[CRIU] Network locking with bpf instead of iptables-restore

Pavel Emelianov xemul at virtuozzo.com
Wed Mar 27 22:15:28 MSK 2019


On 3/27/19 4:19 PM, Adrian Reber wrote:
> I am just curious if this has already been discussed. Instead of running
> iptables-restore to lock and unlock the network, would creating a bpf
> based network lock and unlock be possible?

We wanted this in the early days of criu, but at that time the only possibility
we found was to use the libnetfilter library, which could load the full nf config
from the kernel, modify it and push it back.

> Something like systemd does here:
> 
> https://github.com/systemd/systemd/blob/master/src/core/bpf-firewall.c
> 
> Wouldn't it be possible to lose the dependency on iptables-restore if we
> could directly add firewall rules using bpf?

That'd be awesome! I wonder if we can still push this onto the GSoC ideas page
and attract some attention from students? :)

-- Pavel
