criu: add --network-lock option to allow nftables alternative

This adds the option to choose the networking locking method. CRIU currently uses iptables-restore cli for network locking/unlocking but nftables support will be added later. There have been reports from users that iptables-restore fails in some way and an nftables based approach using libnftables could avoid this external dependency. v2: remove dependency details in man page for --network-lock. v3: remove --network-lock from restore section in docs because it is automatically detected from the inventory image now. v4: add message that --network-lock will be ignored during restore and value from dump will be used. v5: run make indent Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
2025-08-22 09:58:09 +00:00 · 2021-07-09 14:16:52 +02:00 · 2021-07-09 14:16:52 +02:00 · 2e30db5c3d
commit 2e30db5c3d
parent ef7af1dd15
4 changed files with 46 additions and 0 deletions
--- a/Documentation/criu.txt
+++ b/Documentation/criu.txt
@ -420,6 +420,19 @@ The 'mode' may be one of the following:
                build-ID cannot be obtained, 'chksm-first' method will be
                used. This is the default if mode is unspecified.

+*--network-lock* ['mode']::
+    Set the method to be used for network locking/unlocking. Locking is done
+    to ensure that tcp packets are dropped between dump and restore. This is
+    done to avoid the kernel sending RST when a packet arrives destined for
+    the dumped process.
+
+The 'mode' may be one of the following:
+
+    *iptables*::: Use iptables rules to drop the packets.
+    This is the default if 'mode' is not specified.
+
+    *nftables*::: Use nftables rules to drop the packets.
+
 *restore*
 ~~~~~~~~~
 Restores previously checkpointed processes.
--- a/criu/config.c
+++ b/criu/config.c
@ -428,6 +428,7 @@ void init_opts(void)
 	opts.log_level = DEFAULT_LOGLEVEL;
 	opts.pre_dump_mode = PRE_DUMP_SPLICE;
 	opts.file_validation_method = FILE_VALIDATION_DEFAULT;
+	opts.network_lock_method = NETWORK_LOCK_DEFAULT;
 }

 bool deprecated_ok(char *what)
@ -606,6 +607,7 @@ int parse_options(int argc, char **argv, bool *usage_error, bool *has_exec_cmd,
 	char *cfg_file = NULL;
 	char **_argv = NULL;
 	int _argc = 0;
+	bool has_network_lock_opt = false;

 #define BOOL_OPT(OPT_NAME, SAVE_TO)                         \
 	{ OPT_NAME, no_argument, SAVE_TO, true },           \
@ -694,6 +696,7 @@ int parse_options(int argc, char **argv, bool *usage_error, bool *has_exec_cmd,
 		{ "pre-dump-mode", required_argument, 0, 1097 },
 		{ "file-validation", required_argument, 0, 1098 },
 		{ "lsm-mount-context", required_argument, 0, 1099 },
+		{ "network-lock", required_argument, 0, 1100 },
 		{},
 	};

@ -1018,6 +1021,17 @@ int parse_options(int argc, char **argv, bool *usage_error, bool *has_exec_cmd,
 		case 1099:
 			SET_CHAR_OPTS(lsm_mount_context, optarg);
 			break;
+		case 1100:
+			has_network_lock_opt = true;
+			if (!strcmp("iptables", optarg)) {
+				opts.network_lock_method = NETWORK_LOCK_IPTABLES;
+			} else if (!strcmp("nftables", optarg)) {
+				opts.network_lock_method = NETWORK_LOCK_NFTABLES;
+			} else {
+				pr_err("Invalid value for --network-lock: %s\n", optarg);
+				return 1;
+			}
+			break;
 		case 'V':
 			pr_msg("Version: %s\n", CRIU_VERSION);
 			if (strcmp(CRIU_GITID, "0"))
@ -1031,6 +1045,11 @@ int parse_options(int argc, char **argv, bool *usage_error, bool *has_exec_cmd,
 		}
 	}

+	if (has_network_lock_opt && !strcmp(argv[optind], "restore")) {
+		pr_warn("--network-lock will be ignored in restore command\n");
+		pr_info("Network lock method from dump will be used in restore\n");
+	}
+
 	return 0;

 bad_arg:
--- a/criu/crtools.c
+++ b/criu/crtools.c
@ -354,6 +354,9 @@ usage:
 	       "                        in lazy-pages mode: 'criu lazy-pages -D DIR'\n"
 	       "                        --lazy-pages and lazy-pages mode require userfaultfd\n"
 	       "  --stream              dump/restore images using criu-image-streamer\n"
+	       "  --network-lock METHOD\n"
+	       "                      network locking/unlocking method; argument\n"
+	       "                      can be 'nftables' or 'iptables' (default).\n"
 	       "\n"
 	       "* External resources support:\n"
 	       "  --external RES        dump objects from this list as external resources:\n"
--- a/criu/include/cr_options.h
+++ b/criu/include/cr_options.h
@ -59,6 +59,16 @@ struct cg_root_opt {

 #define CG_MODE_DEFAULT (CG_MODE_SOFT)

+/*
+ * Network locking method
+ */
+enum NETWORK_LOCK_METHOD {
+	NETWORK_LOCK_IPTABLES,
+	NETWORK_LOCK_NFTABLES,
+};
+
+#define NETWORK_LOCK_DEFAULT NETWORK_LOCK_IPTABLES
+
 /*
 * Ghost file size we allow to carry by default.
 */
@ -152,6 +162,7 @@ struct cr_options {
 	int tcp_skip_in_flight;
 	bool lazy_pages;
 	char *work_dir;
+	int network_lock_method;

 	/*
 	 * When we scheduler for removal some functionality we first