From 5670b488a2099c928ac38b18d0c9f3696c8f98d0 Mon Sep 17 00:00:00 2001
From: Radostin Stoyanov
Date: Fri, 23 Sep 2022 15:59:04 +0100
Subject: [PATCH] utils: suppress errors on missing legacy iptables
When the legacy iptables backend is not installed, iptables-legacy-save and ip6tables-legacy-save binary files are missing and this results in the following error messages:
(00.062021) iptables has nft backend: iptables-save v1.8.8 (nf_tables)
Error (criu/util.c:626): execvp("iptables-legacy-save", ...) failed: No such file or directory
(00.062793) Error (criu/util.c:641): exited, status=1
(00.062800) Error (criu/util.c:1566): iptables-legacy-save -V failed
(00.069758) iptables has nft backend: ip6tables-save v1.8.8 (nf_tables)
Error (criu/util.c:626): execvp("ip6tables-legacy-save", ...) failed: No such file or directory
(00.070615) Error (criu/util.c:641): exited, status=1
(00.070624) Error (criu/util.c:1566): ip6tables-legacy-save -V failed
(00.070632) skipping iptables dump - no legacy version present
(00.070635) skipping ip6tables dump - no legacy version present
The error messages "No such file or directory" can be ignored. This patch updates the get_legacy_iptables_bin() to check if the /proc/net/ip(6)_tables_names file is empty before trying to run iptables-legacy.
Signed-off-by: Radostin Stoyanov
---
 criu/util.c | 35 +++++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/criu/util.c b/criu/util.c
index 95ba0feda6..42bcc9b2e6 100644
--- a/criu/util.c
+++ b/criu/util.c
@@ -1676,6 +1676,34 @@ static int is_iptables_nft(char *bin)
 return ret;
 }
+
+/**
+ * Check if the system is using legacy iptables.
+ * This function is similar to nft_check_xt_legacy():
+ * https://git.netfilter.org/iptables/tree/iptables/nft-shared.c
+ *
+ * Return value:
+ * 1 legacy tables present
+ * 0 legacy tables not present
+ * -1 error
+ */
+int check_ipt_legacy(bool ipv6)
+{
+ FILE *fp = NULL;
+ char buf[1024];
+ const char tables[2][27] = {"/proc/net/ip_tables_names", "/proc/net/ip6_tables_names"};
+ int exit_code = 0;
+
+ fp = fopen(tables[ipv6], "r");
+ if (!fp)
+ return -1;
+
+ if (fgets(buf, sizeof(buf), fp))
+ exit_code = 1;
+ fclose(fp);
+ return exit_code;
+}
+
 char *get_legacy_iptables_bin(bool ipv6, bool restore)
 {
 static char iptables_bin[2][2][32];
@@ -1704,8 +1732,11 @@ char *get_legacy_iptables_bin(bool ipv6, bool restore)
 * let's try iptables-legacy
 */
 if (ret < 0 || ret == 1) {
- memcpy(iptables_bin[ipv6][restore], bins[ipv6][restore][1], strlen(bins[ipv6][restore][1]) + 1);
- ret = is_iptables_nft(iptables_bin[ipv6][restore]);
+ if (check_ipt_legacy(ipv6) == 1) {
+ memcpy(iptables_bin[ipv6][restore], bins[ipv6][restore][1], strlen(bins[ipv6][restore][1]) + 1);
+ ret = is_iptables_nft(iptables_bin[ipv6][restore]);
+ }
+
 if (ret < 0 || ret == 1) {
 iptables_present[ipv6][restore] = -1;
 return NULL;
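Review bot: `check_ipt_legacy()` is added with external linkage although the only caller in this patch is in the same file; unless another file declares it (not visible here), `static int check_ipt_legacy(bool ipv6)` would match the neighbouring `is_iptables_nft()`. The `tables[2][27]` declaration leaves exactly one byte for the terminator of the longer path, so any edit to the strings has to keep the 27 in step; `static const char *const tables[] = { "/proc/net/ip_tables_names", "/proc/net/ip6_tables_names" };` removes the magic size. The doc comment should also say that -1 means the proc file could not be opened, since that is the only error path in the function.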
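Review bot: The new guard `check_ipt_legacy(ipv6) == 1` handles the -1 error return exactly like 0, so if /proc/net/ip(6)_tables_names cannot be opened (for example because of permissions) the function falls through to `return NULL` and, going by the log lines in the commit message, the legacy dump is skipped as though no rules existed. Firewall rules silently missing from a checkpoint is a worse failure than noisy logs, so -1 should either keep the previous probe, `if (check_ipt_legacy(ipv6) != 0) {`, or at least be logged with errno when it is not ENOENT. The guard also ignores `restore`: it looks at the tables currently loaded in the caller's network namespace, which on restore may not yet contain the tables the image is about to load, so it is worth confirming that the restore path still selects iptables-legacy-restore. The body of get_legacy_iptables_bin() starts and ends outside this hunk.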