make: allow setting the default network locking backend

.github/workflows/nftables-test.yml

@@ -0,0 +1,20 @@
+name: Nftables bases testing
+
+on: [push, pull_request]
+
+# Cancel any preceding run on the pull request.
+concurrency:
+  group: nftables-test-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/criu-dev' }}
+
+jobs:
+  build:
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: actions/checkout@v4
+    - name: Remove iptables
+      run: sudo apt remove -y iptables
+    - name: Install libnftables-dev
+      run: sudo scripts/ci/apt-install libnftables-dev
+    - name: Build with nftables network locking backend
+      run: sudo make -C scripts/ci local COMPILE_FLAGS="NETWORK_LOCK_DEFAULT=NETWORK_LOCK_NFTABLES"

INSTALL.md

@@ -1,11 +1,31 @@
+## Building CRIU from source code
+
+First, you need to install compile-time dependencies. Check [Installation dependencies](https://criu.org/Installation#Dependencies) for more info.
+
+To compile CRIU, run:
+```
+    make
+```
+This should create the `./criu/criu` executable.
+
+To change the default behaviour of CRIU following variables can be
+passed to the make command:
+
+ * **NETWORK_LOCK_DEFAULT**, can be set to one of the following
+   values: *NETWORK_LOCK_IPTABLES*, *NETWORK_LOCK_NFTABLES*,
+   *NETWORK_LOCK_SKIP*. CRIU defaults to *NETWORK_LOCK_IPTABLES*
+   if nothing is specified. If another network locking backend is
+   needed `make` can be called like this:
+   `make NETWORK_LOCK_DEFAULT=NETWORK_LOCK_NFTABLES`
+
 ## Installing CRIU from source code
 
 Once CRIU is built one can easily setup the complete CRIU package
 (which includes executable itself, CRIT tool, libraries, manual
 and etc) simply typing
-
+```
     make install
-
+```
 this command accepts the following variables:
 
  * **DESTDIR**, to specify global root where all components will be placed under (empty by default);
@@ -16,17 +36,17 @@ this command accepts the following variables:
  * **LIBDIR**, to specify directory where to put libraries (guess the correct path  by default).
 
 Thus one can type
-
+```
     make DESTDIR=/some/new/place install
-
+```
 and get everything installed under `/some/new/place`.
 
 ## Uninstalling CRIU
 
 To clean up previously installed CRIU instance one can type
-
+```
     make uninstall
-
+```
 and everything should be removed. Note though that if some variable (**DESTDIR**, **BINDIR**
 and such) has been used during installation procedure, the same *must* be passed with
 uninstall action.

Makefile

@@ -140,6 +140,10 @@ ifneq ($(GCOV),)
         CFLAGS          += $(CFLAGS-GCOV)
 endif
 
+ifneq ($(NETWORK_LOCK_DEFAULT),)
+	CFLAGS		+= -DNETWORK_LOCK_DEFAULT=$(NETWORK_LOCK_DEFAULT)
+endif
+
 ifeq ($(ASAN),1)
 	CFLAGS-ASAN	:= -fsanitize=address
 	export		CFLAGS-ASAN

criu/include/cr_options.h

@@ -70,7 +70,15 @@ enum NETWORK_LOCK_METHOD {
 	NETWORK_LOCK_SKIP,
 };
 
+/**
+ * CRIU currently defaults to the iptables locking backend.
+ *
+ * It is, however, possible to change this by defining
+ * NETWORK_LOCK_DEFAULT to a different value on the command-line.
+ */
+#ifndef NETWORK_LOCK_DEFAULT
 #define NETWORK_LOCK_DEFAULT NETWORK_LOCK_IPTABLES
+#endif
 
 /*
  * Ghost file size we allow to carry by default.

scripts/ci/run-ci-tests.sh

@@ -121,8 +121,14 @@ if [ "${CD_TO_TOP}" = "1" ]; then
 fi
 
 export GCOV CC
+if [ -z "$COMPILE_FLAGS" ]; then
+	LOCAL_COMPILE_FLAGS=("V=1")
+else
+	IFS=" " read -r -a LOCAL_COMPILE_FLAGS <<< "$COMPILE_FLAGS"
+	LOCAL_COMPILE_FLAGS=("V=1" "${LOCAL_COMPILE_FLAGS[@]}")
+fi
 $CC --version
-time make CC="$CC" -j4 V=1
+time make CC="$CC" -j4 "${LOCAL_COMPILE_FLAGS[@]}"
 
 ./criu/criu -v4 cpuinfo dump || :
 ./criu/criu -v4 cpuinfo check || :