net: Save and restore iptables in net namespace

By default just use the iptables-save and iptables-restore commands. User may define CR_IPTABLES variable, in this case the "sh -c $CR_IPTABLES" would be called. Signed-off-by: Pavel Emelyanov <xemul@parallels.com>

net: Save and restore iptables in net namespace
By default just use the iptables-save and iptables-restore commands. User may define CR_IPTABLES variable, in this case the "sh -c $CR_IPTABLES" would be called. Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
28014d7e · Pavel Emelyanov · 80b1da7f · 28014d7e · 28014d7e · 28014d7e
Commit 28014d7e authored Oct 03, 2013 by Pavel Emelyanov
Hide whitespace changes
Inline Side-by-side

Showing with 41 additions and 0 deletions

image-desc.c image-desc.c +1 -0

image-desc.h include/image-desc.h +1 -0

magic.h include/magic.h +1 -0

net.c net.c +38 -0

No files found.
--- a/image-desc.c
+++ b/image-desc.c
@@ -63,6 +63,7 @@ struct cr_fd_desc_tmpl fdset_template[CR_FD_MAX] = {
 	FD_ENTRY(NETDEV,	"netdev-%d"),
 	FD_ENTRY(IFADDR,	"ifaddr-%d"),
 	FD_ENTRY(ROUTE,		"route-%d"),
+	FD_ENTRY(IPTABLES,	"iptables-%d"),
 	FD_ENTRY(TMPFS,		"tmpfs-%d.tar.gz"),
 	FD_ENTRY(TTY_FILES,	"tty"),
 	FD_ENTRY(TTY_INFO,	"tty-info"),

--- a/include/image-desc.h
+++ b/include/image-desc.h
@@ -44,6 +44,7 @@ enum {
 	CR_FD_NETDEV,
 	CR_FD_IFADDR,
 	CR_FD_ROUTE,
+	CR_FD_IPTABLES,
 	_CR_FD_NETNS_TO,

 	CR_FD_PSTREE,

--- a/include/magic.h
+++ b/include/magic.h
@@ -75,6 +75,7 @@
 #define IFADDR_MAGIC		RAW_IMAGE_MAGIC
 #define ROUTE_MAGIC		RAW_IMAGE_MAGIC
 #define TMPFS_MAGIC		RAW_IMAGE_MAGIC
+#define IPTABLES_MAGIC		RAW_IMAGE_MAGIC

 #define PAGES_OLD_MAGIC		PAGEMAP_MAGIC
 #define SHM_PAGES_OLD_MAGIC	PAGEMAP_MAGIC

--- a/net.c
+++ b/net.c
@@ -390,6 +390,22 @@ static int run_ip_tool(char *arg1, char *arg2, int fdin, int fdout)
 	return 0;
 }

+static int run_iptables_tool(char *def_cmd, int fdin, int fdout)
+{
+	int ret;
+	char *cmd;
+
+	cmd = getenv("CR_IPTABLES");
+	if (!cmd)
+		cmd = def_cmd;
+	pr_debug("\tRunning %s for %s\n", cmd, def_cmd);
+	ret = cr_system(fdin, fdout, -1, "sh", (char *[]) { "sh", "-c", cmd, NULL });
+	if (ret)
+		pr_err("%s failed\n", def_cmd);
+
+	return ret;
+}
+
 static inline int dump_ifaddr(struct cr_fdset *fds)
 {
 	return run_ip_tool("addr", "save", -1, fdset_fd(fds, CR_FD_IFADDR));
@@ -400,6 +416,11 @@ static inline int dump_route(struct cr_fdset *fds)
 	return run_ip_tool("route", "save", -1, fdset_fd(fds, CR_FD_ROUTE));
 }

+static inline int dump_iptables(struct cr_fdset *fds)
+{
+	return run_iptables_tool("iptables-save", -1, fdset_fd(fds, CR_FD_IPTABLES));
+}
+
 static int restore_ip_dump(int type, int pid, char *cmd)
 {
 	int fd, ret;
@@ -423,6 +444,19 @@ static inline int restore_route(int pid)
 	return restore_ip_dump(CR_FD_ROUTE, pid, "route");
 }

+static inline int restore_iptables(int pid)
+{
+	int ret, fd;
+
+	ret = fd = open_image(CR_FD_IPTABLES, O_RSTR, pid);
+	if (fd >= 0) {
+		ret = run_iptables_tool("iptables-restore", fd, -1);
+		close(fd);
+	}
+
+	return ret;
+}
+
 static int mount_ns_sysfs(void)
 {
 	char sys_mount[] = "crtools-sys.XXXXXX";
@@ -481,6 +515,8 @@ int dump_net_ns(int pid, int ns_id)
 		ret = dump_ifaddr(fds);
 	if (!ret)
 		ret = dump_route(fds);
+	if (!ret)
+		ret = dump_iptables(fds);

 	close(ns_sysfs_fd);
 	ns_sysfs_fd = -1;
@@ -498,6 +534,8 @@ int prepare_net_ns(int pid)
 		ret = restore_ifaddr(pid);
 	if (!ret)
 		ret = restore_route(pid);
+	if (!ret)
+		ret = restore_iptables(pid);

 	close(ns_fd);