From 1009c8bb502b603c7bf652bebd39fddc21b288a8 Mon Sep 17 00:00:00 2001
From: Andrey Vagin
Date: Wed, 2 Oct 2013 19:29:23 +0400
Subject: [PATCH] iptables: use cr_system instead of system

We are going to detect parasite crashes. For that we are goint to check all unwaited processes in SIGCHLD handler. cr_system blocks SIGCHLD and unblocks it after waiting a target process.

Signed-off-by: Andrey Vagin
Signed-off-by: Pavel Emelyanov
---
 netfilter.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/netfilter.c b/netfilter.c
index 9fecf08a4..e6a2a42cd 100644
--- a/netfilter.c
+++ b/netfilter.c
@@ -32,6 +32,7 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,
 {
 char sip[INET_ADDR_LEN], dip[INET_ADDR_LEN];
 char *cmd;
+ char *argv[4] = { "sh", "-c", buf, NULL };
 int ret;
 
 switch (family) {
@@ -58,7 +59,12 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,
 dip, (int)dst_port, sip, (int)src_port);
 
 pr_debug("\tRunning iptables [%s]\n", buf);
- ret = system(buf);
+
+ /*
+ * cr_system is used here, because it blocks SIGCHLD before waiting
+ a child and the child can't be waited from SIGCHLD handler.
+ */
+ ret = cr_system(-1, -1, -1, "sh", argv);
 if (ret < 0 || !WIFEXITED(ret) || WEXITSTATUS(ret)) {
 pr_perror("Iptables configuration failed");
 return -1;
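Review bot: The three `-1` arguments in `ret = cr_system(-1, -1, -1, "sh", argv);` in the second hunk are unexplained magic values; the comment above the call says why cr_system replaces system() but not what the call passes, so a reader has to open cr_system to learn what -1 selects. A one-line comment on the call, e.g. `/* -1, -1, -1: leave the child's stdin/stdout/stderr untouched, see cr_system */` (wording to be confirmed against cr_system's definition, which is not in this patch), would make the call self-explanatory. The unchanged check `if (ret < 0 || !WIFEXITED(ret) || WEXITSTATUS(ret))` was written for system()'s wait-status return convention, so it should be confirmed that cr_system returns the same encoding and -1 with errno set on fork/exec failure, otherwise pr_perror would report a misleading error. Since the command is now launched from an argv vector anyway, the `sh -c` indirection over `buf` could be dropped by handing the iptables argument list to cr_system directly, which removes shell interpretation of the formatted command; how `buf` is declared and filled is outside the hunk, as is the rest of nf_connection_switch_raw.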