net: redirect nftables stdout and stderr to CRIU's log file

When using the nftables network locking backend and restoring a process a second time the network locking has already been deleted by the first restore. The second restore will print out to the console text like: Error: Could not process rule: No such file or directory delete table inet CRIU-202621 With this change CRIU's log FD is used by libnftables stdout and stderr. Signed-off-by: Adrian Reber <[email protected]>
adrianreber · Jan 15, 2025 · c079a61 · c079a61
1 parent d4d3937
commit c079a61
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/criu/net.c b/criu/net.c
@@ -3066,6 +3066,32 @@ static int iptables_restore(bool ipv6, char *buf, int size)
 	return ret;
 }
 
+#if defined(CONFIG_HAS_NFTABLES_LIB_API_0) || defined(CONFIG_HAS_NFTABLES_LIB_API_1)
+static inline int redirect_nftables_output(struct nft_ctx *nft)
+{
+	FILE *fp;
+
+	fp = fdopen(log_get_fd(), "w");
+	if (!fp) {
+		pr_perror("fdopen() to redirect nftables output failed");
+		return -1;
+	}
+
+	/**
+	 * Without setvbuf() the output from libnftables will be
+	 * somewhere in the log file, probably at the end.
+	 * With setvbuf() potential output will be at the correct
+	 * position.
+	 */
+	setvbuf(fp, NULL, _IONBF, 0);
+
+	nft_ctx_set_output(nft, fp);
+	nft_ctx_set_error(nft, fp);
+
+	return 0;
+}
+#endif
+
 static inline int nftables_lock_network_internal(void)
 {
 #if defined(CONFIG_HAS_NFTABLES_LIB_API_0) || defined(CONFIG_HAS_NFTABLES_LIB_API_1)
@@ -3081,6 +3107,9 @@ static inline int nftables_lock_network_internal(void)
 	if (!nft)
 		return -1;
 
+	if (redirect_nftables_output(nft))
+		goto out;
+
 	snprintf(buf, sizeof(buf), "create table %s", table);
 	if (NFT_RUN_CMD(nft, buf))
 		goto err2;
@@ -3179,6 +3208,9 @@ static inline int nftables_network_unlock(void)
 	if (!nft)
 		return -1;
 
+	if (redirect_nftables_output(nft))
+		return -1;
+
 	snprintf(buf, sizeof(buf), "delete table %s", table);
 	if (NFT_RUN_CMD(nft, buf))
 		ret = -1;