[CRIU] Network locking with bpf instead of iptables-restore

Andrei Vagin avagin at gmail.com
Thu Mar 28 19:35:27 MSK 2019


On Wed, Mar 27, 2019 at 6:20 AM Adrian Reber <adrian at lisas.de> wrote:
>
> I am just curious if this has already been discussed. Instead of running
> iptables-restore to lock and unlock the network, would creating a bpf
> based network lock and unlock be possible?
>
> Something like systemd does here:
>
> https://github.com/systemd/systemd/blob/master/src/core/bpf-firewall.c
>
> Wouldn't it be possible to lose the dependency on iptables-restore if we
> could directly add firewall rules using bpf?

Yes, it would be. This idea appeared a few times in different discussions,
but there were no volunteers to implement this. I agree
with Pavel that this can be a good idea for GSoC.

>
>                 Adrian
> _______________________________________________
> CRIU mailing list
> CRIU at openvz.org
> https://lists.openvz.org/mailman/listinfo/criu

