[Devel] [PATCH 2/3] net: iptables_tool_{dump, restore} helpers introduced

Andrei Vagin avagin at virtuozzo.com
Mon Jul 24 22:13:54 MSK 2017 

On Fri, Jul 21, 2017 at 10:41:58AM +0300, Stanislav Kinsburskiy wrote:
> A couple of simple helpers to destinguish between iptables dump and restore.
> Will be useful later, when iptables restore will happen in VE#0.
> 
> Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
> ---
>  criu/net.c |   19 +++++++++++++++----
>  1 file changed, 15 insertions(+), 4 deletions(-)
> 
> diff --git a/criu/net.c b/criu/net.c
> index abf15c6..9986310 100644
> --- a/criu/net.c
> +++ b/criu/net.c
> @@ -1301,6 +1301,16 @@ static int run_iptables_tool(char *def_cmd, int fdin, int fdout)
>  	return ret;
>  }
>  
> +static int iptables_tool_restore(char *def_cmd, int fdin)
> +{
> +	return run_iptables_tool(def_cmd, fdin, -1);
> +}
> +
> +static int iptables_tool_dump(char *def_cmd, int fdout)
> +{
> +	return run_iptables_tool(def_cmd, -1, fdout);
> +}
> +
>  static inline int dump_ifaddr(struct cr_imgset *fds)
>  {
>  	struct cr_img *img = img_from_set(fds, CR_FD_IFADDR);
> @@ -1352,12 +1362,12 @@ static inline int dump_iptables(struct cr_imgset *fds)
>  	struct cr_img *img;
>  
>  	img = img_from_set(fds, CR_FD_IPTABLES);
> -	if (run_iptables_tool("iptables-save", -1, img_raw_fd(img)))
> +	if (iptables_tool_dump("iptables-save", img_raw_fd(img)))
>  		return -1;
>  
>  	if (kdat.ipv6) {
>  		img = img_from_set(fds, CR_FD_IP6TABLES);
> -		if (run_iptables_tool("ip6tables-save", -1, img_raw_fd(img)))
> +		if (iptables_tool_dump("ip6tables-save", img_raw_fd(img)))
>  			return -1;
>  	}
>  
> @@ -1528,7 +1538,7 @@ static inline int restore_iptables(int pid)
>  
>  	img = open_image(CR_FD_IPTABLES, O_RSTR, pid);
>  	if (img) {
> -		ret = run_iptables_tool("iptables-restore", img_raw_fd(img), -1);
> +		ret = iptables_tool_restore("iptables-restore", img_raw_fd(img));
>  		close_image(img);
>  	}
>  	if (ret)
> @@ -1540,7 +1550,8 @@ static inline int restore_iptables(int pid)
>  	if (empty_image(img))
>  		goto out;
>  
> -	ret = run_iptables_tool("ip6tables-restore", img_raw_fd(img), -1);
> +	ret = iptables_tool_restore("ip6tables-restore", img_raw_fd(img));

There are two other places, which probably have to be fixed too.

network_lock_internal
network_unlock_internal

I'm not sure about network_lock_internal(), but
network_unlock_internal() is called from ve

> +
>  out:
>  	close_image(img);
>  
> 
> _______________________________________________
> Devel mailing list
> Devel at openvz.org
> https://lists.openvz.org/mailman/listinfo/devel

More information about the Devel mailing list