empty-ns: Don't C/R iptables too (v2)

When C/R-ing a net namespace with --empty-ns net option we should also skip netfilter rules too (as per https://github.com/docker/docker/issues/27597). However, there's one thing to be handled -- local TCP blocking rules are expected to be there on restore by restore_iptables() which is no longer the case, so put them back manually. Test included, checked on zdtm/static/socket-tcpbuf-local :) v2: Full scripts for empty netns setup. https://github.com/xemul/criu/issues/246 Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
2025-08-31 22:35:33 +00:00 · 2016-11-15 17:08:00 +03:00
parent 7251cb3aa9
commit cde33dcb06
5 changed files with 38 additions and 6 deletions
--- a/test/empty-netns-prep.sh
+++ b/test/empty-netns-prep.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if [ "$CRTOOLS_SCRIPT_ACTION" == "setup-namespaces" ]; then
+	echo "Will up lo at $CRTOOLS_INIT_PID netns"
+	nsenter -t "$CRTOOLS_INIT_PID" --net ip link set up dev lo || exit 1
+fi
+
+exit 0