diff --git a/Documentation/criu.txt b/Documentation/criu.txt
index 037257190..690f61e14 100644
--- a/Documentation/criu.txt
+++ b/Documentation/criu.txt
@@ -420,6 +420,19 @@ The 'mode' may be one of the following: build-ID cannot be obtained, 'chksm-first' method will be used. This is the default if mode is unspecified. +*--network-lock* ['mode']:: + Set the method to be used for network locking/unlocking. Locking is done + to ensure that tcp packets are dropped between dump and restore. This is + done to avoid the kernel sending RST when a packet arrives destined for + the dumped process. ++ +The 'mode' may be one of the following: + *iptables*::: Use iptables rules to drop the packets. + This is the default if 'mode' is not specified. + + *nftables*::: Use nftables rules to drop the packets. + *restore* ~~~~~~~~~ Restores previously checkpointed processes.
diff --git a/criu/config.c b/criu/config.c
index a851f69df..91fb0b64d 100644
--- a/criu/config.c
+++ b/criu/config.c
@@ -428,6 +428,7 @@ void init_opts(void)
 opts.log_level = DEFAULT_LOGLEVEL;
 opts.pre_dump_mode = PRE_DUMP_SPLICE;
 opts.file_validation_method = FILE_VALIDATION_DEFAULT;
+ opts.network_lock_method = NETWORK_LOCK_DEFAULT;
 }
 bool deprecated_ok(char *what)
@@ -606,6 +607,7 @@ int parse_options(int argc, char **argv, bool *usage_error, bool *has_exec_cmd,
 char *cfg_file = NULL;
 char **_argv = NULL;
 int _argc = 0;
+ bool has_network_lock_opt = false;
 #define BOOL_OPT(OPT_NAME, SAVE_TO) \
 { OPT_NAME, no_argument, SAVE_TO, true }, \
@@ -694,6 +696,7 @@ int parse_options(int argc, char **argv, bool *usage_error, bool *has_exec_cmd,
 { "pre-dump-mode", required_argument, 0, 1097 },
 { "file-validation", required_argument, 0, 1098 },
 { "lsm-mount-context", required_argument, 0, 1099 },
+ { "network-lock", required_argument, 0, 1100 },
 {},
 };
@@ -1018,6 +1021,17 @@ int parse_options(int argc, char **argv, bool *usage_error, bool *has_exec_cmd,
 case 1099:
 SET_CHAR_OPTS(lsm_mount_context, optarg);
 break;
+ case 1100:
+ has_network_lock_opt = true;
+ if (!strcmp("iptables", optarg)) {
+ opts.network_lock_method = NETWORK_LOCK_IPTABLES;
+ } else if (!strcmp("nftables", optarg)) {
+ opts.network_lock_method = NETWORK_LOCK_NFTABLES;
+ } else {
+ pr_err("Invalid value for --network-lock: %s\n", optarg);
+ return 1;
+ }
+ break;
 case 'V':
 pr_msg("Version: %s\n", CRIU_VERSION);
 if (strcmp(CRIU_GITID, "0"))
@@ -1031,6 +1045,11 @@ int parse_options(int argc, char **argv, bool *usage_error, bool *has_exec_cmd,
 }
 }
+ if (has_network_lock_opt && !strcmp(argv[optind], "restore")) {
+ pr_warn("--network-lock will be ignored in restore command\n");
+ pr_info("Network lock method from dump will be used in restore\n");
+ }
+
 return 0;
 bad_arg:
diff --git a/criu/crtools.c b/criu/crtools.c
index ba41d382d..9c96691d9 100644
--- a/criu/crtools.c
+++ b/criu/crtools.c
@@ -354,6 +354,9 @@ usage:
 " in lazy-pages mode: 'criu lazy-pages -D DIR'\n"
 " --lazy-pages and lazy-pages mode require userfaultfd\n"
 " --stream dump/restore images using criu-image-streamer\n"
+ " --network-lock METHOD\n"
+ " network locking/unlocking method; argument\n"
+ " can be 'nftables' or 'iptables' (default).\n"
 "\n"
 "* External resources support:\n"
 " --external RES dump objects from this list as external resources:\n"
diff --git a/criu/include/cr_options.h b/criu/include/cr_options.h
index d46049cc9..a34f8dbbf 100644
--- a/criu/include/cr_options.h
+++ b/criu/include/cr_options.h
@@ -59,6 +59,16 @@ struct cg_root_opt {
 #define CG_MODE_DEFAULT (CG_MODE_SOFT)
+/*
+ * Network locking method
+ */
+enum NETWORK_LOCK_METHOD {
+ NETWORK_LOCK_IPTABLES,
+ NETWORK_LOCK_NFTABLES,
+};
+
+#define NETWORK_LOCK_DEFAULT NETWORK_LOCK_IPTABLES
+
 /*
 * Ghost file size we allow to carry by default.
 */
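Review bot: In the -1031 hunk `argv[optind]` is dereferenced without confirming that a command word is present, so an invocation like `criu --network-lock nftables` with no command reaches `strcmp` on `argv[argc]`, which is NULL, and crashes instead of producing the usage error; unless a check outside this hunk already guarantees `optind < argc`, guard it: `if (has_network_lock_opt && optind < argc && !strcmp(argv[optind], "restore")) {`. The pr_info message says the dump-time method is what restore uses, which implies the value is read back from the image; the code that loads it on restore is not in this diff, but it should range-check the stored value against `enum NETWORK_LOCK_METHOD` before acting on it rather than trusting the image. parse_options begins and continues outside this hunk.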
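Review bot: The new enum tag `NETWORK_LOCK_METHOD` in cr_options.h is spelled like a macro constant while the file's other tags are lowercase (`struct cg_root_opt` is visible in the hunk header); `enum network_lock_method` would match the local convention. The `int network_lock_method;` field added to `struct cr_options` in the following hunk could then be declared with that enum type instead of `int`, which documents the valid range at the declaration. If the numeric value is written into the dump image (the config.c message says the dump-time method is reused on restore, but the persistence itself is not visible here), the enumerator order becomes on-disk format, and a comment such as `/* value may be stored in images: append new methods, never reorder */` above the enum would protect it.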
@@ -152,6 +162,7 @@ struct cr_options {
 int tcp_skip_in_flight;
 bool lazy_pages;
 char *work_dir;
+ int network_lock_method;
 /*
 * When we scheduler for removal some functionality we first