otherwise the kernel can return an error; one of these checks is in xt_owner.c:owner_check(): ... if ((info->match & (XT_OWNER_UID|XT_OWNER_GID)) && (current_user_ns() != net->user_ns)) return -EINVAL; ...
https://jira.sw.ru/browse/PSBM-75531
---
 criu/net.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/criu/net.c b/criu/net.c
index b90a730..e3f083b 100644
--- a/criu/net.c
+++ b/criu/net.c
@@ -1807,7 +1807,12 @@ static int do_iptables_restore(bool ipv6, char *buf, int size)
 }
 close_safe(&pfd[1]);
- ret = cr_system(pfd[0], -1, -1, cmd[0], cmd, 0);
+ /*
+ * iptables-restore has to be executed in a network userns,
+ * otherwise the kernel can return an error. One of these checks
+ * is in xt_owner.c:owner_check().
+ */
+ ret = cr_system_userns(pfd[0], -1, -1, cmd[0], cmd, 0, root_item->pid->real);
 err:
 close_safe(&pfd[1]);
 close_safe(&pfd[0]);
-- 
1.8.3.1
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
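Review bot: The new cr_system_userns() call selects the user namespace of the root task (root_item->pid->real), but the kernel check quoted in the commit message compares current_user_ns() against the user namespace that owns the netns being restored (net->user_ns); the two coincide only when that netns is owned by the root task's userns, which is presumably the common container case but not a nested-namespace one. The added comment should state that precondition so a later reader knows why the root pid is the right choice, e.g. `* The kernel rejects xt_owner rules unless current_user_ns() is the owner of the netns (net->user_ns), so run in the userns of the root task, which is assumed to own the netns being restored.` root_item is also dereferenced unconditionally on the new line; if this path can run before the process tree is prepared, a NULL check would turn a crash into an error return — I cannot tell from the hunk alone. do_iptables_restore() begins and ends outside the hunk, so the setup of cmd and pfd and the final return are not visible.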