[CRIU] [PATCH 04/21] net: add criu iptables rules at the head of the chain
Andrei Vagin
avagin at openvz.org
Mon Nov 28 11:27:39 PST 2016
From: Andrei Vagin <avagin at virtuozzo.com>
CRIU uses iptables rules to block tcp connections and
if rules are added at the tail of the chain, other rules
can accept packets which have to be blocked.
Signed-off-by: Andrei Vagin <avagin at virtuozzo.com>
---
criu/netfilter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/criu/netfilter.c b/criu/netfilter.c
index 2ba331e..1896365 100644
--- a/criu/netfilter.c
+++ b/criu/netfilter.c
@@ -74,7 +74,7 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,
snprintf(buf, sizeof(buf), NF_CONN_CMD, cmd,
kdat.has_xtlocks ? "-w" : "",
- lock ? "-A" : "-D",
+ lock ? "-I" : "-D",
input ? "INPUT" : "OUTPUT",
dip, (int)dst_port, sip, (int)src_port);
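Review bot: `-I` with no rule number inserts at position 1 of INPUT/OUTPUT, so the DROP now lands ahead of any pre-existing ACCEPT rules, which is what the commit message wants; consider adding a one-line comment next to `lock ? "-I" : "-D"` saying the head position is intentional, since a later cleanup could easily "normalize" it back to `-A` and silently reintroduce the bug. The unlock path keeps `-D`, which matches by rule specification rather than position, so insert and delete remain symmetric as long as both go through the same NF_CONN_CMD format string. One caveat worth recording: the head position is only guaranteed at insertion time; a rule inserted afterwards by another agent (for example a firewall daemon reloading its ruleset during the dump) would still be evaluated first.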
--
2.7.4