Allow skipping iptables/nftables invocation.

Make it possible to skip network lock to enable uses that break connections anyway to work without iptables/nftables being present. Signed-off-by: Michał Mirosław <emmir@google.com>
2026-01-23 02:14:37 +00:00 · 2022-09-12 16:17:43 +02:00 · 2022-09-12 16:17:43 +02:00 · a2c4dd2265
commit a2c4dd2265
parent 9301aba877
9 changed files with 24 additions and 1 deletions
--- a/Documentation/criu.txt
+++ b/Documentation/criu.txt
@ -457,6 +457,9 @@ The 'mode' may be one of the following:

    *nftables*::: Use nftables rules to drop the packets.

+    *skip*::: Don't lock the network. If *--tcp-close* is not used, the network
+    must be locked externally to allow CRIU to dump TCP connections.
+
 *restore*
 ~~~~~~~~~
 Restores previously checkpointed processes.
--- a/criu/config.c
+++ b/criu/config.c
@ -1036,6 +1036,8 @@ int parse_options(int argc, char **argv, bool *usage_error, bool *has_exec_cmd,
 				opts.network_lock_method = NETWORK_LOCK_IPTABLES;
 			} else if (!strcmp("nftables", optarg)) {
 				opts.network_lock_method = NETWORK_LOCK_NFTABLES;
+			} else if (!strcmp("skip", optarg) || !strcmp("none", optarg)) {
+				opts.network_lock_method = NETWORK_LOCK_SKIP;
 			} else {
 				pr_err("Invalid value for --network-lock: %s\n", optarg);
 				return 1;
--- a/criu/cr-service.c
+++ b/criu/cr-service.c
@ -526,6 +526,9 @@ static int setup_opts_from_req(int sk, CriuOpts *req)
 		case CRIU_NETWORK_LOCK_METHOD__NFTABLES:
 			opts.network_lock_method = NETWORK_LOCK_NFTABLES;
 			break;
+		case CRIU_NETWORK_LOCK_METHOD__SKIP:
+			opts.network_lock_method = NETWORK_LOCK_SKIP;
+			break;
 		default:
 			goto err;
 		}
--- a/criu/include/cr_options.h
+++ b/criu/include/cr_options.h
@ -67,6 +67,7 @@ struct cg_root_opt {
 enum NETWORK_LOCK_METHOD {
 	NETWORK_LOCK_IPTABLES,
 	NETWORK_LOCK_NFTABLES,
+	NETWORK_LOCK_SKIP,
 };

 #define NETWORK_LOCK_DEFAULT NETWORK_LOCK_IPTABLES
--- a/criu/net.c
+++ b/criu/net.c
@ -3131,6 +3131,9 @@ int network_lock_internal(void)
 {
 	int ret = 0, nsret;

+	if (opts.network_lock_method == NETWORK_LOCK_SKIP)
+		return 0;
+
 	if (switch_ns(root_item->pid->real, &net_ns_desc, &nsret))
 		return -1;

@ -3193,6 +3196,9 @@ static int network_unlock_internal(void)
 {
 	int ret = 0, nsret;

+	if (opts.network_lock_method == NETWORK_LOCK_SKIP)
+		return 0;
+
 	if (switch_ns(root_item->pid->real, &net_ns_desc, &nsret))
 		return -1;

--- a/criu/sk-tcp.c
+++ b/criu/sk-tcp.c
@ -39,6 +39,8 @@ static int lock_connection(struct inet_sk_desc *sk)
 		return iptables_lock_connection(sk);
 	else if (opts.network_lock_method == NETWORK_LOCK_NFTABLES)
 		return nftables_lock_connection(sk);
+	else if (opts.network_lock_method == NETWORK_LOCK_SKIP)
+		return 0;

 	return -1;
 }
@ -50,6 +52,8 @@ static int unlock_connection(struct inet_sk_desc *sk)
 	else if (opts.network_lock_method == NETWORK_LOCK_NFTABLES)
 		/* All connections will be unlocked in network_unlock(void) */
 		return 0;
+	else if (opts.network_lock_method == NETWORK_LOCK_SKIP)
+		return 0;

 	return -1;
 }
@ -483,6 +487,8 @@ static int unlock_connection_info(struct inet_sk_info *si)
 	else if (opts.network_lock_method == NETWORK_LOCK_NFTABLES)
 		/* All connections will be unlocked in network_unlock(void) */
 		return 0;
+	else if (opts.network_lock_method == NETWORK_LOCK_SKIP)
+		return 0;

 	return -1;
 }
--- a/images/rpc.proto
+++ b/images/rpc.proto
@ -52,6 +52,7 @@ enum criu_cg_mode {
 enum criu_network_lock_method {
 	IPTABLES = 	1;
 	NFTABLES = 	2;
+	SKIP =  	3;
 };

 enum criu_pre_dump_mode {
--- a/lib/c/criu.c
+++ b/lib/c/criu.c
@ -1868,7 +1868,7 @@ void criu_set_pidfd_store_sk(int sk)
 int criu_local_set_network_lock(criu_opts *opts, enum criu_network_lock_method method)
 {
 	opts->rpc->has_network_lock = true;
-	if (method == CRIU_NETWORK_LOCK_IPTABLES || method == CRIU_NETWORK_LOCK_NFTABLES) {
+	if (method == CRIU_NETWORK_LOCK_IPTABLES || method == CRIU_NETWORK_LOCK_NFTABLES || method == CRIU_NETWORK_LOCK_SKIP) {
 		opts->rpc->network_lock = (CriuNetworkLockMethod)method;
 		return 0;
 	}
--- a/lib/c/criu.h
+++ b/lib/c/criu.h
@ -50,6 +50,7 @@ enum criu_cg_mode {
 enum criu_network_lock_method {
 	CRIU_NETWORK_LOCK_IPTABLES = 1,
 	CRIU_NETWORK_LOCK_NFTABLES = 2,
+	CRIU_NETWORK_LOCK_SKIP = 3,
 };

 enum criu_pre_dump_mode { CRIU_PRE_DUMP_SPLICE = 1, CRIU_PRE_DUMP_READ = 2 };