From 70cdf43a90ebc4a5cae53aaf1a23f16ca0ea23aa Mon Sep 17 00:00:00 2001
From: Andrei Vagin
Date: Thu, 1 Dec 2016 11:32:22 +0300
Subject: [PATCH] net: add criu iptables rules at the head of the chain

CRIU uses iptables rules to block tcp connections and if rules are added at the tail of the chain, other rules can accept packets which have to be blocked.
travis-ci: success for series starting with [01/21] build: install libnet-dev
Signed-off-by: Andrei Vagin
Signed-off-by: Pavel Emelyanov
---
 criu/netfilter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/criu/netfilter.c b/criu/netfilter.c
index 2ba331efa..1896365d2 100644
--- a/criu/netfilter.c
+++ b/criu/netfilter.c
@@ -74,7 +74,7 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,
 snprintf(buf, sizeof(buf), NF_CONN_CMD, cmd, kdat.has_xtlocks ? "-w" : "",
- lock ? "-A" : "-D",
+ lock ? "-I" : "-D",
 input ? "INPUT" : "OUTPUT", dip, (int)dst_port, sip, (int)src_port);
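Review bot: The switch to `-I` on the `lock ?` argument carries an ordering requirement that nothing in the code records: the blocking rule has to be evaluated before any rule in the chain that would accept the connection's packets. A comment above that argument would keep a later cleanup from reverting it to `-A`, for example `/* -I, not -A: the blocking rule must precede any existing ACCEPT rule */`. `-I` only puts the rule first at the moment it is inserted, so a rule that another tool inserts at the head of INPUT/OUTPUT afterwards would still be evaluated first; whether that can happen while the lock is held is not visible from this hunk. Separately, the return value of `snprintf` into `buf` is not checked in the visible lines, so it is worth confirming outside the hunk that a truncated command can never be run. The body of nf_connection_switch_raw starts and ends outside the hunk.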