[CRIU,v3,1/2] dump/restore: Support ipsets

Submitted by Valeriy Vdovin on Feb. 17, 2020, 3:57 p.m.

Details

Message ID 1581955076-116148-2-git-send-email-valeriy.vdovin@virtuozzo.com
State New
Series "dump/restore: Support ipsets"
Headers show

Commit Message

Valeriy Vdovin Feb. 17, 2020, 3:57 p.m.
https://jira.sw.ru/browse/PSBM-100083

Added ipset dump/restore functionality. At dump operation it calls
'ipset save' and stores result into raw text image. At restore
it restores ipset by calling 'ipset restore'. This is done prior
to restoring iptables.

Signed-off-by: Valeriy Vdovin <valeriy.vdovin@virtuozzo.com>
---
 criu/image-desc.c         |  1 +
 criu/include/image-desc.h |  1 +
 criu/include/magic.h      |  1 +
 criu/net.c                | 48 +++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 51 insertions(+)

Patch hide | download patch | download mbox

diff --git a/criu/image-desc.c b/criu/image-desc.c
index 04e827d..475d176 100644
--- a/criu/image-desc.c
+++ b/criu/image-desc.c
@@ -74,6 +74,7 @@  struct cr_fd_desc_tmpl imgset_template[CR_FD_MAX] = {
 	FD_ENTRY_F(ROUTE,	"route-%u", O_NOBUF),
 	FD_ENTRY_F(ROUTE6,	"route6-%u", O_NOBUF),
 	FD_ENTRY_F(RULE,	"rule-%u", O_NOBUF),
+	FD_ENTRY_F(IPSET,	"ipset-%u", O_NOBUF),
 	FD_ENTRY_F(IPTABLES,	"iptables-%u", O_NOBUF),
 	FD_ENTRY_F(IP6TABLES,	"ip6tables-%u", O_NOBUF),
 	FD_ENTRY_F(NFTABLES,	"nftables-%u", O_NOBUF),
diff --git a/criu/include/image-desc.h b/criu/include/image-desc.h
index 1015191..d875722 100644
--- a/criu/include/image-desc.h
+++ b/criu/include/image-desc.h
@@ -40,6 +40,7 @@  enum {
 	CR_FD_ROUTE,
 	CR_FD_ROUTE6,
 	CR_FD_RULE,
+	CR_FD_IPSET,
 	CR_FD_IPTABLES,
 	CR_FD_IP6TABLES,
 	CR_FD_NFTABLES,
diff --git a/criu/include/magic.h b/criu/include/magic.h
index 1a583f4..32421ed 100644
--- a/criu/include/magic.h
+++ b/criu/include/magic.h
@@ -101,6 +101,7 @@ 
 #define RULE_MAGIC		RAW_IMAGE_MAGIC
 #define TMPFS_IMG_MAGIC		RAW_IMAGE_MAGIC
 #define TMPFS_DEV_MAGIC		RAW_IMAGE_MAGIC
+#define IPSET_MAGIC		RAW_IMAGE_MAGIC
 #define IPTABLES_MAGIC		RAW_IMAGE_MAGIC
 #define IP6TABLES_MAGIC		RAW_IMAGE_MAGIC
 #define NFTABLES_MAGIC		RAW_IMAGE_MAGIC
diff --git a/criu/net.c b/criu/net.c
index 8ee560c..36719e1 100644
--- a/criu/net.c
+++ b/criu/net.c
@@ -1775,6 +1775,24 @@  static int restore_links()
 	return 0;
 }
 
+static int run_ipset_tool(char *sub_cmd, int fdin, int fdout)
+{
+	char *cmd;
+	int ret;
+
+	cmd = getenv("CR_IPSET_TOOL");
+	if (!cmd)
+		cmd = "ipset";
+
+	ret = cr_system(fdin, fdout, -1, cmd,
+				(char *[]) { cmd, sub_cmd, NULL }, 0);
+	if (ret) {
+		pr_err("ipset tool failed on %s\n", sub_cmd);
+		return -1;
+	}
+
+	return 0;
+}
 
 static int run_ip_tool(char *arg1, char *arg2, char *arg3, char *arg4, int fdin, int fdout, unsigned flags)
 {
@@ -1891,6 +1909,15 @@  static inline int dump_rule(struct cr_imgset *fds)
 	return 0;
 }
 
+static inline int dump_ipset(struct cr_imgset *fds)
+{
+	int ret;
+	struct cr_img *img;
+	img = img_from_set(fds, CR_FD_IPSET);
+	ret = run_ipset_tool("save", -1, img_raw_fd(img));
+	return ret;
+}
+
 static inline int dump_iptables(struct cr_imgset *fds)
 {
 	struct cr_img *img;
@@ -2129,6 +2156,23 @@  static int prepare_xtable_lock()
 	return 0;
 }
 
+static inline int restore_ipset(int pid)
+{
+	int ret;
+	struct cr_img *img;
+	img = open_image(CR_FD_IPSET, O_RSTR, pid);
+	if (img == NULL)
+		return -1;
+	if (empty_image(img)) {
+		ret = 0;
+		goto out;
+	}
+	ret = run_ipset_tool("restore", img_raw_fd(img), -1);
+out:
+	close_image(img);
+	return ret;
+}
+
 static inline int restore_iptables(int pid)
 {
 	int ret = -1;
@@ -2446,6 +2490,8 @@  int dump_net_ns(struct ns_id *ns)
 		if (!ret)
 			ret = dump_rule(fds);
 		if (!ret)
+			ret = dump_ipset(fds);
+		if (!ret)
 			ret = dump_iptables(fds);
 		if (!ret)
 			ret = dump_nftables(fds);
@@ -2541,6 +2587,8 @@  static int prepare_net_ns_second_stage(struct ns_id *ns)
 		if (!ret)
 			ret = restore_rule(nsid);
 		if (!ret)
+			ret = restore_ipset(nsid);
+		if (!ret)
 			ret = restore_iptables(nsid);
 		if (!ret)
 			ret = restore_nftables(nsid);