[Devel] [PATCH criu] net: execute iptables-restore in a target network namespace
Andrei Vagin
avagin at openvz.org
Thu Oct 19 08:44:35 MSK 2017
Otherwise the kernel can return an error. One of these checks
is in xt_owner.c:owner_check():
...
if ((info->match & (XT_OWNER_UID|XT_OWNER_GID)) &&
(current_user_ns() != net->user_ns))
return -EINVAL;
...
https://jira.sw.ru/browse/PSBM-75531
---
criu/net.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/criu/net.c b/criu/net.c
index b90a730..e3f083b 100644
--- a/criu/net.c
+++ b/criu/net.c
@@ -1807,7 +1807,12 @@ static int do_iptables_restore(bool ipv6, char *buf, int size)
}
close_safe(&pfd[1]);
- ret = cr_system(pfd[0], -1, -1, cmd[0], cmd, 0);
+ /*
+ * iptables-restore has to be executed in a network userns,
+ * otherwise the kernel can return an error. One of these checks
+ * is in xt_owner.c:owner_check().
+ */
+ ret = cr_system_userns(pfd[0], -1, -1, cmd[0], cmd, 0, root_item->pid->real);
err:
close_safe(&pfd[1]);
close_safe(&pfd[0]);
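Review bot: The new comment says iptables-restore "has to be executed in a network userns", which mixes up the two namespaces and does not match the kernel check quoted in the commit message; owner_check() compares current_user_ns() against net->user_ns, so the requirement is that the caller runs in the user namespace that owns the target network namespace, not in the network namespace itself. Suggest rewording the comment to something like "iptables-restore has to be executed in the user namespace that owns the target netns, otherwise xt_owner.c:owner_check() rejects rules with XT_OWNER_UID/GID", and aligning the subject line ("in a target network namespace") with that, since the replacement call cr_system_userns(..., root_item->pid->real) is what actually selects the user namespace.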
--
1.8.3.1