checkpoint-restore / criu

Checkpoint/Restore tool
criu.org

Nft vs iptables-nft problems #2105

Open Snorch opened 1 year ago

Snorch commented 1 year ago

On the one hand we have examples of some rules which can be created with the iptables-nft utility and can't be dumped/restored with the nft utility, for instance:

ip6tables-nft -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT  # Multicast Listener Query [RFC2710]
ip6tables-nft -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT  # Multicast Listener Report [RFC2710]
ip6tables-nft -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT  # Multicast Listener Done [RFC2710]

Or we have physdev or match-set compatibility rules in iptables-nft which are not supported by the nft utility.

On the other hand, the nft utility can create tables with arbitrary names:

nft add table newtable

which can't be dumped or restored with iptables-nft.

I found an article where it is said that "Mixing iptables-nft and nft on the other hand is not unproblematic, either. A good rule of thumb to avoid issues is to not touch the tables iptables-nft creates with nft." https://www.redhat.com/en/blog/using-iptables-nft-hybrid-linux-firewall

The conclusion here is that nft and iptables-nft are completely incompatible with each other in terms of dumping nftables rules in CRIU: some simple rules created by one may work with the other, but surely not all of them, as the examples above show.

When it comes to CRIU, we don't know if the nftables rules were created by nft or iptables-nft, or even by both of them, in the dumpee netns. So it's hard for CRIU to follow the "not to mix" rule.

I've prepared a fix for this problem in the Virtuozzo CRIU fork (where we have all kinds of rules in Virtuozzo containers, created both with nft and iptables-nft), which looks to me more like a workaround:

So for now in Virtuozzo criu, where we have all kinds of rules in containers created both with nft and iptables-nft, I've prepared a fix which uses both nft and iptables-nft:
https://github.com/OpenVZ/vzcriu/commit/d986e6df1aa9013556cc86440e8b7616c07299f0
https://github.com/OpenVZ/vzcriu/commit/8baea43807c725f57975b567f8a269158720b208
And it works somehow.

Note that I do not use libnft to call the nft tool in it, as I need to call iptables-nft directly anyway, so to be symmetric I call them both directly, without a library.

Questions are: do we want this in mainstream? Is there a better way?
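An added check, not part of this issue or of CRIU, that a practitioner could run over `nft list ruleset` output from the dumpee netns before checkpointing, to see which tables need which tool. It assumes nft prints iptables-nft compat expressions as `xt match "..."` / `xt target "..."` and that iptables-nft only manages the fixed family/name set below; the ruleset is a constructed sample.

```shell
#!/bin/sh
# Added example (not CRIU's or Virtuozzo's code): classify each table in an
# `nft list ruleset` dump by which tool can round-trip it.
# Assumption: nft renders iptables-nft compat expressions as
#   xt match "<name>"  /  xt target "<name>"
# and iptables-nft only manages ip/ip6 tables named filter|nat|mangle|raw|security.

# Constructed sample standing in for `nft list ruleset` in the dumpee netns.
SAMPLE_RULESET='table ip6 filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        meta l4proto ipv6-icmp xt match "icmp6" counter accept
    }
}
table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy accept;
        xt match "physdev" counter accept
    }
}
table inet newtable {
    chain c {
        tcp dport 22 accept
    }
}
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }
}'

# classify_tables RULESET_TEXT
# Prints one line per table: "<family> <name> <tool>" where tool is
#   iptables-nft : contains xt compat expressions, nft alone cannot restore it
#   nft          : family/name outside iptables-nft's set, iptables-nft cannot see it
#   shared       : an iptables-nft-managed table with only native expressions
classify_tables() {
    printf '%s\n' "$1" | awk '
    /^table / { fam = $2; name = $3; xt = 0; next }
    /xt (match|target) "/ { xt = 1 }
    /^}/ {
        if (xt) tool = "iptables-nft"
        else if ((fam == "ip" || fam == "ip6") && name ~ /^(filter|nat|mangle|raw|security)$/) tool = "shared"
        else tool = "nft"
        print fam, name, tool
    }'
}

classify_tables "$SAMPLE_RULESET"
```

A dump containing both `iptables-nft` and `nft` lines is exactly the mixed case the issue describes, where neither tool alone can restore the netns.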

github-actions[bot] commented 1 year ago

A friendly reminder that this issue had no activity for 30 days.

rst0git commented 10 months ago

Questions are: do we want this in mainstream? Is there a better way?

It looks like we would need functionality similar to --nftables-mode in mainstream CRIU to fix the problem described in https://github.com/checkpoint-restore/criu/issues/2313.

@Snorch Would it be okay if I add these changes in https://github.com/checkpoint-restore/criu/pull/2323?

Snorch commented 10 months ago

Would it be okay if I add these changes in https://github.com/checkpoint-restore/criu/pull/2323?

@rst0git If it helps, sure, please do!

I just don't have so much time to port everything from OpenVZ repos (600+ patches) to mainstream, but if there is something useful in it - please don't hesitate to port it =)