We need the "fib" nft feature to be able to restore an nft ruleset dump. The original problem is that Docker creates an nft-compat addrtype match rule which is converted by "nft list ruleset" to a corresponding "fib" rule, and if we don't have "fib" in the kernel we fail to restore this ruleset with nft. This affects CRIU because criu dumps all nft rules via the nft util.
Note: this is only part of the solution, as the nft utility on the host (vz7) is a bit outdated, so it can't understand fib rules anyway, so CRIU needs to use a modern nft util/library to resolve this. I take all patches which touch nft fib modules from rh8: initial feature + fixes, though some patches which don't look fib specific are skipped from porting as they touch too many other files. Also I add fib modules to config and to autoload.

https://jira.sw.ru/browse/PSBM-125002

Signed-off-by: Pavel Tikhomirov <[email protected]>

Florian Westphal (2):
  netfilter: nf_tables: add fib expression
  netfilter: don't set F_IFACE on ipv6 fib lookups

Liping Zhang (4):
  netfilter: nft_fib: convert htonl to ntohl properly
  netfilter: nft_fib_ipv4: initialize *dest to zero
  netfilter: rpfilter: bypass ipv4 lbcast packets with zeronet source
  netfilter: rpfilter: fix incorrect loopback packet judgment

Pablo M. Bermudo Garay (1):
  netfilter: nf_tables: fib: use skb_header_pointer

Pavel Tikhomirov (2):
  configs: enable modules for nft fib rules
  ve/kmod: make fib modules autoloadable from CT

Phil Sutter (1):
  netfilter: nft_fib: Support existence check

 configs/kernel-3.10.0-x86_64-debug.config |   4 +
 configs/kernel-3.10.0-x86_64.config       |   4 +
 include/net/netfilter/nft_fib.h           |  37 +++
 include/uapi/linux/netfilter/nf_tables.h  |  37 +++
 kernel/kmod.c                             |   5 +
 net/ipv4/netfilter/Kconfig                |   8 +
 net/ipv4/netfilter/Makefile               |   1 +
 net/ipv4/netfilter/ipt_rpfilter.c         |   8 +-
 net/ipv4/netfilter/nft_fib_ipv4.c         | 248 +++++++++++++++++++
 net/ipv6/netfilter/Kconfig                |   8 +
 net/ipv6/netfilter/Makefile               |   1 +
 net/ipv6/netfilter/ip6t_rpfilter.c        |  12 +-
 net/ipv6/netfilter/nft_fib_ipv6.c         | 279 ++++++++++++++++++++++
 net/netfilter/Kconfig                     |  13 +
 net/netfilter/Makefile                    |   2 +
 net/netfilter/nft_fib.c                   | 163 +++++++++++++
 net/netfilter/nft_fib_inet.c              |  82 +++++++
 17 files changed, 900 insertions(+), 12 deletions(-)
 create mode 100644 include/net/netfilter/nft_fib.h
 create mode 100644 net/ipv4/netfilter/nft_fib_ipv4.c
 create mode 100644 net/ipv6/netfilter/nft_fib_ipv6.c
 create mode 100644 net/netfilter/nft_fib.c
 create mode 100644 net/netfilter/nft_fib_inet.c

-- 
2.26.2
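As an added example (not part of this series, CRIU or nft), a pre-restore check for the failure the cover letter describes: scan an `nft list ruleset` dump for `fib` expressions and name the kernel modules the restore target must be able to provide. The family-to-module mapping (ip to nft_fib_ipv4, ip6 to nft_fib_ipv6, inet to nft_fib_inet plus both address-family modules) and the use of `modinfo` for the lookup are assumptions; the sample dump is constructed.

```shell
# Added example, not code from the patch series. Module names are those of the
# files the series adds; the family-to-module mapping below is an assumption.

# Read a ruleset dump on stdin; print the modules it needs, one per line, sorted.
fib_modules_needed() {
    awk '
        # "table <family> <name> {" opens a table; remember its family
        $1 == "table" { family = $2; next }
        $1 == "chain" { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i != "fib") continue
                need["nft_fib"] = 1           # generic expression (net/netfilter/nft_fib.c)
                if (family == "ip")   need["nft_fib_ipv4"] = 1
                if (family == "ip6")  need["nft_fib_ipv6"] = 1
                if (family == "inet") { need["nft_fib_inet"] = 1; need["nft_fib_ipv4"] = 1; need["nft_fib_ipv6"] = 1 }
                break
            }
        }
        END { for (m in need) print m }
    ' | sort
}

# Read module names on stdin; print the ones the running kernel cannot provide.
# Assumes modinfo from kmod is installed; nothing is loaded, only looked up.
fib_modules_missing() {
    while read -r m; do
        modinfo -n "$m" >/dev/null 2>&1 || echo "$m"
    done
}

# Constructed sample: the Docker addrtype rule as "nft list ruleset" renders it
# (an ip-family fib rule) plus an ip6 reverse-path check, which is also a fib rule.
SAMPLE_DUMP='table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority -100; policy accept;
        fib daddr type local counter packets 0 bytes 0 jump DOCKER
    }
}
table ip6 filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
        fib saddr . iif oif missing drop
    }
}'

printf '%s\n' "$SAMPLE_DUMP" | fib_modules_needed
```

On the restore target, pipe the output into `fib_modules_missing` to see which of the listed modules that kernel lacks.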
