[CRIU] [PATCH] net: drop network traffic for loopback device only

Tue Jan 17 19:34:44 PST 2017

On Tue, Jan 17, 2017 at 12:08:18PM -0800, Stanislav Kinsburskiy wrote:
> 
> 
> 17 янв. 2017 г. 9:05 PM пользователь Andrey Vagin <avagin at virtuozzo.com>
> написал:
> 
>     On Mon, Jan 16, 2017 at 07:04:50PM +0300, Stanislav Kinsburskiy wrote:
>     > The intention of commit 61b8fc264f55e15dea90350834a50d551d33bffa was to
>     drop
>     > local traffic only.
>     > But there was a side effect: iptables rules were blocking all the traffic
>     > including external communication.
>     > While it's not a big problem by itself, it significantly complicates
>     external
>     > communication when needed (say, in case of NFS files), because forces one
>     to
>     > unmask NFS routes within container.
>     > Let's get rid of this side effect by limiting rules to loopback
>     interface.
>     > External traffic blocking is controlled outside containers anyway.

Can you show where we block traffic in libvzctl?

> 
>     * Does it controlled for venet?
> 
> 
> Sorry, I don't understand the question.
> 
> 
>     * Both ends of a local tcp connection can be bond to an ip address
>       (which is set to any interface). I am not sure that this hack will
>       work for this case.
> 
> 
> Well, I was assured, that even it this case traffic is considered as local, and
> transfered via loopback.
> 
> 
> 
>     >
>     > Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
>     > ---
>     >  criu/net.c |    8 ++++----
>     >  1 file changed, 4 insertions(+), 4 deletions(-)
>     >
>     > diff --git a/criu/net.c b/criu/net.c
>     > index 080c617..d75c9fa 100644
>     > --- a/criu/net.c
>     > +++ b/criu/net.c
>     > @@ -1547,8 +1547,8 @@ static int network_lock_internal()
>     >  {
>     >        char conf[] =   "*filter\n"
>     >                                ":CRIU - [0:0]\n"
>     > -                             "-I INPUT -j CRIU\n"
>     > -                             "-I OUTPUT -j CRIU\n"
>     > +                             "-I INPUT -i lo -j CRIU\n"
>     > +                             "-I OUTPUT -o lo -j CRIU\n"
>     >                                "-A CRIU -j DROP\n"
>     >                                "COMMIT\n";
>     >        int ret = 0, nsret;
>     > @@ -1571,8 +1571,8 @@ static int network_unlock_internal()
>     >  {
>     >        char conf[] =   "*filter\n"
>     >                        ":CRIU - [0:0]\n"
>     > -                     "-D INPUT -j CRIU\n"
>     > -                     "-D OUTPUT -j CRIU\n"
>     > +                     "-D INPUT -i lo -j CRIU\n"
>     > +                     "-D OUTPUT -o lo -j CRIU\n"
>     >                        "-X CRIU\n"
>     >                        "COMMIT\n";
>     >        int ret = 0, nsret;
>     >
> 
> 