net: add criu iptables rules at the head of the chain

CRIU uses iptables rules to block tcp connections and if rules are added at the tail of the chain, other rules can accept packets which have to be blocked. travis-ci: success for series starting with [01/21] build: install libnet-dev Signed-off-by: Andrei Vagin <avagin@virtuozzo.com> Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>

net: add criu iptables rules at the head of the chain
CRIU uses iptables rules to block tcp connections and if rules are added at the tail of the chain, other rules can accept packets which have to be blocked. travis-ci: success for series starting with [01/21] build: install libnet-dev Signed-off-by: Andrei Vagin <avagin@virtuozzo.com> Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
70cdf43a · Andrei Vagin · Pavel Emelyanov · 3ead6f0c · 70cdf43a
Commit 70cdf43a authored Dec 01, 2016 by Andrei Vagin Committed by Pavel Emelyanov Dec 05, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

netfilter.c criu/netfilter.c +1 -1

No files found.
--- a/criu/netfilter.c
+++ b/criu/netfilter.c
@@ -74,7 +74,7 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,

 	snprintf(buf, sizeof(buf), NF_CONN_CMD, cmd,
 			kdat.has_xtlocks ? "-w" : "",
-			lock ? "-A" : "-D",
+			lock ? "-I" : "-D",
 			input ? "INPUT" : "OUTPUT",
 			dip, (int)dst_port, sip, (int)src_port);