criu: add --network-lock option to allow nftables alternative

This adds the option to choose the networking locking method.

CRIU currently uses iptables-restore cli for network locking/unlocking
but nftables support will be added later.

There have been reports from users that iptables-restore fails in some
way and an nftables based approach using libnftables could avoid this
external dependency.

v2: remove dependency details in man page for --network-lock.
v3: remove --network-lock from restore section in docs because it is
    automatically detected from the inventory image now.
v4: add message that --network-lock will be ignored during restore
    and value from dump will be used.
v5: run make indent

Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
Zeyad Yasser 2021-07-09 14:16:52 +02:00 committed by Andrei Vagin
parent ef7af1dd15
commit 2e30db5c3d
4 changed files with 46 additions and 0 deletions


@ -420,6 +420,19 @@ The 'mode' may be one of the following:
build-ID cannot be obtained, 'chksm-first' method will be
used. This is the default if mode is unspecified.
*--network-lock* ['mode']::
Set the method to be used for network locking/unlocking. Locking is done
to ensure that tcp packets are dropped between dump and restore. This is
done to avoid the kernel sending RST when a packet arrives destined for
the dumped process.
+
The 'mode' may be one of the following:
*iptables*::: Use iptables rules to drop the packets.
This is the default if 'mode' is not specified.
*nftables*::: Use nftables rules to drop the packets.
*restore*
~~~~~~~~~
Restores previously checkpointed processes.
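Review bot: the new *--network-lock* entry documents *nftables* as a selectable mode, but the commit message says nftables support "will be added later", so a reader of this man page will expect a mode that does not yet work; either mark *nftables* as not yet implemented in the doc text or defer this entry to the commit that adds the nftables backend. The entry also omits the restore-side behaviour introduced in v4 (the option is ignored during restore and the value recorded at dump time is used); a sentence such as "During restore the mode recorded in the dump inventory is used and this option is ignored" under *--network-lock* would keep the man page consistent with the program output. Minor wording in the same hunk: "tcp packets are dropped" should read "TCP packets are dropped", and "sending RST" should read "sending an RST".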