diff -ur ../criu-3.19/criu/cr-dump.c criu-3.19/criu/cr-dump.c
|
|
--- ../criu-3.19/criu/cr-dump.c 2023-11-28 01:47:16.000000000 +0100
|
|
+++ criu-3.19/criu/cr-dump.c 2024-12-17 09:53:58.545908685 +0100
|
|
@@ -2182,7 +2182,7 @@
|
|
if (collect_pstree_ids())
|
|
goto err;
|
|
|
|
- if (network_lock())
|
|
+ if (network_lock(&he))
|
|
goto err;
|
|
|
|
if (rpc_query_external_files())
|
|
diff -ur ../criu-3.19/criu/cr-restore.c criu-3.19/criu/cr-restore.c
|
|
--- ../criu-3.19/criu/cr-restore.c 2023-11-28 01:47:16.000000000 +0100
|
|
+++ criu-3.19/criu/cr-restore.c 2024-12-17 09:29:47.771542239 +0100
|
|
@@ -2359,7 +2359,7 @@
|
|
* the '--empty-ns net' mode no iptables C/R is done and we
|
|
* need to return these rules by hands.
|
|
*/
|
|
- ret = network_lock_internal();
|
|
+ ret = network_lock_internal(NULL);
|
|
if (ret)
|
|
goto out_kill;
|
|
}
|
|
diff -ur ../criu-3.19/criu/image.c criu-3.19/criu/image.c
|
|
--- ../criu-3.19/criu/image.c 2023-11-28 01:47:16.000000000 +0100
|
|
+++ criu-3.19/criu/image.c 2024-12-17 09:56:13.751949657 +0100
|
|
@@ -25,6 +25,7 @@
|
|
TaskKobjIdsEntry *root_ids;
|
|
u32 root_cg_set;
|
|
Lsmtype image_lsm;
|
|
+char nft_lock_table[32];
|
|
|
|
int check_img_inventory(bool restore)
|
|
{
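Review bot: `nft_lock_table` is introduced as a non-static global in image.c with no header declaration, and net.c re-declares it by hand as `extern char nft_lock_table[32];` in the `@@ -229,6 +229,8 @@` hunk, so the two sizes can drift silently and the compiler will not catch it. Declare it once in criu/include/net.h next to the `network_lock` prototypes, `extern char nft_lock_table[32];`, and drop the local extern from net.c. The definition also deserves a comment stating its role, e.g. `/* nftables lock table name read from the inventory image; empty when not set */`, since nothing on this line says why a table name lives in image.c.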
|
|
@@ -99,6 +100,9 @@
|
|
} else {
|
|
opts.network_lock_method = he->network_lock_method;
|
|
}
|
|
+
|
|
+ if (he->nft_lock_table)
|
|
+ strncpy(nft_lock_table, he->nft_lock_table, sizeof(nft_lock_table) - 1);
|
|
}
|
|
|
|
ret = 0;
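Review bot: The added copy silently truncates an over-long image string: `strncpy(..., sizeof(nft_lock_table) - 1)` only terminates because the global happens to be zero-initialized, and a truncated name is later used verbatim in a `delete table %s` command (net.c, `nftables_network_unlock`), which would act on the wrong table. Reject instead of truncating: `if (strlen(he->nft_lock_table) >= sizeof(nft_lock_table)) { pr_err("nft_lock_table too long\n"); /* fail the inventory check */ }` and then copy with `snprintf(nft_lock_table, sizeof(nft_lock_table), "%s", he->nft_lock_table);`. Since the value comes from an image file rather than from this process, it is worth validating that it has the form `nftables_get_table()` produces (helper not visible here) before it is accepted at all. The enclosing function continues outside this hunk, so the right error label is not visible from here.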
|
|
diff -ur ../criu-3.19/criu/include/net.h criu-3.19/criu/include/net.h
|
|
--- ../criu-3.19/criu/include/net.h 2023-11-28 01:47:16.000000000 +0100
|
|
+++ criu-3.19/criu/include/net.h 2024-12-17 09:27:40.578168778 +0100
|
|
@@ -29,9 +29,10 @@
|
|
|
|
extern int collect_net_namespaces(bool for_dump);
|
|
|
|
-extern int network_lock(void);
|
|
+#include "images/inventory.pb-c.h"
|
|
+extern int network_lock(InventoryEntry *he);
|
|
extern void network_unlock(void);
|
|
-extern int network_lock_internal(void);
|
|
+extern int network_lock_internal(InventoryEntry *he);
|
|
|
|
extern struct ns_desc net_ns_desc;
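Review bot: The `#include "images/inventory.pb-c.h"` is dropped between two prototypes instead of with the other includes at the top of net.h, which makes the dependency easy to miss and is out of step with the rest of the header. Either move it up with the existing includes or, if pulling the generated protobuf header into every net.h consumer is undesirable, use a forward declaration of the struct behind the `InventoryEntry` typedef and keep the include in net.c. Note also that this header still declares `network_unlock(void)` while the net.c hunk at `@@ -3230,10 +3264,10 @@` changes the definition to `network_unlock()`; the header form is the correct one.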
|
|
|
|
diff -ur ../criu-3.19/criu/net.c criu-3.19/criu/net.c
|
|
--- ../criu-3.19/criu/net.c 2023-11-28 01:47:16.000000000 +0100
|
|
+++ criu-3.19/criu/net.c 2024-12-17 09:53:25.370199544 +0100
|
|
@@ -229,6 +229,8 @@
|
|
"max_dgram_qlen",
|
|
};
|
|
|
|
+extern char nft_lock_table[32];
|
|
+
|
|
/*
|
|
* MAX_CONF_UNIX_PATH = (sizeof(CONF_UNIX_FMT) - strlen("%s"))
|
|
* + MAX_CONF_UNIX_OPT_PATH
|
|
@@ -3053,21 +3055,34 @@
|
|
return ret;
|
|
}
|
|
|
|
-static inline int nftables_lock_network_internal(void)
|
|
+static inline int nftables_lock_network_internal(InventoryEntry *he)
|
|
{
|
|
#if defined(CONFIG_HAS_NFTABLES_LIB_API_0) || defined(CONFIG_HAS_NFTABLES_LIB_API_1)
|
|
struct nft_ctx *nft;
|
|
int ret = 0;
|
|
char table[32];
|
|
char buf[128];
|
|
+ FILE *fp;
|
|
|
|
if (nftables_get_table(table, sizeof(table)))
|
|
return -1;
|
|
|
|
+ if (he) {
|
|
+ he->nft_lock_table = strdup(table);
|
|
+ }
|
|
+
|
|
nft = nft_ctx_new(NFT_CTX_DEFAULT);
|
|
if (!nft)
|
|
return -1;
|
|
|
|
+ fp = fdopen(log_get_fd(), "w");
|
|
+ if (!fp) {
|
|
+ pr_perror("fdopen() failed");
|
|
+ goto err3;
|
|
+ }
|
|
+ nft_ctx_set_output(nft, fp);
|
|
+ nft_ctx_set_error(nft, fp);
|
|
+
|
|
snprintf(buf, sizeof(buf), "create table %s", table);
|
|
if (NFT_RUN_CMD(nft, buf))
|
|
goto err2;
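Review bot: `fp = fdopen(log_get_fd(), "w")` followed by `fclose(fp)` at `err2:` closes the underlying descriptor, so unless `log_get_fd()` hands out a fresh duplicate (not visible here) the first failed lock attempt closes CRIU's log fd and all later logging breaks; the same pattern is repeated in `nftables_network_unlock` (hunk `@@ -3158,18 +3176,34 @@`), where it runs on every call. Wrap the fd with `dup()` before `fdopen` so `fclose` releases only the copy, and check the result. Two further points in this hunk: `he->nft_lock_table = strdup(table)` is unchecked, so on allocation failure the inventory quietly records no table and the restore side falls back to a computed name; and if the success path still jumps to `out:` as the label layout suggests (that path is outside the hunk), `fp` is never flushed or closed there, so its buffered nft output is lost — moving the `fflush`/`fclose` pair under `out:` guarded by `if (fp)` covers all paths. The caller in cr-dump.c passes a local `he`, so the strdup'd string's owner should be documented at the field.
```c
	if (he) {
		he->nft_lock_table = strdup(table);
		if (!he->nft_lock_table) {
			pr_err("Failed to record nft lock table name\n");
			return -1;
		}
	}
	/* … unchanged: nft_ctx_new … */
	fd = dup(log_get_fd());	/* int fd; declared with the other locals */
	if (fd < 0) {
		pr_perror("dup() failed");
		goto err3;
	}
	fp = fdopen(fd, "w");
	if (!fp) {
		pr_perror("fdopen() failed");
		close(fd);
		goto err3;
	}
	/* … unchanged: nft_ctx_set_output / nft_ctx_set_error, nft commands … */
```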
|
|
@@ -3094,6 +3109,9 @@
|
|
snprintf(buf, sizeof(buf), "delete table %s", table);
|
|
NFT_RUN_CMD(nft, buf);
|
|
err2:
|
|
+ fflush(fp);
|
|
+ fclose(fp);
|
|
+err3:
|
|
ret = -1;
|
|
pr_err("Locking network failed using nftables\n");
|
|
out:
|
|
@@ -3130,7 +3148,7 @@
|
|
return ret;
|
|
}
|
|
|
|
-int network_lock_internal(void)
|
|
+int network_lock_internal(InventoryEntry *he)
|
|
{
|
|
int ret = 0, nsret;
|
|
|
|
@@ -3143,7 +3161,7 @@
|
|
if (opts.network_lock_method == NETWORK_LOCK_IPTABLES)
|
|
ret = iptables_network_lock_internal();
|
|
else if (opts.network_lock_method == NETWORK_LOCK_NFTABLES)
|
|
- ret = nftables_lock_network_internal();
|
|
+ ret = nftables_lock_network_internal(he);
|
|
|
|
if (restore_ns(nsret, &net_ns_desc))
|
|
ret = -1;
|
|
@@ -3158,18 +3176,34 @@
|
|
struct nft_ctx *nft;
|
|
char table[32];
|
|
char buf[128];
|
|
+ FILE *fp;
|
|
|
|
- if (nftables_get_table(table, sizeof(table)))
|
|
- return -1;
|
|
+ if (nft_lock_table[0] != 0) {
|
|
+ strncpy(table, nft_lock_table, sizeof(table));
|
|
+ } else {
|
|
+ if (nftables_get_table(table, sizeof(table)))
|
|
+ return -1;
|
|
+ }
|
|
|
|
nft = nft_ctx_new(NFT_CTX_DEFAULT);
|
|
if (!nft)
|
|
return -1;
|
|
|
|
+ fp = fdopen(log_get_fd(), "w");
|
|
+ if (!fp) {
|
|
+ pr_perror("fdopen() failed");
|
|
+ nft_ctx_free(nft);
|
|
+ return -1;
|
|
+ }
|
|
+ nft_ctx_set_output(nft, fp);
|
|
+ nft_ctx_set_error(nft, fp);
|
|
+
|
|
snprintf(buf, sizeof(buf), "delete table %s", table);
|
|
if (NFT_RUN_CMD(nft, buf))
|
|
ret = -1;
|
|
|
|
+ fflush(fp);
|
|
+ fclose(fp);
|
|
nft_ctx_free(nft);
|
|
return ret;
|
|
#else
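Review bot: `strncpy(table, nft_lock_table, sizeof(table))` does not guarantee termination: both arrays are 32 bytes, so a full-length name leaves `table` unterminated and the following `snprintf(buf, ..., "delete table %s", table)` reads past it. Today this is only avoided because image.c copies at most 31 bytes into a zero-initialized global; replace it with `snprintf(table, sizeof(table), "%s", nft_lock_table);` so the invariant is local to this function. The `fdopen`/`fclose` of `log_get_fd()` here has the same descriptor-closing problem raised on the `nftables_lock_network_internal` hunk, and here it runs on every unlock rather than only on failure.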
|
|
@@ -3216,7 +3250,7 @@
|
|
return ret;
|
|
}
|
|
|
|
-int network_lock(void)
|
|
+int network_lock(InventoryEntry *he)
|
|
{
|
|
pr_info("Lock network\n");
|
|
|
|
@@ -3230,10 +3264,10 @@
|
|
if (run_scripts(ACT_NET_LOCK))
|
|
return -1;
|
|
|
|
- return network_lock_internal();
|
|
+ return network_lock_internal(he);
|
|
}
|
|
|
|
-void network_unlock(void)
|
|
+void network_unlock()
|
|
{
|
|
pr_info("Unlock network\n");
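Review bot: Changing the definition from `void network_unlock(void)` to `void network_unlock()` is a regression: in C11 an empty parameter list means "unspecified arguments" rather than "no arguments", it disables argument checking at call sites, and it no longer matches the `network_unlock(void)` prototype kept in net.h. The change is unrelated to the patch's purpose; restore `void network_unlock(void)`.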
|
|
|
|
diff -ur ../criu-3.19/images/inventory.proto criu-3.19/images/inventory.proto
|
|
--- ../criu-3.19/images/inventory.proto 2023-11-28 01:47:16.000000000 +0100
|
|
+++ criu-3.19/images/inventory.proto 2024-12-17 09:21:55.378011178 +0100
|
|
@@ -21,4 +21,5 @@
|
|
optional uint32 pre_dump_mode = 9;
|
|
optional bool tcp_close = 10;
|
|
optional uint32 network_lock_method = 11;
|
|
+ optional string nft_lock_table = 13;
|
|
}
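Review bot: The new field is numbered 13 while the last existing field is 11, so number 12 is skipped without a `reserved` statement or comment explaining why. If 12 is already taken or reserved upstream that should be stated in the file, otherwise a later contributor may reuse it and collide with images written by this patch; add either `reserved 12;` or a one-line comment giving the reason. The field name would also read better with a comment tying it to the dump-side `network_lock_method` it complements.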
|