otherwise the kernel can return an error. One of these checks
is in xt_owner.c:owner_check():
...
        if ((info->match & (XT_OWNER_UID|XT_OWNER_GID)) &&
            (current_user_ns() != net->user_ns))
                return -EINVAL;
...

https://jira.sw.ru/browse/PSBM-75531
---
 criu/net.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/criu/net.c b/criu/net.c
index b90a730..e3f083b 100644
--- a/criu/net.c
+++ b/criu/net.c
@@ -1807,7 +1807,12 @@ static int do_iptables_restore(bool ipv6, char *buf, int 
size)
        }
        close_safe(&pfd[1]);
 
-       ret = cr_system(pfd[0], -1, -1, cmd[0], cmd, 0);
+       /*
+        * iptables-restore has to be executed in a network userns,
+        * otherwise the kernel can return an error. One of these checks
+        * is in xt_owner.c:owner_check().
+        */
+       ret = cr_system_userns(pfd[0], -1, -1, cmd[0], cmd, 0, 
root_item->pid->real);
 err:
        close_safe(&pfd[1]);
        close_safe(&pfd[0]);
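Review bot: The comment added above the cr_system_userns() call says "a network userns", which mixes two namespace kinds; the check quoted in the description compares current_user_ns() with net->user_ns, so what is required is running in the user namespace that owns the target network namespace. I would reword it to `* iptables-restore has to run in the user namespace that owns the` / `* network namespace (xt_owner.c:owner_check() compares current_user_ns()` / `* with net->user_ns), otherwise the kernel rejects the ruleset with -EINVAL.` and state in the same comment why root_item->pid->real is the task whose user namespace is entered — presumably because the root task owns the restored netns, which the hunk does not show. do_iptables_restore() starts and ends outside the hunk, so whether ret from cr_system_userns() is checked before falling into the err: path is not visible here. The new call also appears split across `0, ` and `root_item->pid->real);`, which looks like a mailer wrap rather than part of the patch; worth confirming the applied line is intact.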
-- 
1.8.3.1
