[CRIU] [PATCH 2/3] net: block all traffic in internal network

Andrew Vagin avagin at odin.com
Wed Sep 23 05:25:07 PDT 2015


On Thu, Sep 17, 2015 at 08:26:42PM +0300, Pavel Emelyanov wrote:
> 
> > +static int network_lock_internal(void)
> > +{
> > +	int exit_code = -1, nsret = -1, i;
> > +	char *cmds[][10] = {
> > +			{"iptables",  "-N", "CRIU",	NULL},
> > +			{"iptables",  "-A", "CRIU",	"-t", "filter", "-j", "DROP", NULL},
> > +			{"iptables",  "-I", "INPUT",	"-j", "CRIU", NULL},
> > +			{"iptables",  "-I", "OUTPUT",	"-j", "CRIU", NULL},
> > +			{"ip6tables", "-N", "CRIU",	NULL},
> > +			{"ip6tables", "-A", "CRIU",	"-t", "filter", "-j", "DROP", NULL},
> > +			{"ip6tables", "-I", "INPUT",	"-j", "CRIU", NULL},
> > +			{"ip6tables", "-I", "OUTPUT",	"-j", "CRIU", NULL},
> 
> Running this stuff even with cr_system will be incredibly slow :( Each iptables
> command is
> 
> - pull all the tables from kernel
> - parse them and insert a new rule
> - push all the tables back into kernel
> 
> Can we do it faster? Somehow?

Yes, we can. I think we can do this in one iteration. iptables doesn't
allow doing this, so we will need to handle these rules ourselves.
Unfortunately I don't have time to do that now, so I suggest committing
these patches to fix the bug and optimizing this process later.

> 
> > +		};
> > +	/*
> > +	 * These rules will be dumped and restore, so we don't need
> > +	 * to block internal network on restore.
> > +	 */
> > +
> > +	if (switch_ns(root_item->pid.real, &net_ns_desc, &nsret))
> > +		return -1;
> > +
> > +	for (i = 0; i < sizeof(cmds) / sizeof(cmds[1]); i++) {
> > +		if (cr_system(-1, -1, -1, cmds[i][0], cmds[i]))
> > +			goto err;
> > +	}
> > +
> > +	exit_code = 0;
> > +err:
> > +	if (restore_ns(nsret, &net_ns_desc))
> > +		return -1;
> > +
> > +	return exit_code;
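Review bot: network_lock_internal() is not idempotent, and every command in the list is fatal: if a `CRIU` chain was left behind by an earlier interrupted dump, `iptables -N CRIU` fails, the loop takes `goto err` before a single rule is added, and every later dump fails until someone deletes the chain by hand; likewise a host without `ip6tables` can never lock. Consider flushing and deleting any pre-existing `CRIU` chain first (the mirror of what network_unlock_internal() has to do anyway) and deciding explicitly whether a missing ip6tables should be an error. Two smaller points: the loop bound `sizeof(cmds) / sizeof(cmds[1])` only works because every row has the same size, so `sizeof(cmds[0])` (or an ARRAY_SIZE-style macro) is the idiomatic form, and the comment above `switch_ns` should read "dumped and restored".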
> 
> 
> > @@ -815,7 +875,10 @@ int network_lock(void)
> >  	if  (!(root_ns_mask & CLONE_NEWNET))
> >  		return 0;
> >  
> > -	return run_scripts(ACT_NET_LOCK);
> > +	if (run_scripts(ACT_NET_LOCK))
> > +		return -1;
> > +
> > +	return network_lock_internal();
> 
> If we lock all the traffic with iptables, I'd suggest not to call
> network lock scripts at all.

No, we can't do this. When we do online migrations, we don't stop a source
container and restore the same container. If we do not block the external
network, we will have two identical IP addresses in the network.

> 
> >  }
> >  
> >  void network_unlock(void)
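Review bot: the two lock steps are not unwound on partial failure in network_lock(): when `run_scripts(ACT_NET_LOCK)` succeeds and `network_lock_internal()` then fails, the function returns -1 with the external (script) lock still applied, so correctness depends on the caller's error path reaching network_unlock(). Either call `run_scripts(ACT_NET_UNLOCK)` on that failure here, or document that a failed network_lock() must always be followed by network_unlock().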
> > @@ -825,8 +888,10 @@ void network_unlock(void)
> >  	cpt_unlock_tcp_connections();
> >  	rst_unlock_tcp_connections();
> >  
> > -	if (root_ns_mask & CLONE_NEWNET)
> > +	if (root_ns_mask & CLONE_NEWNET) {
> >  		run_scripts(ACT_NET_UNLOCK);
> > +		network_unlock_internal();
> > +	}
> >  }
> >  
> >  int veth_pair_add(char *in, char *out)
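Review bot: the return value of network_unlock_internal() is discarded inside this void function, so a failure to remove the `CRIU` chain leaves the container with all traffic dropped after an otherwise successful dump, with nothing logged; at minimum log the failure. Also note the unlock order mirrors the lock order (scripts first, then the internal chain) instead of reversing it; with DROP-all rules this is harmless, but unlocking the internal chain first would make the sequence easier to reason about.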
> > 
> 
> -- Pavel

