[CRIU] Network locking with bpf instead of iptables-restore

Adrian Reber adrian at lisas.de
Thu Mar 28 19:58:39 MSK 2019


On Thu, Mar 28, 2019 at 09:35:27AM -0700, Andrei Vagin wrote:
> On Wed, Mar 27, 2019 at 6:20 AM Adrian Reber <adrian at lisas.de> wrote:
> >
> > I am just curious if this has already been discussed. Instead of running
> > iptables-restore to lock and unlock the network, would creating a bpf
> > based network lock and unlock be possible?
> >
> > Something like systemd does here:
> >
> > https://github.com/systemd/systemd/blob/master/src/core/bpf-firewall.c
> >
> > Wouldn't it be possible to lose the dependency on iptables-restore if we
> > could directly add firewall rules using bpf?
> 
> Yes, it would be. This idea appeared a few times in different discussions,
> but there were no volunteers to implement this. I agree
> with Pavel that this can be a good idea for GSoC.

https://criu.org/Google_Summer_of_Code_Ideas#Use_eBPF_to_lock_and_unlock_the_network

Please fix/enhance/change if necessary.

		Adrian
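The cgroup-based lock the thread is asking about, as an added example (not code from CRIU or from systemd's bpf-firewall.c): it assumes a Linux host with the uapi headers, cgroup v2 and the privilege to load BPF programs, and the names net_lock/net_unlock and the choice of passing an open cgroup directory fd are this example's own.

```c
#include <linux/bpf.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Lock program: "r0 = 0; exit". A cgroup/skb program returning 0 drops the packet. */
static int build_lock_prog(struct bpf_insn *insns) {
    insns[0] = (struct bpf_insn){ .code = BPF_ALU64 | BPF_MOV | BPF_K, .dst_reg = BPF_REG_0 };
    insns[1] = (struct bpf_insn){ .code = BPF_JMP | BPF_EXIT };
    return 2;
}

/* Run BPF_PROG_ATTACH or BPF_PROG_DETACH for both ingress and egress of the cgroup;
 * cgroup_fd is an open cgroup v2 directory. Returns -1 if either call fails. */
static int both_dirs(int cmd, int cgroup_fd, int prog_fd) {
    union bpf_attr attr;
    int dir, rc = 0;
    for (dir = BPF_CGROUP_INET_INGRESS; dir <= BPF_CGROUP_INET_EGRESS; dir++) {
        memset(&attr, 0, sizeof(attr));
        attr.target_fd = cgroup_fd;
        attr.attach_bpf_fd = prog_fd;
        attr.attach_type = dir;
        if (syscall(__NR_bpf, cmd, &attr, sizeof(attr)) < 0)
            rc = -1;
    }
    return rc;
}

/* Lock: load the drop-all program and attach it. Returns the program fd
 * (needed by net_unlock) or -1; a half-attached lock is rolled back. */
int net_lock(int cgroup_fd) {
    struct bpf_insn insns[2];
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.prog_type = BPF_PROG_TYPE_CGROUP_SKB;
    attr.insn_cnt = build_lock_prog(insns);
    attr.insns = (unsigned long)insns;
    attr.license = (unsigned long)"GPL";
    int prog_fd = syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
    if (prog_fd >= 0 && both_dirs(BPF_PROG_ATTACH, cgroup_fd, prog_fd) < 0) {
        both_dirs(BPF_PROG_DETACH, cgroup_fd, prog_fd);
        close(prog_fd);
        prog_fd = -1;
    }
    return prog_fd;
}

/* Unlock: detach both directions and release the program. */
int net_unlock(int cgroup_fd, int prog_fd) {
    int rc = both_dirs(BPF_PROG_DETACH, cgroup_fd, prog_fd);
    close(prog_fd);
    return rc;
}
```

Unlike an iptables rule, which applies to the whole network namespace, this lock only covers the inet sockets of tasks inside that cgroup, so the cgroup has to contain the entire tree being checkpointed.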

