[CRIU] [PATCH 2/3] net: block all traffic in internal network
Andrew Vagin
avagin at odin.com
Thu Oct 22 08:35:19 PDT 2015
On Wed, Sep 23, 2015 at 03:25:07PM +0300, Andrew Vagin wrote:
> On Thu, Sep 17, 2015 at 08:26:42PM +0300, Pavel Emelyanov wrote:
> >
> > > +static int network_lock_internal(void)
> > > +{
> > > + int exit_code = -1, nsret = -1, i;
> > > + char *cmds[][10] = {
> > > + {"iptables", "-N", "CRIU", NULL},
> > > + {"iptables", "-A", "CRIU", "-t", "filter", "-j", "DROP", NULL},
> > > + {"iptables", "-I", "INPUT", "-j", "CRIU", NULL},
> > > + {"iptables", "-I", "OUTPUT", "-j", "CRIU", NULL},
> > > + {"ip6tables", "-N", "CRIU", NULL},
> > > + {"ip6tables", "-A", "CRIU", "-t", "filter", "-j", "DROP", NULL},
> > > + {"ip6tables", "-I", "INPUT", "-j", "CRIU", NULL},
> > > + {"ip6tables", "-I", "OUTPUT", "-j", "CRIU", NULL},
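Review bot: the eight commands are run unconditionally in order, so a failing `ip6tables -N CRIU` (for example in a network namespace where the kernel has no IPv6 support) aborts the lock after the four IPv4 rules have already been inserted, and `iptables -N CRIU` fails with an "already exists" error if a CRIU chain is left over from an earlier lock that was never undone. Consider checking for or flushing an existing CRIU chain before `-N`, and deciding explicitly whether an IPv6 failure is fatal. Minor: `-t filter` appears only on the two `-A CRIU ... -j DROP` lines; it is the default table, so either drop it or put it on all eight commands for consistency.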
> >
> > Running this stuff even with cr_system will be incredibly slow :( Each iptables
> > command
> >
> > - pulls all the tables from the kernel
> > - parses them and inserts a new rule
> > - pushes all the tables back into the kernel
> >
> > Can we do it faster? Somehow?
>
> Yes, we can. I think we can do this in one iteration. iptables doesn't
> allow doing this, so we will need to handle these rules ourselves.
> Unfortunately I don't have time to do that now, so I suggest committing
> these patches to fix the bug and optimizing this process later.
ping
>
> >
> > > + };
> > > + /*
> > > + * These rules will be dumped and restore, so we don't need
> > > + * to block internal network on restore.
> > > + */
> > > +
> > > + if (switch_ns(root_item->pid.real, &net_ns_desc, &nsret))
> > > + return -1;
> > > +
> > > + for (i = 0; i < sizeof(cmds) / sizeof(cmds[1]); i++) {
> > > + if (cr_system(-1, -1, -1, cmds[i][0], cmds[i]))
> > > + goto err;
> > > + }
> > > +
> > > + exit_code = 0;
> > > +err:
> > > + if (restore_ns(nsret, &net_ns_desc))
> > > + return -1;
> > > +
> > > + return exit_code;
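Review bot: when cr_system() fails for a command in the middle of the list, the `err:` path restores the namespace and returns -1 but leaves every rule inserted so far in place, so a partially locked container is left behind with nothing in this function undoing it; either run the unlock commands on that path or make the caller responsible and document it. Also, the comment above the loop should read "dumped and restored", and `sizeof(cmds) / sizeof(cmds[1])` works only because all elements have the same size; the conventional form is `sizeof(cmds[0])` (or an ARRAY_SIZE() macro if the tree has one).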
> >
> >
> > > @@ -815,7 +875,10 @@ int network_lock(void)
> > > if (!(root_ns_mask & CLONE_NEWNET))
> > > return 0;
> > >
> > > - return run_scripts(ACT_NET_LOCK);
> > > + if (run_scripts(ACT_NET_LOCK))
> > > + return -1;
> > > +
> > > + return network_lock_internal();
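Review bot: if run_scripts(ACT_NET_LOCK) succeeds and network_lock_internal() then fails, network_lock() returns -1 with the external lock scripts already applied and ACT_NET_UNLOCK never run from here; whether the caller's error path reaches network_unlock() is not visible in this hunk, so either run the unlock scripts on that failure path or state in a comment that the caller must call network_unlock().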
> >
> > If we lock all the traffic with iptables, I'd suggest not to call
> > network lock scripts at all.
>
> No, we can't do this. When we do online migrations, we don't stop the source
> container and restore the same container. If we do not block the external
> network, we will have two identical IP addresses on the network.
>
> >
> > > }
> > >
> > > void network_unlock(void)
> > > @@ -825,8 +888,10 @@ void network_unlock(void)
> > > cpt_unlock_tcp_connections();
> > > rst_unlock_tcp_connections();
> > >
> > > - if (root_ns_mask & CLONE_NEWNET)
> > > + if (root_ns_mask & CLONE_NEWNET) {
> > > run_scripts(ACT_NET_UNLOCK);
> > > + network_unlock_internal();
> > > + }
> > > }
> > >
> > > int veth_pair_add(char *in, char *out)
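Review bot: network_unlock_internal() is not in this hunk and its result is discarded inside a void function, so a failure to remove the CRIU chain (for example ip6tables failing where the lock half succeeded) is silent and leaves the container with all traffic dropped after dump or restore; at least log the failure with pr_err(), and consider removing the internal DROP rules before running ACT_NET_UNLOCK so the external and internal locks are released in the reverse of the order they were taken.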
> > >
> >
> > -- Pavel
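The "one iteration" approach discussed above, as an added example that is not CRIU's code: instead of eight separate iptables/ip6tables invocations, each of which fetches, modifies and pushes back the whole filter table, the same CRIU chain and hooks are written as one iptables-restore batch per address family. Each `*-restore --noflush` call fetches the table once, applies every line, and commits atomically, so the container's other rules are kept and there is no window in which the chain is hooked but empty. It assumes iptables-restore, ip6tables-restore and nsenter (util-linux) are installed, and identifies the target by a PID whose network namespace is entered, mirroring the patch's switch_ns(root_item->pid.real, ...); the function names and the `lock`/`unlock` argument are this example's own.

```shell
#!/bin/sh
# Added example, not CRIU code: install or remove the CRIU block chain from
# the patch with one iptables-restore batch per address family instead of
# eight separate iptables/ip6tables runs. Each *-restore call fetches the
# filter table once, applies every line and commits it once, atomically.
# Assumed (not from the patch): iptables-restore, ip6tables-restore and
# nsenter (util-linux) are installed; the target is given as a PID whose
# network namespace is entered, like switch_ns(root_item->pid.real, ...).

# Batch that creates chain CRIU, makes it unconditionally DROP, and hooks it
# at the head of INPUT and OUTPUT. The chain is declared by the ':CRIU' line,
# so the batch does not depend on a separate '-N' succeeding.
criu_lock_batch() {
	cat <<'EOF'
*filter
:CRIU - [0:0]
-A CRIU -j DROP
-I INPUT -j CRIU
-I OUTPUT -j CRIU
COMMIT
EOF
}

# Inverse batch: unhook, empty and delete the CRIU chain.
criu_unlock_batch() {
	cat <<'EOF'
*filter
-D INPUT -j CRIU
-D OUTPUT -j CRIU
-F CRIU
-X CRIU
COMMIT
EOF
}

# Number of rule lines (those starting with '-') in a batch; a cheap sanity
# check before a batch is fed to the kernel. $1 = batch function name.
batch_rule_count() {
	"$1" | grep -c '^-'
}

# Apply a batch ("lock" or "unlock", $1) inside the network namespace of
# PID $2, for IPv4 and then IPv6. Returns non-zero on the first failure,
# like the patch's loop over cr_system().
criu_net_apply() {
	action=$1
	pid=$2
	for tool in iptables-restore ip6tables-restore; do
		"criu_${action}_batch" | nsenter --target "$pid" --net "$tool" --noflush || return 1
	done
}

# Usage (needs root):
#   criu_net_apply lock "$ROOT_PID"     # before dumping
#   criu_net_apply unlock "$ROOT_PID"   # after dump/restore finishes
```

With `--noflush`, the legacy iptables-restore flushes an already existing user chain named on a `:CRIU` line instead of failing, so a chain left over from an aborted lock is reused; the unlock batch must still be applied to the restored namespace, because the patch relies on the rules being dumped and restored along with the rest of the filter table.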