able to restore container vwith disabled netfilter.
> When netfilter is disabled, its denties and operations are forbiddedn in CTs
> VE.
> Thus we need to switch to VE#0. This is done by forking a child, which
> switches to VE#0, does the task and exits.
> 
> https://jira.sw.ru/browse/PSBM-58574
> 
> Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
> ---
>  criu/net.c |   25 ++++++++++++++++++++++++-
>  1 file changed, 24 insertions(+), 1 deletion(-)
> 
> diff --git a/criu/net.c b/criu/net.c
> index 9986310..6b2385c 100644
> --- a/criu/net.c
> +++ b/criu/net.c
> @@ -34,6 +34,7 @@
>  #include "kerndat.h"
>  #include "util.h"
>  #include "external.h"
> +#include "crtools.h"
>  
>  #include "protobuf.h"
>  #include "images/netdev.pb-c.h"
> @@ -1301,11 +1302,33 @@ static int run_iptables_tool(char *def_cmd, int fdin, int fdout)
>  	return ret;
>  }
>  
> -static int iptables_tool_restore(char *def_cmd, int fdin)
> +static int __iptables_tool_restore(char *def_cmd, int fdin)
>  {
> +	if (join_ve(root_item->pid->real, false))

Do you switch here into VE0? Could you add a comment? It is not obvious
that root_item in VE0 at this moment.
> +		return -1;
> +
>  	return run_iptables_tool(def_cmd, fdin, -1);
>  }
>  
> +static int iptables_tool_restore(char *def_cmd, int fdin)
> +{
> +	int child, status;
> +
> +	child = fork();
> +	if (child < 0) {
> +		pr_perror("failed to fork");
> +		return -1;
> +	} else if (!child)
> +		_exit(__iptables_tool_restore(def_cmd, fdin));
> +
> +	if (waitpid(child, &status, 0) != child) {
> +		pr_err("failed to collect child %d\n", child);
> +		return -1;
> +	}
> +	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
> +
> +}
> +
>  static int iptables_tool_dump(char *def_cmd, int fdout)
>  {
>  	return run_iptables_tool(def_cmd, -1, fdout);
> 
> _______________________________________________
> Devel mailing list
> Devel at openvz.org
> https://lists.openvz.org/mailman/listinfo/devel

More information about the Devel mailing list