[CRIU] implementing some kind of --leave-frozen option for c/r in CRIU

Tycho Andersen tycho.andersen at canonical.com
Wed May 18 11:12:05 PDT 2016


Hi Andrey,

On Tue, May 17, 2016 at 10:20:42AM -0700, Andrew Vagin wrote:
> Yesterday I tried to use a separate table in a case when netns isn't
> dumped:
> https://github.com/avagin/criu/commit/a3b3ae4e7db40f5b0d4456b27062484c9e27ad8a

Cool, thanks for this!

> here are two problems:
> * we need two tables to block input and output traffic
> * we need to generate unique names for these tables. We can't use fixed
>   names, because we may want to make checkpoint/restore a few times
>   simultaneously.

Re: the unique names, what if we add some parameter --iptables-suffix
so that the user can specify the suffix if they want. Otherwise, we
can just randomly generate a string that's say 10 characters long and
hope that they don't collide?

In lxc's case, we could just use the container's name as the suffix,
since we know that those are unique on the host. I assume the same
thing would be true of openvz.

If that sounds reasonable, I can adopt your patch + the
--iptables-suffix and my --leave-frozen patch and send the full set.

Tycho

> The profit from this approach is that:
> * we can unlock network very fast and don't need to enumerate sockets
>   for that.
> * It's easy to understand which rules were added by criu and a user
>   can easily clean them up himself
>
> > 
> > Tycho
> > 
> > > > 
> > > > static const char *nf_conn_cmd = "%s -t filter %s %s --protocol tcp "
> > > >         "--source %s --sport %d --destination %s --dport %d -j DROP";
> > > > 
> > > > Tycho
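
The scheme discussed above (two dedicated chains, one per direction, named with a user-supplied or random 10-character suffix, and cleaned up by name rather than by enumerating sockets), written out as an added shell example; this is not CRIU's own code or Tycho's patch. The CRIU_ prefix, the chain layout and the CRIU_IPT variable are assumptions for the demo; CRIU_IPT defaults to echoing the iptables commands so the script runs without root and without touching the host firewall.

```shell
#!/bin/sh
# Added example (not CRIU code): lock/unlock a network namespace's TCP
# traffic around a dump using uniquely named iptables chains.
# CRIU_IPT defaults to "echo iptables" so the commands are only printed.
CRIU_IPT="${CRIU_IPT:-echo iptables}"

# Random 10-character alphanumeric suffix, used when the caller does not
# pass one (the --iptables-suffix idea from the thread).
gen_suffix() {
    LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 10
}

# Chain name for a direction (INPUT or OUTPUT) and a suffix.
# The fixed CRIU_ prefix makes leftover rules easy to recognise and remove.
chain_name() {
    printf 'CRIU_%s_%s' "$1" "$2"
}

# Create one chain per direction, drop all TCP inside it, and jump to it
# from the builtin chain. Blocking is a single rule per direction, so no
# per-socket rules (like the nf_conn_cmd quoted above) are needed.
# Simplification: drops every TCP packet in the namespace where it runs.
net_lock() {
    for dir in INPUT OUTPUT; do
        chain=$(chain_name "$dir" "$1")
        $CRIU_IPT -t filter -N "$chain"
        $CRIU_IPT -t filter -A "$chain" --protocol tcp -j DROP
        $CRIU_IPT -t filter -I "$dir" -j "$chain"
    done
}

# Undo net_lock: detach the jump, flush and delete the chains. Only the
# CRIU_ chains are touched, so the fast path never inspects sockets.
net_unlock() {
    for dir in INPUT OUTPUT; do
        chain=$(chain_name "$dir" "$1")
        $CRIU_IPT -t filter -D "$dir" -j "$chain"
        $CRIU_IPT -t filter -F "$chain"
        $CRIU_IPT -t filter -X "$chain"
    done
}

# Usage: ./netlock.sh [suffix]; e.g. the lxc container name as suffix.
suffix="${1:-$(gen_suffix)}"
net_lock "$suffix"
net_unlock "$suffix"
```

Set CRIU_IPT=iptables (as root, inside the target netns) to apply the rules for real; two concurrent dumps collide only if they pick the same suffix.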
