From ca3e3c50bec92390a6d57f827f9685b48ec6200c Mon Sep 17 00:00:00 2001
From: Zeyad Yasser <zeyady98@gmail.com>
Date: Sun, 1 Aug 2021 13:03:28 +0200
Subject: [PATCH] inventory: save network lock method to reuse in restore

When the network is locked using a specific method like iptables
or nftables there is no need to require passing the same method
during restore.

We save the lock method during dump in the inventory image and
use that in restore.

This always overwrites the restore --network-lock option.

v2: store opts.network_lock_method directly to avoid dependency
    on rpc.proto's 'enum criu_network_lock_method'.
v3: fall back to iptables if image is generated with an older
    version of CRIU.
v4: remove --network-lock from netns_lock_* from restore

Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
---
 criu/image.c                                  | 19 +++++++++++++++++++
 images/inventory.proto                        |  1 +
 .../zdtm/static/net_lock_socket_iptables.desc |  3 ++-
 .../static/net_lock_socket_iptables6.desc     |  3 ++-
 .../zdtm/static/net_lock_socket_nftables.desc |  3 ++-
 .../static/net_lock_socket_nftables6.desc     |  3 ++-
 test/zdtm/static/netns_lock_iptables.desc     |  3 ++-
 test/zdtm/static/netns_lock_nftables.desc     |  3 ++-
 8 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/criu/image.c b/criu/image.c
index 3a85eb532c..353de48e8f 100644
--- a/criu/image.c
+++ b/criu/image.c
@@ -86,6 +86,21 @@ int check_img_inventory(bool restore)
 		goto out_err;
 	}
 
+	if (restore) {
+		if (!he->has_network_lock_method) {
+			/*
+			 * Image files were generated with an older version of CRIU
+			 * so we should fall back to iptables because this is the
+			 * network-lock mechanism used in older versions.
+			 */
+			pr_info("Network lock method not found in inventory image\n");
+			pr_info("Falling back to iptables network lock method\n");
+			opts.network_lock_method = NETWORK_LOCK_IPTABLES;
+		} else {
+			opts.network_lock_method = he->network_lock_method;
+		}
+	}
+
 	ret = 0;
 
 out_err:
@@ -223,6 +238,10 @@ int prepare_inventory(InventoryEntry *he)
 		he->has_tcp_close = true;
 	}
 
+	/* Save network lock method to reuse in restore */
+	he->has_network_lock_method = true;
+	he->network_lock_method = opts.network_lock_method;
+
 	return 0;
 }
 
diff --git a/images/inventory.proto b/images/inventory.proto
index 56e85a80a9..a735bad1d0 100644
--- a/images/inventory.proto
+++ b/images/inventory.proto
@@ -20,4 +20,5 @@ message inventory_entry {
 	optional uint64			dump_uptime	= 8;
 	optional uint32			pre_dump_mode	= 9;
 	optional bool			tcp_close	= 10;
+	optional uint32			network_lock_method	= 11;
 }
diff --git a/test/zdtm/static/net_lock_socket_iptables.desc b/test/zdtm/static/net_lock_socket_iptables.desc
index 7231886da7..1e233132d1 100644
--- a/test/zdtm/static/net_lock_socket_iptables.desc
+++ b/test/zdtm/static/net_lock_socket_iptables.desc
@@ -1,5 +1,6 @@
 {
     'flavor': 'h',
     'flags': 'suid excl',
-    'opts': '--tcp-established --network-lock iptables',
+    'dopts': '--tcp-established --network-lock iptables',
+    'ropts': '--tcp-established',
 }
diff --git a/test/zdtm/static/net_lock_socket_iptables6.desc b/test/zdtm/static/net_lock_socket_iptables6.desc
index 7231886da7..1e233132d1 100644
--- a/test/zdtm/static/net_lock_socket_iptables6.desc
+++ b/test/zdtm/static/net_lock_socket_iptables6.desc
@@ -1,5 +1,6 @@
 {
     'flavor': 'h',
     'flags': 'suid excl',
-    'opts': '--tcp-established --network-lock iptables',
+    'dopts': '--tcp-established --network-lock iptables',
+    'ropts': '--tcp-established',
 }
diff --git a/test/zdtm/static/net_lock_socket_nftables.desc b/test/zdtm/static/net_lock_socket_nftables.desc
index fd8a431ed5..d3b82067f6 100644
--- a/test/zdtm/static/net_lock_socket_nftables.desc
+++ b/test/zdtm/static/net_lock_socket_nftables.desc
@@ -2,5 +2,6 @@
     'flavor': 'h',
     'flags': 'suid excl',
     'feature': 'network_lock_nftables',
-    'opts': '--tcp-established --network-lock nftables',
+    'dopts': '--tcp-established --network-lock nftables',
+    'ropts': '--tcp-established',
 }
diff --git a/test/zdtm/static/net_lock_socket_nftables6.desc b/test/zdtm/static/net_lock_socket_nftables6.desc
index fd8a431ed5..d3b82067f6 100644
--- a/test/zdtm/static/net_lock_socket_nftables6.desc
+++ b/test/zdtm/static/net_lock_socket_nftables6.desc
@@ -2,5 +2,6 @@
     'flavor': 'h',
     'flags': 'suid excl',
     'feature': 'network_lock_nftables',
-    'opts': '--tcp-established --network-lock nftables',
+    'dopts': '--tcp-established --network-lock nftables',
+    'ropts': '--tcp-established',
 }
diff --git a/test/zdtm/static/netns_lock_iptables.desc b/test/zdtm/static/netns_lock_iptables.desc
index 08664b53d8..52d4177e0e 100644
--- a/test/zdtm/static/netns_lock_iptables.desc
+++ b/test/zdtm/static/netns_lock_iptables.desc
@@ -1,6 +1,7 @@
 {
     'flavor': 'h',
     'flags': 'suid excl',
-    'opts': '--tcp-established --network-lock iptables',
+    'opts': '--tcp-established',
+    'dopts': '--network-lock iptables',
     'ropts': '--join-ns net:/var/run/netns/criu-net-lock-test'
 }
diff --git a/test/zdtm/static/netns_lock_nftables.desc b/test/zdtm/static/netns_lock_nftables.desc
index 5e67f45ddc..7ed5b3358e 100644
--- a/test/zdtm/static/netns_lock_nftables.desc
+++ b/test/zdtm/static/netns_lock_nftables.desc
@@ -2,6 +2,7 @@
     'flavor': 'h',
     'flags': 'suid excl',
     'feature': 'network_lock_nftables',
-    'opts': '--tcp-established --network-lock nftables',
+    'opts': '--tcp-established',
+    'dopts': '--network-lock nftables',
     'ropts': '--join-ns net:/var/run/netns/criu-net-lock-test'
 }