From mboxrd@z Thu Jan 1 00:00:00 1970
From: Kirill Tkhai
Subject: Re: [PATCH RFC iptables] iptables: Per-net ns lock
Date: Fri, 20 Apr 2018 13:41:12 +0300
Message-ID: <5708be4f-d8a1-fb94-67a7-3b447036be80@virtuozzo.com>
References: <152329277200.18428.18388703172485475447.stgit@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
To: netdev@vger.kernel.org, pablo@netfilter.org, rstoyanov1@gmail.com, fw@strlen.de, ptikhomirov@virtuozzo.com, avagin@virtuozzo.com
Return-path:
Received: from mail-eopbgr20096.outbound.protection.outlook.com ([40.107.2.96]:45888 "EHLO EUR02-VE1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751964AbeDTKlS (ORCPT ); Fri, 20 Apr 2018 06:41:18 -0400
In-Reply-To: <152329277200.18428.18388703172485475447.stgit@localhost.localdomain>
Content-Language: en-US
Sender: netdev-owner@vger.kernel.org
List-ID:

Pablo, Florian, could you please provide comments on this?

On 09.04.2018 19:55, Kirill Tkhai wrote:
> In CRIU and LXC-restore we met the situation
> where iptables in a container can't be restored
> because of permission denied:
>
> https://github.com/checkpoint-restore/criu/issues/469
>
> Containers want to restore their own net ns,
> while they may not have their own mnt ns.
> In this case they share the host's /run/xtables.lock
> file, but they may not have permission to open
> it.
>
> The patch makes /run/xtables.lock per-namespace,
> i.e., it refers to the caller task's net ns.
>
> What do you think?
>
> Thanks,
> Kirill
>
> Signed-off-by: Kirill Tkhai
> ---
> iptables/xshared.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/iptables/xshared.c b/iptables/xshared.c
> index 06db72d4..b6dbe4e7 100644
> --- a/iptables/xshared.c
> +++ b/iptables/xshared.c
> @@ -254,7 +254,12 @@ static int xtables_lock(int wait, struct timeval *wait_interval) > time_left.tv_sec = wait; > time_left.tv_usec = 0; > > - fd = open(XT_LOCK_NAME, O_CREAT, 0600); > + if (symlink("/proc/self/ns/net", XT_LOCK_NAME) != 0 && > + errno != EEXIST) { > + fprintf(stderr, "Fatal: can't create lock file\n"); > + return XT_LOCK_FAILED; > + } > + fd = open(XT_LOCK_NAME, O_RDONLY); > if (fd < 0) { > fprintf(stderr, "Fatal: can't open lock file %s: %s\n", > XT_LOCK_NAME, strerror(errno)); >
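Review bot: the EEXIST fall-through after symlink() never checks that the object already at XT_LOCK_NAME is the symlink this patch wants, so on a host where /run/xtables.lock is still the regular file left behind by the old `open(XT_LOCK_NAME, O_CREAT, 0600)`, or where a stale symlink points somewhere else, the following `open(XT_LOCK_NAME, O_RDONLY)` silently opens that object and locking quietly falls back to the shared host-wide file, reproducing the permission failure the commit message sets out to fix, with no diagnostic. On EEXIST, consider verifying the target with lstat()/readlink() and, if it is not the expected "/proc/self/ns/net" link, unlinking and recreating it (or at least printing a warning). Two smaller points: the new message "Fatal: can't create lock file\n" should include XT_LOCK_NAME and strerror(errno), as the open() failure message just below it already does; and the switch from a root-created 0600 lock file to an O_RDONLY open of the caller's own net ns inode deserves a sentence in the commit message, because any process that can open its /proc/self/ns/net can now acquire and hold the lock that iptables in that namespace waits on, which the 0600 file did not allow.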