[Devel] [PATCH 0/5] netfilter: rework iptables containerization

Stanislav Kinsburskiy skinsbursky at virtuozzo.com
Fri Jul 21 10:23:08 MSK 2017


This series is aimed to give CRIU an ability to suspend and restore
VZ containers with disabled netfilter.
The problem is that CT doesn't have any netfilter objects when netfilter
is disabled, while CRIU needs iptables to suspend and restore container
network reliably.
This series does the following:
1) Makes netfilter tables objects always created
2) Hides corresponding proc entries in CT, if netfilter is disabled
3) Doesn't allow access to netfilter via sys_{get,set}sockopt in CT if
netfilter is disabled.

With this series applied, CRIU is able to suspend a container, because it joins
the container's network namespace while remaining in VE#0, thus all the netfilter stuff
is always accessible.

https://jira.sw.ru/browse/PSBM-58574

---

Stanislav Kinsburskiy (5):
      netfilter: ve_ipt_permitted() helper introduced
      netfilter: control iptables entries visibility in CT by S_ISVTX
      netfilter: check per-ve netfilter status on actual operation
      netfilter: always create per-net "filter" tables objects
      netfilter: always create netfilter per-net objects for ipv4/ipv6


 include/linux/netfilter.h            |    3 +++
 net/ipv4/ip_sockglue.c               |    7 +++++++
 net/ipv4/netfilter/ip_tables.c       |    5 -----
 net/ipv4/netfilter/iptable_filter.c  |    6 ------
 net/ipv6/netfilter/ip6_tables.c      |    6 ------
 net/ipv6/netfilter/ip6table_filter.c |    6 ------
 net/netfilter/x_tables.c             |   10 +++++++---
 7 files changed, 17 insertions(+), 26 deletions(-)
