[CRIU] [PATCH] net: drop network traffic for loopback device only

Stanislav Kinsburskiy skinsbursky at virtuozzo.com
Mon Jan 16 08:04:50 PST 2017


The intention of commit 61b8fc264f55e15dea90350834a50d551d33bffa was to drop
local traffic only.
But there was a side effect: iptables rules were blocking all the traffic,
including external communication.
While it's not a big problem by itself, it significantly complicates external
communication when needed (say, in case of NFS files), because it forces one to
unmask NFS routes within the container.
Let's get rid of this side effect by limiting the rules to the loopback interface.
External traffic blocking is controlled outside containers anyway.

Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
---
 criu/net.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/criu/net.c b/criu/net.c
index 080c617..d75c9fa 100644
--- a/criu/net.c
+++ b/criu/net.c
@@ -1547,8 +1547,8 @@ static int network_lock_internal()
 {
 	char conf[] =	"*filter\n"
 				":CRIU - [0:0]\n"
-				"-I INPUT -j CRIU\n"
-				"-I OUTPUT -j CRIU\n"
+				"-I INPUT -i lo -j CRIU\n"
+				"-I OUTPUT -o lo -j CRIU\n"
 				"-A CRIU -j DROP\n"
 				"COMMIT\n";
 	int ret = 0, nsret;
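Review bot: the new `-I INPUT -i lo -j CRIU` / `-I OUTPUT -o lo -j CRIU` rules in network_lock_internal() silently narrow what the lock protects, and the function carries no comment saying so. Packets on non-loopback interfaces can now reach and leave the task's sockets during dump, so established external TCP connections are no longer frozen by this lock; that is acceptable only under the commit message's stated assumption that external traffic is blocked outside the container. Please record that assumption in a comment next to `conf[]`, e.g. `/* Only loopback traffic is dropped here; external traffic is expected to be locked by the container runtime. */`, so a later reader does not assume the lock is still complete.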
@@ -1571,8 +1571,8 @@ static int network_unlock_internal()
 {
 	char conf[] =	"*filter\n"
 			":CRIU - [0:0]\n"
-			"-D INPUT -j CRIU\n"
-			"-D OUTPUT -j CRIU\n"
+			"-D INPUT -i lo -j CRIU\n"
+			"-D OUTPUT -o lo -j CRIU\n"
 			"-X CRIU\n"
 			"COMMIT\n";
 	int ret = 0, nsret;
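Review bot: the `-D INPUT -i lo -j CRIU` / `-D OUTPUT -o lo -j CRIU` lines in network_unlock_internal() must match the inserted rules byte-for-byte, otherwise the delete is a no-op and the following `-X CRIU` fails because the chain is still referenced. The same four rule strings are now duplicated between network_lock_internal() and network_unlock_internal(); consider building both the `-I` and `-D` forms from one shared definition (the `-i lo` / `-o lo` part in particular) so the two cannot drift apart. It is also worth checking the unlock path against a lock left behind by a previous version that inserted the rules without `-i lo`, since that would leave the old jump in place and the chain undeletable.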