dump: preload netfilter modules too

As with the socket diag modules, since we might be using the
ip*filter_tables modules, we should preload those as well, in case the host
system hasn't already loaded them. Really, I should implement netlink
buffer dumping so we can get rid of this hack :)

v2: remember to close /dev/null fd after using it
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>

criu/crtools.c

@@ -28,6 +28,7 @@
 #include "files.h"
 #include "sk-inet.h"
 #include "net.h"
+#include "netfilter.h"
 #include "version.h"
 #include "page-xfer.h"
 #include "tty.h"
@@ -643,6 +644,7 @@ int main(int argc, char *argv[], char *envp[])
 
 	if (!strcmp(argv[optind], "dump")) {
 		preload_socket_modules();
+		preload_netfilter_modules();
 
 		if (!tree_id)
 			goto opt_pid_missing;

criu/include/netfilter.h

@@ -8,4 +8,6 @@ extern int nf_unlock_connection(struct inet_sk_desc *);
 struct inet_sk_info;
 extern int nf_unlock_connection_info(struct inet_sk_info *);
 
+extern void preload_netfilter_modules(void);
+
 #endif /* __CR_NETFILTER_H__ */

criu/netfilter.c

@@ -26,6 +26,25 @@ static const char *nf_conn_cmd = "%s -t filter %s %s --protocol tcp "
 static char iptable_cmd_ipv4[] = "iptables";
 static char iptable_cmd_ipv6[] = "ip6tables";
 
+void preload_netfilter_modules(void)
+{
+	int fd = -1;
+
+	/* same as socket modules, ip_tables and ip6_tables will be loaded by
+	 * CRIU, so we should try and preload these as well.
+	 */
+	fd = open("/dev/null", O_RDWR);
+	if (fd < 0) {
+		fd = -1;
+		pr_perror("failed to open /dev/null, using log fd for net module preload");
+	}
+	cr_system(fd, fd, fd, iptable_cmd_ipv4,
+		(char *[]) { iptable_cmd_ipv4, "-L", NULL}, 0);
+	cr_system(fd, fd, fd, iptable_cmd_ipv6,
+		(char *[]) { iptable_cmd_ipv6, "-L", NULL}, 0);
+	close_safe(&fd);
+}
+
 static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,
 						u32 *dst_addr, u16 dst_port,
 						bool input, bool lock)