[PATCH 0/6] ip: add save/restore to xfrm tables

[PATCH 0/6] ip: add save/restore to xfrm tables

[Pavel Tikhomirov]

Pavel Tikhomirov (6):
  ip: merge together all save_xxx_preps and xxx_dump_check_magics
  ip: merge together all save_xxx to save_nlmsg
  ip xfrm state: add save/restore
  ip xfrm policy: add save/restore
  ip xfrm state: fixup hard/soft timeouts/limits while save
  ip xfrm policy: fixup hard/soft timeouts/limits while save

 ip/ip_common.h     |  10 ++++
 ip/ipaddress.c     |  57 ++--------------------
 ip/iproute.c       |  41 +++++++++-------
 ip/iprule.c        |  58 ++--------------------
 ip/xfrm_policy.c   | 104 ++++++++++++++++++++++++++++++++++++++--
 ip/xfrm_state.c    | 138 +++++++++++++++++++++++++++++++++++++++++++++++++++--
 man/man8/ip-xfrm.8 |  24 ++++++++++
 7 files changed, 296 insertions(+), 136 deletions(-)

-- 
2.5.5

[PATCH 1/6] ip: merge together all save_xxx_preps and xxx_dump_check_magics

[Pavel Tikhomirov]

want to reuse them in xfrm state/policy save

Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
---
 ip/ip_common.h |  3 +++
 ip/ipaddress.c | 43 +++----------------------------------------
 ip/iproute.c   | 18 +++++++++---------
 ip/iprule.c    | 42 ++----------------------------------------
 4 files changed, 17 insertions(+), 89 deletions(-)

diff --git a/ip/ip_common.h b/ip/ip_common.h
index 93ff5bc..8e7a2c9 100644
--- a/ip/ip_common.h
+++ b/ip/ip_common.h
@@ -67,6 +67,9 @@ static inline int rtm_get_table(struct rtmsg *r, struct rtattr **tb)
 	return table;
 }
 
+extern int dump_write_magic(__u32 dump_magic);
+extern int dump_check_magic(__u32 dump_magic);
+
 extern struct rtnl_handle rth;
 
 #include <stdbool.h>
diff --git a/ip/ipaddress.c b/ip/ipaddress.c
index 76bd7b3..995813e 100644
--- a/ip/ipaddress.c
+++ b/ip/ipaddress.c
@@ -1261,43 +1261,6 @@ static int store_nlmsg(const struct sockaddr_nl *who, struct nlmsghdr *n,
 
 static __u32 ipadd_dump_magic = 0x47361222;
 
-static int ipadd_save_prep(void)
-{
-	int ret;
-
-	if (isatty(STDOUT_FILENO)) {
-		fprintf(stderr, "Not sending a binary stream to stdout\n");
-		return -1;
-	}
-
-	ret = write(STDOUT_FILENO, &ipadd_dump_magic, sizeof(ipadd_dump_magic));
-	if (ret != sizeof(ipadd_dump_magic)) {
-		fprintf(stderr, "Can't write magic to dump file\n");
-		return -1;
-	}
-
-	return 0;
-}
-
-static int ipadd_dump_check_magic(void)
-{
-	int ret;
-	__u32 magic = 0;
-
-	if (isatty(STDIN_FILENO)) {
-		fprintf(stderr, "Can't restore address dump from a terminal\n");
-		return -1;
-	}
-
-	ret = fread(&magic, sizeof(magic), 1, stdin);
-	if (magic != ipadd_dump_magic) {
-		fprintf(stderr, "Magic mismatch (%d elems, %x magic)\n", ret, magic);
-		return -1;
-	}
-
-	return 0;
-}
-
 static int save_nlmsg(const struct sockaddr_nl *who, struct nlmsghdr *n,
 		       void *arg)
 {
@@ -1325,7 +1288,7 @@ static int show_handler(const struct sockaddr_nl *nl,
 
 static int ipaddr_showdump(void)
 {
-	if (ipadd_dump_check_magic())
+	if (dump_check_magic(ipadd_dump_magic))
 		exit(-1);
 
 	exit(rtnl_from_file(stdin, &show_handler, NULL));
@@ -1350,7 +1313,7 @@ static int restore_handler(const struct sockaddr_nl *nl,
 
 static int ipaddr_restore(void)
 {
-	if (ipadd_dump_check_magic())
+	if (dump_check_magic(ipadd_dump_magic))
 		exit(-1);
 
 	exit(rtnl_from_file(stdin, &restore_handler, NULL));
@@ -1670,7 +1633,7 @@ static int ipaddr_list_flush_or_save(int argc, char **argv, int action)
 		return ipaddr_flush();
 
 	if (action == IPADD_SAVE) {
-		if (ipadd_save_prep())
+		if (dump_write_magic(ipadd_dump_magic))
 			exit(1);
 
 		if (rtnl_wilddump_request(&rth, preferred_family, RTM_GETADDR) < 0) {
diff --git a/ip/iproute.c b/ip/iproute.c
index 0bc0136..3c24250 100644
--- a/ip/iproute.c
+++ b/ip/iproute.c
@@ -1334,7 +1334,7 @@ static int save_route(const struct sockaddr_nl *who, struct nlmsghdr *n,
 	return ret == n->nlmsg_len ? 0 : ret;
 }
 
-static int save_route_prep(void)
+int dump_write_magic(__u32 dump_magic)
 {
 	int ret;
 
@@ -1343,8 +1343,8 @@ static int save_route_prep(void)
 		return -1;
 	}
 
-	ret = write(STDOUT_FILENO, &route_dump_magic, sizeof(route_dump_magic));
-	if (ret != sizeof(route_dump_magic)) {
+	ret = write(STDOUT_FILENO, &dump_magic, sizeof(dump_magic));
+	if (ret != sizeof(dump_magic)) {
 		fprintf(stderr, "Can't write magic to dump file\n");
 		return -1;
 	}
@@ -1361,7 +1361,7 @@ static int iproute_list_flush_or_save(int argc, char **argv, int action)
 	rtnl_filter_t filter_fn;
 
 	if (action == IPROUTE_SAVE) {
-		if (save_route_prep())
+		if (dump_write_magic(route_dump_magic))
 			return -1;
 
 		filter_fn = save_route;
@@ -1835,18 +1835,18 @@ static int restore_handler(const struct sockaddr_nl *nl,
 	return ret;
 }
 
-static int route_dump_check_magic(void)
+int dump_check_magic(__u32 dump_magic)
 {
 	int ret;
 	__u32 magic = 0;
 
 	if (isatty(STDIN_FILENO)) {
-		fprintf(stderr, "Can't restore route dump from a terminal\n");
+		fprintf(stderr, "Can't restore dump from a terminal\n");
 		return -1;
 	}
 
 	ret = fread(&magic, sizeof(magic), 1, stdin);
-	if (magic != route_dump_magic) {
+	if (magic != dump_magic) {
 		fprintf(stderr, "Magic mismatch (%d elems, %x magic)\n", ret, magic);
 		return -1;
 	}
@@ -1858,7 +1858,7 @@ static int iproute_restore(void)
 {
 	int pos, prio;
 
-	if (route_dump_check_magic())
+	if (dump_check_magic(route_dump_magic))
 		exit(-1);
 
 	pos = ftell(stdin);
@@ -1885,7 +1885,7 @@ static int show_handler(const struct sockaddr_nl *nl,
 
 static int iproute_showdump(void)
 {
-	if (route_dump_check_magic())
+	if (dump_check_magic(route_dump_magic))
 		exit(-1);
 
 	exit(rtnl_from_file(stdin, &show_handler, NULL));
diff --git a/ip/iprule.c b/ip/iprule.c
index 70562c5..7de5abc 100644
--- a/ip/iprule.c
+++ b/ip/iprule.c
@@ -211,24 +211,6 @@ int print_rule(const struct sockaddr_nl *who, struct nlmsghdr *n, void *arg)
 
 static __u32 rule_dump_magic = 0x71706986;
 
-static int save_rule_prep(void)
-{
-	int ret;
-
-	if (isatty(STDOUT_FILENO)) {
-		fprintf(stderr, "Not sending a binary stream to stdout\n");
-		return -1;
-	}
-
-	ret = write(STDOUT_FILENO, &rule_dump_magic, sizeof(rule_dump_magic));
-	if (ret != sizeof(rule_dump_magic)) {
-		fprintf(stderr, "Can't write magic to dump file\n");
-		return -1;
-	}
-
-	return 0;
-}
-
 static int save_rule(const struct sockaddr_nl *who,
 		     struct nlmsghdr *n, void *arg)
 {
@@ -258,7 +240,7 @@ static int iprule_list_or_save(int argc, char **argv, int save)
 	}
 
 	if (save) {
-		if (save_rule_prep())
+		if (dump_write_magic(rule_dump_magic))
 			return -1;
 		filter = save_rule;
 	}
@@ -276,26 +258,6 @@ static int iprule_list_or_save(int argc, char **argv, int save)
 	return 0;
 }
 
-static int rule_dump_check_magic(void)
-{
-	int ret;
-	__u32 magic = 0;
-
-	if (isatty(STDIN_FILENO)) {
-		fprintf(stderr, "Can't restore rule dump from a terminal\n");
-		return -1;
-	}
-
-	ret = fread(&magic, sizeof(magic), 1, stdin);
-	if (magic != rule_dump_magic) {
-		fprintf(stderr, "Magic mismatch (%d elems, %x magic)\n",
-			ret, magic);
-		return -1;
-	}
-
-	return 0;
-}
-
 static int restore_handler(const struct sockaddr_nl *nl,
 			   struct rtnl_ctrl_data *ctrl,
 			   struct nlmsghdr *n, void *arg)
@@ -316,7 +278,7 @@ static int restore_handler(const struct sockaddr_nl *nl,
 
 static int iprule_restore(void)
 {
-	if (rule_dump_check_magic())
+	if (dump_check_magic(rule_dump_magic))
 		exit(-1);
 
 	exit(rtnl_from_file(stdin, &restore_handler, NULL));
-- 
2.5.5

[PATCH 2/6] ip: merge together all save_xxx to save_nlmsg

[Pavel Tikhomirov]

want to reuse them in xfrm state/policy save

Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
---
 ip/ip_common.h |  2 ++
 ip/ipaddress.c | 14 --------------
 ip/iproute.c   | 23 +++++++++++++++--------
 ip/iprule.c    | 16 +---------------
 4 files changed, 18 insertions(+), 37 deletions(-)

diff --git a/ip/ip_common.h b/ip/ip_common.h
index 8e7a2c9..69e028d 100644
--- a/ip/ip_common.h
+++ b/ip/ip_common.h
@@ -69,6 +69,8 @@ static inline int rtm_get_table(struct rtmsg *r, struct rtattr **tb)
 
 extern int dump_write_magic(__u32 dump_magic);
 extern int dump_check_magic(__u32 dump_magic);
+extern int save_nlmsg(const struct sockaddr_nl *who,
+		struct nlmsghdr *n, void *arg);
 
 extern struct rtnl_handle rth;
 
diff --git a/ip/ipaddress.c b/ip/ipaddress.c
index 995813e..8b2051c 100644
--- a/ip/ipaddress.c
+++ b/ip/ipaddress.c
@@ -1261,20 +1261,6 @@ static int store_nlmsg(const struct sockaddr_nl *who, struct nlmsghdr *n,
 
 static __u32 ipadd_dump_magic = 0x47361222;
 
-static int save_nlmsg(const struct sockaddr_nl *who, struct nlmsghdr *n,
-		       void *arg)
-{
-	int ret;
-
-	ret = write(STDOUT_FILENO, n, n->nlmsg_len);
-	if ((ret > 0) && (ret != n->nlmsg_len)) {
-		fprintf(stderr, "Short write while saving nlmsg\n");
-		ret = -EIO;
-	}
-
-	return ret == n->nlmsg_len ? 0 : ret;
-}
-
 static int show_handler(const struct sockaddr_nl *nl,
 			struct rtnl_ctrl_data *ctrl,
 			struct nlmsghdr *n, void *arg)
diff --git a/ip/iproute.c b/ip/iproute.c
index 3c24250..4f29739 100644
--- a/ip/iproute.c
+++ b/ip/iproute.c
@@ -1309,10 +1309,23 @@ static int iproute_flush_cache(void)
 
 static __u32 route_dump_magic = 0x45311224;
 
+int save_nlmsg(const struct sockaddr_nl *who, struct nlmsghdr *n,
+		       void *arg)
+{
+	int ret;
+
+	ret = write(STDOUT_FILENO, n, n->nlmsg_len);
+	if ((ret > 0) && (ret != n->nlmsg_len)) {
+		fprintf(stderr, "Short write while saving nlmsg\n");
+		ret = -EIO;
+	}
+
+	return ret == n->nlmsg_len ? 0 : ret;
+}
+
 static int save_route(const struct sockaddr_nl *who, struct nlmsghdr *n,
 		      void *arg)
 {
-	int ret;
 	int len = n->nlmsg_len;
 	struct rtmsg *r = NLMSG_DATA(n);
 	struct rtattr *tb[RTA_MAX+1];
@@ -1325,13 +1338,7 @@ static int save_route(const struct sockaddr_nl *who, struct nlmsghdr *n,
 	if (!filter_nlmsg(n, tb, host_len))
 		return 0;
 
-	ret = write(STDOUT_FILENO, n, n->nlmsg_len);
-	if ((ret > 0) && (ret != n->nlmsg_len)) {
-		fprintf(stderr, "Short write while saving nlmsg\n");
-		ret = -EIO;
-	}
-
-	return ret == n->nlmsg_len ? 0 : ret;
+	return save_nlmsg(who, n, arg);
 }
 
 int dump_write_magic(__u32 dump_magic)
diff --git a/ip/iprule.c b/ip/iprule.c
index 7de5abc..3a92416 100644
--- a/ip/iprule.c
+++ b/ip/iprule.c
@@ -211,20 +211,6 @@ int print_rule(const struct sockaddr_nl *who, struct nlmsghdr *n, void *arg)
 
 static __u32 rule_dump_magic = 0x71706986;
 
-static int save_rule(const struct sockaddr_nl *who,
-		     struct nlmsghdr *n, void *arg)
-{
-	int ret;
-
-	ret = write(STDOUT_FILENO, n, n->nlmsg_len);
-	if ((ret > 0) && (ret != n->nlmsg_len)) {
-		fprintf(stderr, "Short write while saving nlmsg\n");
-		ret = -EIO;
-	}
-
-	return ret == n->nlmsg_len ? 0 : ret;
-}
-
 static int iprule_list_or_save(int argc, char **argv, int save)
 {
 	rtnl_filter_t filter = print_rule;
@@ -242,7 +228,7 @@ static int iprule_list_or_save(int argc, char **argv, int save)
 	if (save) {
 		if (dump_write_magic(rule_dump_magic))
 			return -1;
-		filter = save_rule;
+		filter = save_nlmsg;
 	}
 
 	if (rtnl_wilddump_request(&rth, af, RTM_GETRULE) < 0) {
-- 
2.5.5

[PATCH 3/6] ip xfrm state: add save/restore

[Pavel Tikhomirov]

This patch adds save and restore commands to "ip xfrm state"
similar to commit 2f4e171f7df2 and commit f4ff11e3e298 for
"ip rule" and "ip route" respectively.

The feature is useful in checkpoint/restore for container
migration.

Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
---
 ip/xfrm_state.c    | 54 +++++++++++++++++++++++++++++++++++++++++++++++++-----
 man/man8/ip-xfrm.8 |  8 ++++++++
 2 files changed, 57 insertions(+), 5 deletions(-)

diff --git a/ip/xfrm_state.c b/ip/xfrm_state.c
index 0357a43..56d9f22 100644
--- a/ip/xfrm_state.c
+++ b/ip/xfrm_state.c
@@ -31,6 +31,7 @@
 #include "utils.h"
 #include "xfrm.h"
 #include "ip_common.h"
+#include <errno.h>
 
 /* #define NLMSG_DELETEALL_BUF_SIZE (4096-512) */
 #define NLMSG_DELETEALL_BUF_SIZE 8192
@@ -65,6 +66,7 @@ static void usage(void)
 	fprintf(stderr, "Usage: ip xfrm state { delete | get } ID [ mark MARK [ mask MASK ] ]\n");
 	fprintf(stderr, "Usage: ip xfrm state { deleteall | list } [ ID ] [ mode MODE ] [ reqid REQID ]\n");
 	fprintf(stderr, "        [ flag FLAG-LIST ]\n");
+	fprintf(stderr, "Usage: ip xfrm state { save | restore }\n");
 	fprintf(stderr, "Usage: ip xfrm state flush [ proto XFRM-PROTO ]\n");
 	fprintf(stderr, "Usage: ip xfrm state count\n");
 	fprintf(stderr, "ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]\n");
@@ -1073,7 +1075,9 @@ static int xfrm_state_keep(const struct sockaddr_nl *who,
 	return 0;
 }
 
-static int xfrm_state_list_or_deleteall(int argc, char **argv, int deleteall)
+static __u32 state_dump_magic = 0x71706987;
+
+static int xfrm_state_list_deleteall_or_save(int argc, char **argv, int deleteall, int save)
 {
 	char *idp = NULL;
 	struct rtnl_handle rth;
@@ -1171,6 +1175,13 @@ static int xfrm_state_list_or_deleteall(int argc, char **argv, int deleteall)
 		}
 
 	} else {
+		rtnl_filter_t rtnl_filter = xfrm_state_print;
+		if (save) {
+			if (dump_write_magic(state_dump_magic))
+				return -1;
+			rtnl_filter = save_nlmsg;
+		}
+
 		struct xfrm_address_filter addrfilter = {
 			.saddr = filter.xsinfo.saddr,
 			.daddr = filter.xsinfo.id.daddr,
@@ -1199,7 +1210,7 @@ static int xfrm_state_list_or_deleteall(int argc, char **argv, int deleteall)
 			exit(1);
 		}
 
-		if (rtnl_dump_filter(&rth, xfrm_state_print, stdout) < 0) {
+		if (rtnl_dump_filter(&rth, rtnl_filter, stdout) < 0) {
 			fprintf(stderr, "Dump terminated\n");
 			exit(1);
 		}
@@ -1210,6 +1221,35 @@ static int xfrm_state_list_or_deleteall(int argc, char **argv, int deleteall)
 	exit(0);
 }
 
+static int restore_handler(const struct sockaddr_nl *nl,
+			   struct rtnl_ctrl_data *ctrl,
+			   struct nlmsghdr *n, void *arg)
+{
+	struct rtnl_handle *rth = (struct rtnl_handle *)arg;
+	int ret;
+
+	n->nlmsg_flags |= NLM_F_REQUEST | NLM_F_CREATE | NLM_F_ACK;
+
+	ret = rtnl_talk(rth, n, n, sizeof(*n));
+	if ((ret < 0) && (errno == EEXIST))
+		ret = 0;
+
+	return ret;
+}
+
+static int xfrm_state_restore(void)
+{
+	struct rtnl_handle rth;
+
+	if (dump_check_magic(state_dump_magic))
+		exit(-1);
+
+	if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0)
+		exit(1);
+
+	exit(rtnl_from_file(stdin, &restore_handler, (void *)&rth));
+}
+
 static int print_sadinfo(struct nlmsghdr *n, void *arg)
 {
 	FILE *fp = (FILE *)arg;
@@ -1338,7 +1378,7 @@ static int xfrm_state_flush(int argc, char **argv)
 int do_xfrm_state(int argc, char **argv)
 {
 	if (argc < 1)
-		return xfrm_state_list_or_deleteall(0, NULL, 0);
+		return xfrm_state_list_deleteall_or_save(0, NULL, 0, 0);
 
 	if (matches(*argv, "add") == 0)
 		return xfrm_state_modify(XFRM_MSG_NEWSA, 0,
@@ -1351,10 +1391,14 @@ int do_xfrm_state(int argc, char **argv)
 	if (matches(*argv, "delete") == 0)
 		return xfrm_state_get_or_delete(argc-1, argv+1, 1);
 	if (matches(*argv, "deleteall") == 0 || matches(*argv, "delall") == 0)
-		return xfrm_state_list_or_deleteall(argc-1, argv+1, 1);
+		return xfrm_state_list_deleteall_or_save(argc-1, argv+1, 1, 0);
 	if (matches(*argv, "list") == 0 || matches(*argv, "show") == 0
 	    || matches(*argv, "lst") == 0)
-		return xfrm_state_list_or_deleteall(argc-1, argv+1, 0);
+		return xfrm_state_list_deleteall_or_save(argc-1, argv+1, 0, 0);
+	if (matches(*argv, "save") == 0)
+		return xfrm_state_list_deleteall_or_save(argc-1, argv+1, 0, 1);
+	if (matches(*argv, "restore") == 0)
+		return xfrm_state_restore();
 	if (matches(*argv, "get") == 0)
 		return xfrm_state_get_or_delete(argc-1, argv+1, 0);
 	if (matches(*argv, "flush") == 0)
diff --git a/man/man8/ip-xfrm.8 b/man/man8/ip-xfrm.8
index 11f7104..803ac3f 100644
--- a/man/man8/ip-xfrm.8
+++ b/man/man8/ip-xfrm.8
@@ -104,6 +104,12 @@ ip-xfrm \- transform configuration
 .BR "ip xfrm state count"
 
 .ti -8
+.BR "ip xfrm state save"
+
+.ti -8
+.BR "ip xfrm state restore"
+
+.ti -8
 .IR ID " :="
 .RB "[ " src
 .IR ADDR " ]"
@@ -414,6 +420,8 @@ ip xfrm state deleteall	delete all existing state in xfrm
 ip xfrm state list	print out the list of existing state in xfrm
 ip xfrm state flush	flush all state in xfrm
 ip xfrm state count	count all existing state in xfrm
+ip xfrm state save	save xfrm states table information to stdout
+ip xfrm state restore	restore xfrm states table from stdin
 .TE
 
 .TP
-- 
2.5.5

[PATCH 4/6] ip xfrm policy: add save/restore

[Pavel Tikhomirov]

This patch adds save and restore commands to "ip xfrm policy"
similar to commit 2f4e171f7df2 and commit f4ff11e3e298 for
"ip rule" and "ip route" respectively. Mind that we can not
restore socket policies these way, so silently skip them.

The feature is useful in checkpoint/restore for container
migration.

Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
---
 ip/xfrm_policy.c   | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++----
 man/man8/ip-xfrm.8 |  8 ++++++
 2 files changed, 76 insertions(+), 5 deletions(-)

diff --git a/ip/xfrm_policy.c b/ip/xfrm_policy.c
index cc9c0f1..2f1ce4b 100644
--- a/ip/xfrm_policy.c
+++ b/ip/xfrm_policy.c
@@ -32,6 +32,7 @@
 #include "utils.h"
 #include "xfrm.h"
 #include "ip_common.h"
+#include <errno.h>
 
 /* #define NLMSG_DELETEALL_BUF_SIZE (4096-512) */
 #define NLMSG_DELETEALL_BUF_SIZE 8192
@@ -61,6 +62,7 @@ static void usage(void)
 	fprintf(stderr, "Usage: ip xfrm policy { deleteall | list } [ SELECTOR ] [ dir DIR ]\n");
 	fprintf(stderr, "        [ index INDEX ] [ ptype PTYPE ] [ action ACTION ] [ priority PRIORITY ]\n");
 	fprintf(stderr, "        [ flag FLAG-LIST ]\n");
+	fprintf(stderr, "Usage: ip xfrm policy { save | restore }\n");
 	fprintf(stderr, "Usage: ip xfrm policy flush [ ptype PTYPE ]\n");
 	fprintf(stderr, "Usage: ip xfrm policy count\n");
 	fprintf(stderr, "Usage: ip xfrm policy set [ hthresh4 LBITS RBITS ] [ hthresh6 LBITS RBITS ]\n");
@@ -754,7 +756,9 @@ static int xfrm_policy_keep(const struct sockaddr_nl *who,
 	return 0;
 }
 
-static int xfrm_policy_list_or_deleteall(int argc, char **argv, int deleteall)
+static __u32 policy_dump_magic = 0x71706988;
+
+static int xfrm_policy_list_or_deleteall_or_save(int argc, char **argv, int deleteall, int save)
 {
 	char *selp = NULL;
 	struct rtnl_handle rth;
@@ -877,6 +881,13 @@ static int xfrm_policy_list_or_deleteall(int argc, char **argv, int deleteall)
 			xb.nlmsg_count = 0;
 		}
 	} else {
+		rtnl_filter_t rtnl_filter = xfrm_policy_print;
+		if (save) {
+			if (dump_write_magic(policy_dump_magic))
+				return -1;
+			rtnl_filter = save_nlmsg;
+		}
+
 		struct {
 			struct nlmsghdr n;
 			char buf[NLMSG_BUF_SIZE];
@@ -892,7 +903,7 @@ static int xfrm_policy_list_or_deleteall(int argc, char **argv, int deleteall)
 			exit(1);
 		}
 
-		if (rtnl_dump_filter(&rth, xfrm_policy_print, stdout) < 0) {
+		if (rtnl_dump_filter(&rth, rtnl_filter, stdout) < 0) {
 			fprintf(stderr, "Dump terminated\n");
 			exit(1);
 		}
@@ -903,6 +914,54 @@ static int xfrm_policy_list_or_deleteall(int argc, char **argv, int deleteall)
 	exit(0);
 }
 
+static int restore_handler(const struct sockaddr_nl *nl,
+			   struct rtnl_ctrl_data *ctrl,
+			   struct nlmsghdr *n, void *arg)
+{
+	struct rtnl_handle *rth = (struct rtnl_handle *)arg;
+	int ret;
+	struct xfrm_userpolicy_info *xpinfo;
+	int len = n->nlmsg_len;
+
+	if (n->nlmsg_type != XFRM_MSG_NEWPOLICY) {
+		fprintf(stderr, "BUG: wrong nlmsg_type: %08x\n",
+			n->nlmsg_type);
+		return -1;
+	}
+
+	xpinfo = NLMSG_DATA(n);
+	len -= NLMSG_SPACE(sizeof(*xpinfo));
+
+	if (len < 0) {
+		fprintf(stderr, "BUG: wrong nlmsg len %d\n", len);
+		return -1;
+	}
+
+	/* We can not restore socket policies here - skip them */
+	if (xpinfo->dir >= XFRM_POLICY_MAX)
+		return 0;
+
+	n->nlmsg_flags |= NLM_F_REQUEST | NLM_F_CREATE | NLM_F_ACK;
+
+	ret = rtnl_talk(rth, n, n, sizeof(*n));
+	if ((ret < 0) && (errno == EEXIST))
+		ret = 0;
+
+	return ret;
+}
+
+static int xfrm_policy_restore(void)
+{
+	struct rtnl_handle rth;
+	if (dump_check_magic(policy_dump_magic))
+		exit(-1);
+
+	if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0)
+		exit(1);
+
+	exit(rtnl_from_file(stdin, &restore_handler, (void *)&rth));
+}
+
 static int print_spdinfo(struct nlmsghdr *n, void *arg)
 {
 	FILE *fp = (FILE *)arg;
@@ -1136,7 +1195,7 @@ static int xfrm_policy_flush(int argc, char **argv)
 int do_xfrm_policy(int argc, char **argv)
 {
 	if (argc < 1)
-		return xfrm_policy_list_or_deleteall(0, NULL, 0);
+		return xfrm_policy_list_or_deleteall_or_save(0, NULL, 0, 0);
 
 	if (matches(*argv, "add") == 0)
 		return xfrm_policy_modify(XFRM_MSG_NEWPOLICY, 0,
@@ -1147,10 +1206,14 @@ int do_xfrm_policy(int argc, char **argv)
 	if (matches(*argv, "delete") == 0)
 		return xfrm_policy_delete(argc-1, argv+1);
 	if (matches(*argv, "deleteall") == 0 || matches(*argv, "delall") == 0)
-		return xfrm_policy_list_or_deleteall(argc-1, argv+1, 1);
+		return xfrm_policy_list_or_deleteall_or_save(argc-1, argv+1, 1, 0);
 	if (matches(*argv, "list") == 0 || matches(*argv, "show") == 0
 	    || matches(*argv, "lst") == 0)
-		return xfrm_policy_list_or_deleteall(argc-1, argv+1, 0);
+		return xfrm_policy_list_or_deleteall_or_save(argc-1, argv+1, 0, 0);
+	if (matches(*argv, "save") == 0)
+		return xfrm_policy_list_or_deleteall_or_save(argc-1, argv+1, 0, 1);
+	if (matches(*argv, "restore") == 0)
+		return xfrm_policy_restore();
 	if (matches(*argv, "get") == 0)
 		return xfrm_policy_get(argc-1, argv+1);
 	if (matches(*argv, "flush") == 0)
diff --git a/man/man8/ip-xfrm.8 b/man/man8/ip-xfrm.8
index 803ac3f..f5b8290 100644
--- a/man/man8/ip-xfrm.8
+++ b/man/man8/ip-xfrm.8
@@ -274,6 +274,12 @@ ip-xfrm \- transform configuration
 .B "ip xfrm policy count"
 
 .ti -8
+.BR "ip xfrm policy save"
+
+.ti -8
+.BR "ip xfrm policy restore"
+
+.ti -8
 .B "ip xfrm policy set"
 .RB "[ " hthresh4
 .IR LBITS " " RBITS " ]"
@@ -555,6 +561,8 @@ ip xfrm policy get	get an existing policy
 ip xfrm policy deleteall	delete all existing xfrm policies
 ip xfrm policy list	print out the list of xfrm policies
 ip xfrm policy flush	flush policies
+ip xfrm policy save	save xfrm policies table information to stdout
+ip xfrm policy restore	restore xfrm policies table from stdin
 .TE
 
 .TP
-- 
2.5.5

[PATCH 5/6] ip xfrm state: fixup hard/soft timeouts/limits while save

[Pavel Tikhomirov]

introduce "fixlimits" option of "ip xfrm state save",
if have these option we will change the limits saved to
dump file according to the real passed time/bytes/packets
since the state add-time.

For instance, we have a process in container which set
xfrm state 10sec ago with a timeout of 30sec and now we
do C/R for the whole container. As the process in question
knows nothing about C/R, after restore it might expect that
xfrm state dissappears in 30-10=20sec, so we need to set
timeout to 20. If difference is <=0 set 1 at least to do
not lose the limit completely.

Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
---
 ip/xfrm_state.c    | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++--
 man/man8/ip-xfrm.8 | 10 ++++++-
 2 files changed, 95 insertions(+), 3 deletions(-)

diff --git a/ip/xfrm_state.c b/ip/xfrm_state.c
index 56d9f22..6c55b3e 100644
--- a/ip/xfrm_state.c
+++ b/ip/xfrm_state.c
@@ -32,6 +32,7 @@
 #include "xfrm.h"
 #include "ip_common.h"
 #include <errno.h>
+#include <time.h>
 
 /* #define NLMSG_DELETEALL_BUF_SIZE (4096-512) */
 #define NLMSG_DELETEALL_BUF_SIZE 8192
@@ -66,7 +67,8 @@ static void usage(void)
 	fprintf(stderr, "Usage: ip xfrm state { delete | get } ID [ mark MARK [ mask MASK ] ]\n");
 	fprintf(stderr, "Usage: ip xfrm state { deleteall | list } [ ID ] [ mode MODE ] [ reqid REQID ]\n");
 	fprintf(stderr, "        [ flag FLAG-LIST ]\n");
-	fprintf(stderr, "Usage: ip xfrm state { save | restore }\n");
+	fprintf(stderr, "Usage: ip xfrm state save [ fixlimits ]\n");
+	fprintf(stderr, "Usage: ip xfrm state restore\n");
 	fprintf(stderr, "Usage: ip xfrm state flush [ proto XFRM-PROTO ]\n");
 	fprintf(stderr, "Usage: ip xfrm state count\n");
 	fprintf(stderr, "ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]\n");
@@ -1077,10 +1079,89 @@ static int xfrm_state_keep(const struct sockaddr_nl *who,
 
 static __u32 state_dump_magic = 0x71706987;
 
+static inline void fixup_lft_limit(__u64 *lft_limit, __u64 lft_cur)
+{
+	if (lft_cur < *lft_limit)
+		/*
+		 * Limit is not yet hit, decrease it by
+		 * current lifetime
+		 */
+		*lft_limit -= lft_cur;
+	else
+		/*
+		 * Limit is already hit or almost hit, set it
+		 * to 1 to hit it imediately after restore
+		 */
+		*lft_limit = 1;
+}
+
+static int fixup_lifetime(struct xfrm_lifetime_cur *curlft, struct xfrm_lifetime_cfg *lft)
+{
+	unsigned long now;
+	__u64 time_since_add, time_since_use;
+
+	now = time(NULL);
+	if (now < 0) {
+		fprintf(stderr, "Failed to get current time\n");
+		return -1;
+	}
+	time_since_add = now - curlft->add_time;
+	time_since_use = now - (curlft->use_time ? : curlft->add_time);
+
+	/* Fixup expire timeouts */
+	if (lft->hard_add_expires_seconds)
+		fixup_lft_limit(&lft->hard_add_expires_seconds, time_since_add);
+	if (lft->hard_use_expires_seconds)
+		fixup_lft_limit(&lft->hard_use_expires_seconds, time_since_use);
+	if (lft->soft_add_expires_seconds)
+		fixup_lft_limit(&lft->soft_add_expires_seconds, time_since_add);
+	if (lft->soft_use_expires_seconds)
+		fixup_lft_limit(&lft->soft_use_expires_seconds, time_since_use);
+
+	/* Fixup expire limits */
+	if (lft->hard_byte_limit != XFRM_INF)
+		fixup_lft_limit(&lft->hard_byte_limit, curlft->bytes);
+	if (lft->hard_packet_limit != XFRM_INF)
+		fixup_lft_limit(&lft->hard_packet_limit, curlft->packets);
+	if (lft->soft_byte_limit != XFRM_INF)
+		fixup_lft_limit(&lft->soft_byte_limit, curlft->bytes);
+	if (lft->soft_packet_limit != XFRM_INF)
+		fixup_lft_limit(&lft->soft_packet_limit, curlft->packets);
+
+	return 0;
+}
+
+static int save_state(const struct sockaddr_nl *who, struct nlmsghdr *n,
+		void *arg)
+{
+	struct xfrm_usersa_info *xsinfo;
+	int len = n->nlmsg_len;
+
+	if (n->nlmsg_type != XFRM_MSG_NEWSA) {
+		fprintf(stderr, "BUG: wrong nlmsg_type: %08x\n",
+			n->nlmsg_type);
+		return -1;
+	}
+
+	xsinfo = NLMSG_DATA(n);
+	len -= NLMSG_SPACE(sizeof(*xsinfo));
+
+	if (len < 0) {
+		fprintf(stderr, "BUG: wrong nlmsg len %d\n", len);
+		return -1;
+	}
+
+	if (fixup_lifetime(&xsinfo->curlft, &xsinfo->lft))
+		return -1;
+
+	return save_nlmsg(who, n, arg);
+}
+
 static int xfrm_state_list_deleteall_or_save(int argc, char **argv, int deleteall, int save)
 {
 	char *idp = NULL;
 	struct rtnl_handle rth;
+	int fixlimits = 0;
 
 	if (argc > 0)
 		filter.use = 1;
@@ -1105,6 +1186,9 @@ static int xfrm_state_list_deleteall_or_save(int argc, char **argv, int deleteal
 
 			filter.state_flags_mask = XFRM_FILTER_MASK_FULL;
 
+		} else if (strcmp(*argv, "fixlimits") == 0) {
+			fixlimits = 1;
+
 		} else {
 			if (idp)
 				invarg("unknown", *argv);
@@ -1179,7 +1263,7 @@ static int xfrm_state_list_deleteall_or_save(int argc, char **argv, int deleteal
 		if (save) {
 			if (dump_write_magic(state_dump_magic))
 				return -1;
-			rtnl_filter = save_nlmsg;
+			rtnl_filter = fixlimits ? save_state : save_nlmsg;
 		}
 
 		struct xfrm_address_filter addrfilter = {
diff --git a/man/man8/ip-xfrm.8 b/man/man8/ip-xfrm.8
index f5b8290..2fd088d 100644
--- a/man/man8/ip-xfrm.8
+++ b/man/man8/ip-xfrm.8
@@ -104,7 +104,7 @@ ip-xfrm \- transform configuration
 .BR "ip xfrm state count"
 
 .ti -8
-.BR "ip xfrm state save"
+.BR "ip xfrm state save" " [ " fixlimits " ]"
 
 .ti -8
 .BR "ip xfrm state restore"
@@ -550,6 +550,14 @@ encapsulates packets with protocol
 .RI "using source port " SPORT ", destination port "  DPORT
 .RI ", and original address " OADDR "."
 
+.P
+If the
+.BI fixlimits
+option is set on save, change entry
+.I LIMITs
+saved to dump file according to the real time/bytes/packets passed
+since entry add-time.
+
 .sp
 .PP
 .TS
-- 
2.5.5

[PATCH 6/6] ip xfrm policy: fixup hard/soft timeouts/limits while save

[Pavel Tikhomirov]

same as for states, though I beleive that plicies do not actually
support byte-soft | byte-hard | packet-soft | packet-hard, but
they still can be set.

Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
---
 ip/ip_common.h     |  5 +++++
 ip/xfrm_policy.c   | 35 +++++++++++++++++++++++++++++++++--
 ip/xfrm_state.c    |  2 +-
 man/man8/ip-xfrm.8 |  2 +-
 4 files changed, 40 insertions(+), 4 deletions(-)

diff --git a/ip/ip_common.h b/ip/ip_common.h
index 69e028d..7c10413 100644
--- a/ip/ip_common.h
+++ b/ip/ip_common.h
@@ -72,6 +72,11 @@ extern int dump_check_magic(__u32 dump_magic);
 extern int save_nlmsg(const struct sockaddr_nl *who,
 		struct nlmsghdr *n, void *arg);
 
+#ifdef _LINUX_XFRM_H
+extern int fixup_lifetime(struct xfrm_lifetime_cur *curlft,
+		struct xfrm_lifetime_cfg *lft);
+#endif
+
 extern struct rtnl_handle rth;
 
 #include <stdbool.h>
diff --git a/ip/xfrm_policy.c b/ip/xfrm_policy.c
index 2f1ce4b..987fae8 100644
--- a/ip/xfrm_policy.c
+++ b/ip/xfrm_policy.c
@@ -62,7 +62,8 @@ static void usage(void)
 	fprintf(stderr, "Usage: ip xfrm policy { deleteall | list } [ SELECTOR ] [ dir DIR ]\n");
 	fprintf(stderr, "        [ index INDEX ] [ ptype PTYPE ] [ action ACTION ] [ priority PRIORITY ]\n");
 	fprintf(stderr, "        [ flag FLAG-LIST ]\n");
-	fprintf(stderr, "Usage: ip xfrm policy { save | restore }\n");
+	fprintf(stderr, "Usage: ip xfrm policy save [ fixlimits ]\n");
+	fprintf(stderr, "Usage: ip xfrm policy restore\n");
 	fprintf(stderr, "Usage: ip xfrm policy flush [ ptype PTYPE ]\n");
 	fprintf(stderr, "Usage: ip xfrm policy count\n");
 	fprintf(stderr, "Usage: ip xfrm policy set [ hthresh4 LBITS RBITS ] [ hthresh6 LBITS RBITS ]\n");
@@ -758,10 +759,37 @@ static int xfrm_policy_keep(const struct sockaddr_nl *who,
 
 static __u32 policy_dump_magic = 0x71706988;
 
+static int save_policy(const struct sockaddr_nl *who, struct nlmsghdr *n,
+		void *arg)
+{
+	struct xfrm_userpolicy_info *xpinfo;
+	int len = n->nlmsg_len;
+
+	if (n->nlmsg_type != XFRM_MSG_NEWPOLICY) {
+		fprintf(stderr, "BUG: wrong nlmsg_type: %08x\n",
+			n->nlmsg_type);
+		return -1;
+	}
+
+	xpinfo = NLMSG_DATA(n);
+	len -= NLMSG_SPACE(sizeof(*xpinfo));
+
+	if (len < 0) {
+		fprintf(stderr, "BUG: wrong nlmsg len %d\n", len);
+		return -1;
+	}
+
+	if (fixup_lifetime(&xpinfo->curlft, &xpinfo->lft))
+		return -1;
+
+	return save_nlmsg(who, n, arg);
+}
+
 static int xfrm_policy_list_or_deleteall_or_save(int argc, char **argv, int deleteall, int save)
 {
 	char *selp = NULL;
 	struct rtnl_handle rth;
+	int fixlimits = 0;
 
 	if (argc > 0)
 		filter.use = 1;
@@ -812,6 +840,9 @@ static int xfrm_policy_list_or_deleteall_or_save(int argc, char **argv, int dele
 
 			filter.policy_flags_mask = XFRM_FILTER_MASK_FULL;
 
+		} else if (strcmp(*argv, "fixlimits") == 0) {
+			fixlimits = 1;
+
 		} else {
 			if (selp)
 				invarg("unknown", *argv);
@@ -885,7 +916,7 @@ static int xfrm_policy_list_or_deleteall_or_save(int argc, char **argv, int dele
 		if (save) {
 			if (dump_write_magic(policy_dump_magic))
 				return -1;
-			rtnl_filter = save_nlmsg;
+			rtnl_filter = fixlimits ? save_policy : save_nlmsg;
 		}
 
 		struct {
diff --git a/ip/xfrm_state.c b/ip/xfrm_state.c
index 6c55b3e..ea324ef 100644
--- a/ip/xfrm_state.c
+++ b/ip/xfrm_state.c
@@ -1095,7 +1095,7 @@ static inline void fixup_lft_limit(__u64 *lft_limit, __u64 lft_cur)
 		*lft_limit = 1;
 }
 
-static int fixup_lifetime(struct xfrm_lifetime_cur *curlft, struct xfrm_lifetime_cfg *lft)
+int fixup_lifetime(struct xfrm_lifetime_cur *curlft, struct xfrm_lifetime_cfg *lft)
 {
 	unsigned long now;
 	__u64 time_since_add, time_since_use;
diff --git a/man/man8/ip-xfrm.8 b/man/man8/ip-xfrm.8
index 2fd088d..d3b62bb 100644
--- a/man/man8/ip-xfrm.8
+++ b/man/man8/ip-xfrm.8
@@ -274,7 +274,7 @@ ip-xfrm \- transform configuration
 .B "ip xfrm policy count"
 
 .ti -8
-.BR "ip xfrm policy save"
+.BR "ip xfrm policy save" " [ " fixlimits " ]"
 
 .ti -8
 .BR "ip xfrm policy restore"
-- 
2.5.5

Re: [PATCH 3/6] ip xfrm state: add save/restore

[Stephen Hemminger]

On Fri,  2 Sep 2016 12:02:23 +0300
Pavel Tikhomirov <ptikhomirov@virtuozzo.com> wrote:

> +static __u32 state_dump_magic = 0x71706987;
> +
> +static int xfrm_state_list_deleteall_or_save(int argc, char **argv, int deleteall, int save)

I have no problem with the overall functionality of this patch set, but this
function_name_is_too_long_for_rational_humans.

Please make the function names (especially the local static ones) shorter and more reasonable
and resubmit