checkpoint-restore / criu

Checkpoint/Restore tool
criu.org

net: fix network unlock with iptables-nft #2323

Closed rst0git closed 5 months ago

rst0git commented 6 months ago

When iptables-nft is used as the backend for iptables, the rules for network locking are translated into the following nft rules:

```console
$ iptables-restore-translate -f lock.txt
add table ip filter
add chain ip filter CRIU
insert rule ip filter INPUT counter jump CRIU
insert rule ip filter OUTPUT counter jump CRIU
add rule ip filter CRIU mark 0xc114 counter accept
add rule ip filter CRIU counter drop
```

These rules create the following chains:

```
table ip filter { # handle 1
    chain CRIU { # handle 1
        meta mark 0x0000c114 counter packets 16 bytes 890 accept # handle 6
        counter packets 1 bytes 60 drop # handle 7
        meta mark 0x0000c114 counter packets 0 bytes 0 accept # handle 8
        counter packets 0 bytes 0 drop # handle 9
    }

    chain INPUT { # handle 2
        type filter hook input priority filter; policy accept;
        counter packets 8 bytes 445 jump CRIU # handle 3
        counter packets 0 bytes 0 jump CRIU # handle 10
    }

    chain OUTPUT { # handle 4
        type filter hook output priority filter; policy accept;
        counter packets 9 bytes 505 jump CRIU # handle 5
        counter packets 0 bytes 0 jump CRIU # handle 11
    }
}
```

In order to delete the CRIU chain, we need to first delete all four jump targets. Otherwise, `-X CRIU` would fail with the following error:

```
iptables-restore v1.8.10 (nf_tables):
line 5: CHAIN_DEL failed (Resource busy): chain CRIU
```

Fixes: #2313
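The cleanup the description walks through (remove every jump into CRIU before the chain itself can go) as an added example that is not CRIU's code and not the change in this PR: a small Python helper that parses an `nft list table ip filter` listing like the one above and emits the nft commands, in order, that unlock the network even when the jump rules were duplicated. It uses nft rule handles rather than the iptables-restore path the PR fixes, and the listing is the page's own output embedded as constructed input; `nft` itself is never invoked.

```python
import re

# Constructed sample: the `nft list table ip filter` output from the PR
# description, with both duplicated jump rules present.
SAMPLE_LISTING = """\
table ip filter { # handle 1
    chain CRIU { # handle 1
        meta mark 0x0000c114 counter packets 16 bytes 890 accept # handle 6
        counter packets 1 bytes 60 drop # handle 7
        meta mark 0x0000c114 counter packets 0 bytes 0 accept # handle 8
        counter packets 0 bytes 0 drop # handle 9
    }
    chain INPUT { # handle 2
        type filter hook input priority filter; policy accept;
        counter packets 8 bytes 445 jump CRIU # handle 3
        counter packets 0 bytes 0 jump CRIU # handle 10
    }
    chain OUTPUT { # handle 4
        type filter hook output priority filter; policy accept;
        counter packets 9 bytes 505 jump CRIU # handle 5
        counter packets 0 bytes 0 jump CRIU # handle 11
    }
}
"""

CHAIN_RE = re.compile(r"^\s*chain (\S+) \{")
RULE_RE = re.compile(r"^\s*(.*?)\s*# handle (\d+)$")


def find_jumps(listing, target="CRIU"):
    """Return (chain, handle) for every rule outside `target` that jumps to it."""
    jumps, chain = [], None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        if line.strip() == "}":
            chain = None  # end of the current chain (or of the table)
            continue
        m = RULE_RE.match(line)
        if m and chain and chain != target and m.group(1).endswith(f"jump {target}"):
            jumps.append((chain, int(m.group(2))))
    return jumps


def unlock_commands(listing, table="ip filter", target="CRIU"):
    """nft commands (hypothetical helper): drop every jump, then flush and delete the chain."""
    cmds = [f"delete rule {table} {chain} handle {h}" for chain, h in find_jumps(listing, target)]
    return cmds + [f"flush chain {table} {target}", f"delete chain {table} {target}"]
```

Because every reference is removed first, the final `delete chain` no longer hits the `CHAIN_DEL failed (Resource busy)` error shown above.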

codecov-commenter commented 6 months ago

Codecov Report

Attention: 5 lines in your changes are missing coverage. Please review.

Comparison is base (50aa6da) 70.51% compared to head (b7482ae) 70.62%.

Current head b7482ae differs from pull request most recent head e35df4d. Consider uploading reports for the commit e35df4d to get more accurate results.

| Files | Patch % | Lines |
|---|---|---|
| criu/net.c | 76.19% | 5 Missing |

Additional details and impacted files:

```diff
@@            Coverage Diff             @@
##           criu-dev    #2323      +/-   ##
============================================
+ Coverage     70.51%   70.62%   +0.10%
============================================
  Files           133      133
  Lines         33534    33556      +22
============================================
+ Hits          23646    23698      +52
+ Misses         9888     9858      -30
```


mihalicyn commented 5 months ago

Great job, Radostin!

LGTM.

to discuss: probably at some point it makes sense to change the `NETWORK_LOCK_DEFAULT` value to `NETWORK_LOCK_NFTABLES`.