iptables: use cr_system instead of system

We are going to detect parasite crashes. For that we are goint to check all unwaited processes in SIGCHLD handler. cr_system blocks SIGCHLD and unblocks it after waiting a target process. Signed-off-by: Andrey Vagin <avagin@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>

iptables: use cr_system instead of system
We are going to detect parasite crashes. For that we are goint to check all unwaited processes in SIGCHLD handler. cr_system blocks SIGCHLD and unblocks it after waiting a target process. Signed-off-by: Andrey Vagin <avagin@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
1009c8bb · Andrey Vagin · Pavel Emelyanov · 29c3e842 · 1009c8bb
Commit 1009c8bb authored Oct 02, 2013 by Andrey Vagin Committed by Pavel Emelyanov Oct 02, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 1 deletion

netfilter.c netfilter.c +7 -1

No files found.
--- a/netfilter.c
+++ b/netfilter.c
@@ -32,6 +32,7 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,
 {
 	char sip[INET_ADDR_LEN], dip[INET_ADDR_LEN];
 	char *cmd;
+	char *argv[4] = { "sh", "-c", buf, NULL };
 	int ret;
 	switch (family) {
@@ -58,7 +59,12 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,
 			dip, (int)dst_port, sip, (int)src_port);
 	pr_debug("\tRunning iptables [%s]\n", buf);
-	ret = system(buf);
+	/*
+	 * cr_system is used here, because it blocks SIGCHLD before waiting
+	 * a child and the child can't be waited from SIGCHLD handler.
+	 */
+	ret = cr_system(-1, -1, -1, "sh", argv);
 	if (ret < 0 || !WIFEXITED(ret) || WEXITSTATUS(ret)) {
 		pr_perror("Iptables configuration failed");
 		return -1;