[CRIU] [PATCH 2/3] net: block all traffic in internal network
Andrew Vagin
avagin at odin.com
Wed Sep 23 05:25:07 PDT 2015
On Thu, Sep 17, 2015 at 08:26:42PM +0300, Pavel Emelyanov wrote:
>
> > +static int network_lock_internal(void)
> > +{
> > + int exit_code = -1, nsret = -1, i;
> > + char *cmds[][10] = {
> > + {"iptables", "-N", "CRIU", NULL},
> > + {"iptables", "-A", "CRIU", "-t", "filter", "-j", "DROP", NULL},
> > + {"iptables", "-I", "INPUT", "-j", "CRIU", NULL},
> > + {"iptables", "-I", "OUTPUT", "-j", "CRIU", NULL},
> > + {"ip6tables", "-N", "CRIU", NULL},
> > + {"ip6tables", "-A", "CRIU", "-t", "filter", "-j", "DROP", NULL},
> > + {"ip6tables", "-I", "INPUT", "-j", "CRIU", NULL},
> > + {"ip6tables", "-I", "OUTPUT", "-j", "CRIU", NULL},
>
> Running this stuff even with cr_system will be incredibly slow :( Each iptables
> command is
>
> - pull all the tables from kernel
> - parse them and insert a new rule
> - push all the tables back into kernel
>
> Can we do it faster? Somehow?
Yes, we can. I think we can do this for one iteration. iptables doesn't
allow to do this, so we will need to hangle these rules ourself.
Unfortunately I don't have time to do that now, so I suggest to commit
these patches to fix the bug and optimize this process later.
>
> > + };
> > + /*
> > + * These rules will be dumped and restore, so we don't need
> > + * to block internal network on restore.
> > + */
> > +
> > + if (switch_ns(root_item->pid.real, &net_ns_desc, &nsret))
> > + return -1;
> > +
> > + for (i = 0; i < sizeof(cmds) / sizeof(cmds[1]); i++) {
> > + if (cr_system(-1, -1, -1, cmds[i][0], cmds[i]))
> > + goto err;
> > + }
> > +
> > + exit_code = 0;
> > +err:
> > + if (restore_ns(nsret, &net_ns_desc))
> > + return -1;
> > +
> > + return exit_code;
>
>
> > @@ -815,7 +875,10 @@ int network_lock(void)
> > if (!(root_ns_mask & CLONE_NEWNET))
> > return 0;
> >
> > - return run_scripts(ACT_NET_LOCK);
> > + if (run_scripts(ACT_NET_LOCK))
> > + return -1;
> > +
> > + return network_lock_internal();
>
> If we lock all the traffic with iptables, I'd suggest not to call
> network lock scripts at all.
No, we can't do this. When we do online migrations, we don't stop a source
container and restore the same container. If we will not block external
network, we will have two identical ip addresses in network.
>
> > }
> >
> > void network_unlock(void)
> > @@ -825,8 +888,10 @@ void network_unlock(void)
> > cpt_unlock_tcp_connections();
> > rst_unlock_tcp_connections();
> >
> > - if (root_ns_mask & CLONE_NEWNET)
> > + if (root_ns_mask & CLONE_NEWNET) {
> > run_scripts(ACT_NET_UNLOCK);
> > + network_unlock_internal();
> > + }
> > }
> >
> > int veth_pair_add(char *in, char *out)
> >
>
> -- Pavel
More information about the CRIU
mailing list