[CRIU] [PATCH] net: drop network traffic for loopback device only

Andrei Vagin avagin at virtuozzo.com
Tue Jan 17 12:05:21 PST 2017


On Mon, Jan 16, 2017 at 07:04:50PM +0300, Stanislav Kinsburskiy wrote:
> The intention of commit 61b8fc264f55e15dea90350834a50d551d33bffa was to drop
> local traffic only.
> But there was a side effect: iptables rules were blocking all the traffic
> including external communication.
> While it's not a big problem by itself, it significantly complicates external
> communication when needed (say, in case of NFS files), because it forces one to
> unmask NFS routes within container.
> Let's get rid of this side effect by limiting rules to loopback interface.
> External traffic blocking is controlled outside containers anyway.

* Is it controlled for venet?
* Both ends of a local tcp connection can be bound to an ip address
  (which is set to any interface). I am not sure that this hack will
  work for this case.

> 
> Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
> ---
>  criu/net.c |    8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/criu/net.c b/criu/net.c
> index 080c617..d75c9fa 100644
> --- a/criu/net.c
> +++ b/criu/net.c
> @@ -1547,8 +1547,8 @@ static int network_lock_internal()
>  {
>  	char conf[] =	"*filter\n"
>  				":CRIU - [0:0]\n"
> -				"-I INPUT -j CRIU\n"
> -				"-I OUTPUT -j CRIU\n"
> +				"-I INPUT -i lo -j CRIU\n"
> +				"-I OUTPUT -o lo -j CRIU\n"
>  				"-A CRIU -j DROP\n"
>  				"COMMIT\n";
>  	int ret = 0, nsret;
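Review bot: the `-i lo` / `-o lo` qualifiers narrow the DROP by ingress/egress device rather than by address, so the hunk does not by itself show that a local TCP connection between two sockets bound to a non-loopback address (or traffic on venet, as the reply asks) still traverses the CRIU chain; any local connection that escapes these rules is no longer frozen during dump, which defeats the lock. Suggest either stating in the commit message why such traffic is still matched, or extending the match so the rules key on the local addresses as well as on `lo`.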
> @@ -1571,8 +1571,8 @@ static int network_unlock_internal()
>  {
>  	char conf[] =	"*filter\n"
>  			":CRIU - [0:0]\n"
> -			"-D INPUT -j CRIU\n"
> -			"-D OUTPUT -j CRIU\n"
> +			"-D INPUT -i lo -j CRIU\n"
> +			"-D OUTPUT -o lo -j CRIU\n"
>  			"-X CRIU\n"
>  			"COMMIT\n";
>  	int ret = 0, nsret;
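Review bot: the `-D INPUT -i lo -j CRIU` / `-D OUTPUT -o lo -j CRIU` lines must match the inserted rules exactly, otherwise `iptables-restore` fails, the chain is still referenced and `-X CRIU` fails too, leaving the DROP rules in place after the unlock; since `network_lock_internal()` and `network_unlock_internal()` now duplicate the same match string, define the match once (e.g. a shared macro for `-i lo` / `-o lo`) so the two `conf` strings cannot drift apart. Note also that a lock installed by a build with the old `-I INPUT -j CRIU` rules cannot be removed by this version of the unlock.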
> 
