[CRIU] [PATCH 2/3] net: block all traffic in internal network
Pavel Emelyanov
xemul at parallels.com
Thu Sep 17 10:26:42 PDT 2015
> +static int network_lock_internal(void)
> +{
> + int exit_code = -1, nsret = -1, i;
> + char *cmds[][10] = {
> + {"iptables", "-N", "CRIU", NULL},
> + {"iptables", "-A", "CRIU", "-t", "filter", "-j", "DROP", NULL},
> + {"iptables", "-I", "INPUT", "-j", "CRIU", NULL},
> + {"iptables", "-I", "OUTPUT", "-j", "CRIU", NULL},
> + {"ip6tables", "-N", "CRIU", NULL},
> + {"ip6tables", "-A", "CRIU", "-t", "filter", "-j", "DROP", NULL},
> + {"ip6tables", "-I", "INPUT", "-j", "CRIU", NULL},
> + {"ip6tables", "-I", "OUTPUT", "-j", "CRIU", NULL},
Running this stuff even with cr_system will be incredibly slow :( Each iptables
command has to
- pull all the tables from the kernel
- parse them and insert a new rule
- push all the tables back into the kernel
Can we do it faster? Somehow?
> + };
> + /*
> + * These rules will be dumped and restore, so we don't need
> + * to block internal network on restore.
> + */
> +
> + if (switch_ns(root_item->pid.real, &net_ns_desc, &nsret))
> + return -1;
> +
> + for (i = 0; i < sizeof(cmds) / sizeof(cmds[1]); i++) {
> + if (cr_system(-1, -1, -1, cmds[i][0], cmds[i]))
> + goto err;
> + }
> +
> + exit_code = 0;
> +err:
> + if (restore_ns(nsret, &net_ns_desc))
> + return -1;
> +
> + return exit_code;
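Review bot: The `err:` path leaves whatever rules were already inserted in place, so a failure on a later command (for example the ip6tables ones when IPv6 support is missing) returns -1 with the IPv4 DROP rules still active and the CRIU chain still present, and the next lock attempt then fails at `iptables -N CRIU` because the chain already exists. Unless the caller is guaranteed to run network_unlock() after a failed lock (not visible here), the error path should undo the partial state — delete the jump rules and the chain it managed to add — before returning. Two smaller points in the loop header: `sizeof(cmds) / sizeof(cmds[1])` works but the conventional form is `sizeof(cmds) / sizeof(cmds[0])`, and `int i` compared against a size_t draws a sign-compare warning, so `size_t i` would be cleaner. The closing brace of network_lock_internal() is not part of the quoted hunk.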
> @@ -815,7 +875,10 @@ int network_lock(void)
> if (!(root_ns_mask & CLONE_NEWNET))
> return 0;
>
> - return run_scripts(ACT_NET_LOCK);
> + if (run_scripts(ACT_NET_LOCK))
> + return -1;
> +
> + return network_lock_internal();
If we lock all the traffic with iptables, I'd suggest not calling the
network lock scripts at all.
> }
>
> void network_unlock(void)
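Review bot: If network_lock_internal() fails, network_lock() now returns -1 with the ACT_NET_LOCK scripts already applied and nothing compensating them, whereas the old single-step version could not end up half-locked. Unless the caller always follows a failed lock with network_unlock() (not visible in this excerpt), the failure branch should run the unlock scripts itself, e.g. `if (network_lock_internal()) { run_scripts(ACT_NET_UNLOCK); return -1; }`. The start of network_lock() lies outside the hunk.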
> @@ -825,8 +888,10 @@ void network_unlock(void)
> cpt_unlock_tcp_connections();
> rst_unlock_tcp_connections();
>
> - if (root_ns_mask & CLONE_NEWNET)
> + if (root_ns_mask & CLONE_NEWNET) {
> run_scripts(ACT_NET_UNLOCK);
> + network_unlock_internal();
> + }
> }
>
> int veth_pair_add(char *in, char *out)
>
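Review bot: The return value of `network_unlock_internal()` is discarded, so if removing the CRIU chain fails the tree silently stays with all INPUT/OUTPUT traffic dropped and nothing in the log explains why. network_unlock() is void, so the result cannot be propagated, but it should at least be reported, e.g. `if (network_unlock_internal()) pr_err("Can't unlock internal network\n");` — this assumes the helper returns an int like network_lock_internal() does; its definition is not in this excerpt. A one-line comment at the call site saying that the DROP rules travel with the dumped net namespace and therefore must be removed on the restore side too would help, since that fact is currently stated only inside network_lock_internal().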
-- Pavel