[Devel] [PATCH 0/5] netfilter: rework iptables containerization

Konstantin Khorenko khorenko at virtuozzo.com
Fri Jul 21 10:51:19 MSK 2017


Andrey, please review this patchset ASAP.

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 07/21/2017 10:23 AM, Stanislav Kinsburskiy wrote:
> This series is aimed to give CRIU an ability to suspend and restore
> VZ containers with disabled netfilter.
> The problem is that a CT doesn't have any netfilter objects when netfilter
> is disabled, while CRIU needs iptables to suspend and restore the container
> network reliably.
> This series does the following:
> 1) Makes netfilter table objects always created
> 2) Hides the corresponding proc entries in the CT if netfilter is disabled
> 3) Doesn't allow access to netfilter via sys_{get_set}sockopts in the CT if
> netfilter is disabled.
>
> With this series applied, CRIU is able to suspend a container, because it joins
> the container's network namespace while remaining in VE#0, thus all the netfilter
> stuff is always accessible.
>
> https://jira.sw.ru/browse/PSBM-58574
>
> ---
>
> Stanislav Kinsburskiy (5):
>       netfilter: ve_ipt_permitted() helper introduced
>       netfilter: control iptables entries visibility in CT by S_ISVTX
>       netfilter: check per-ve netfilter status on actual operation
>       netfilter: always create per-net "filter" tables objects
>       netfilter: always create netfilter per-net objects for ipv4/ipv6
>
>
>  include/linux/netfilter.h            |    3 +++
>  net/ipv4/ip_sockglue.c               |    7 +++++++
>  net/ipv4/netfilter/ip_tables.c       |    5 -----
>  net/ipv4/netfilter/iptable_filter.c  |    6 ------
>  net/ipv6/netfilter/ip6_tables.c      |    6 ------
>  net/ipv6/netfilter/ip6table_filter.c |    6 ------
>  net/netfilter/x_tables.c             |   10 +++++++---
>  7 files changed, 17 insertions(+), 26 deletions(-)
>
> --