[CRIU] [PATCH 2/3] net: block all traffic in internal network

Andrey Vagin avagin at openvz.org
Thu Sep 17 08:09:03 PDT 2015 

From: Andrew Vagin <avagin at openvz.org>

Let's imagine that we have two local interconnected sockets.
Whe we are restoring tcp sockets, we need to disable the repair mode
to restore data in sending queues.

If traffic isn't blocked, a socket starts operating, but
in this time another end can be not restored yet.

$ test/zdtm.sh -r ns/static/socket-tcpbuf-local
...
(00.274632) 5: Error (sk-tcp.c:485): Can't restore 2 queue data (-1), want (1780919:1780919): Connection reset by peer

We create a separate chain to avoid conflicts with other rules.

https://bugs.openvz.org/browse/CRIU-96
Signed-off-by: Andrew Vagin <avagin at openvz.org>
---
 net.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 67 insertions(+), 2 deletions(-)

diff --git a/net.c b/net.c
index 6dc026e..1d0da13 100644
--- a/net.c
+++ b/net.c
@@ -807,6 +807,66 @@ int netns_pre_create(void)
 	return 0;
 }
 
+static int network_lock_internal(void)
+{
+	int exit_code = -1, nsret = -1, i;
+	char *cmds[][10] = {
+			{"iptables",  "-N", "CRIU",	NULL},
+			{"iptables",  "-A", "CRIU",	"-t", "filter", "-j", "DROP", NULL},
+			{"iptables",  "-I", "INPUT",	"-j", "CRIU", NULL},
+			{"iptables",  "-I", "OUTPUT",	"-j", "CRIU", NULL},
+			{"ip6tables", "-N", "CRIU",	NULL},
+			{"ip6tables", "-A", "CRIU",	"-t", "filter", "-j", "DROP", NULL},
+			{"ip6tables", "-I", "INPUT",	"-j", "CRIU", NULL},
+			{"ip6tables", "-I", "OUTPUT",	"-j", "CRIU", NULL},
+		};
+	/*
+	 * These rules will be dumped and restore, so we don't need
+	 * to block internal network on restore.
+	 */
+
+	if (switch_ns(root_item->pid.real, &net_ns_desc, &nsret))
+		return -1;
+
+	for (i = 0; i < sizeof(cmds) / sizeof(cmds[1]); i++) {
+		if (cr_system(-1, -1, -1, cmds[i][0], cmds[i]))
+			goto err;
+	}
+
+	exit_code = 0;
+err:
+	if (restore_ns(nsret, &net_ns_desc))
+		return -1;
+
+	return exit_code;
+}
+
+static int network_unlock_internal(void)
+{
+	int ret = 0, nsret = -1, i;
+	char *cmds[][10] = {
+			{"iptables", "-D",  "INPUT",	"-j", "CRIU", NULL},
+			{"iptables", "-D",  "OUTPUT",	"-j", "CRIU", NULL},
+			{"iptables", "-D",  "CRIU",	"-t", "filter", "-j", "DROP", NULL},
+			{"iptables", "-X",  "CRIU",	NULL},
+			{"ip6tables", "-D", "INPUT",	"-j", "CRIU", NULL},
+			{"ip6tables", "-D", "OUTPUT",	"-j", "CRIU", NULL},
+			{"ip6tables", "-D", "CRIU",	"-t", "filter", "-j", "DROP", NULL},
+			{"ip6tables", "-X", "CRIU",	NULL},
+		};
+
+	if (switch_ns(root_item->pid.real, &net_ns_desc, &nsret))
+		return -1;
+
+	for (i = 0; i < sizeof(cmds) / sizeof(cmds[1]); i++)
+		ret |= cr_system(-1, -1, -1, cmds[i][0], cmds[i]);
+
+	if (restore_ns(nsret, &net_ns_desc))
+		return -1;
+
+	return ret;
+}
+
 int network_lock(void)
 {
 	pr_info("Lock network\n");
@@ -815,7 +875,10 @@ int network_lock(void)
 	if  (!(root_ns_mask & CLONE_NEWNET))
 		return 0;
 
-	return run_scripts(ACT_NET_LOCK);
+	if (run_scripts(ACT_NET_LOCK))
+		return -1;
+
+	return network_lock_internal();
 }
 
 void network_unlock(void)
@@ -825,8 +888,10 @@ void network_unlock(void)
 	cpt_unlock_tcp_connections();
 	rst_unlock_tcp_connections();
 
-	if (root_ns_mask & CLONE_NEWNET)
+	if (root_ns_mask & CLONE_NEWNET) {
 		run_scripts(ACT_NET_UNLOCK);
+		network_unlock_internal();
+	}
 }
 
 int veth_pair_add(char *in, char *out)
-- 
2.4.3

More information about the CRIU mailing list