criu: rename iptables network locking/unlocking functions

Related to the new --network-lock option, other methods for network locking/unlocking will be added as an alternative to iptables like nftables. This option is used in the core network locking/unlocking hooks to decide which method should be used, making it easier to add new methods later smoothly. i.e. - network_lock_internal - network_unlock_internal - lock_connection (renamed from nf_lock_connection) - unlock_connection (renamed from nf_unlock_connection) - unlock_connection_info (renamed from unlock_connection_info) nf_* functions are renamed to iptables_* to avoid confusion with other netfilter methods in the future like nftables. v2: run make indent v3: make error messages more descriptive Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
2026-01-23 02:14:37 +00:00 · 2021-07-09 16:11:34 +02:00 · 2021-07-09 16:11:34 +02:00 · f246ca56c0
commit f246ca56c0
parent e9d24a2ba3
4 changed files with 84 additions and 38 deletions
--- a/criu/include/netfilter.h
+++ b/criu/include/netfilter.h
@ -2,11 +2,11 @@
 #define __CR_NETFILTER_H__

 struct inet_sk_desc;
-extern int nf_lock_connection(struct inet_sk_desc *);
-extern int nf_unlock_connection(struct inet_sk_desc *);
+extern int iptables_lock_connection(struct inet_sk_desc *);
+extern int iptables_unlock_connection(struct inet_sk_desc *);

 struct inet_sk_info;
-extern int nf_unlock_connection_info(struct inet_sk_info *);
+extern int iptables_unlock_connection_info(struct inet_sk_info *);

 extern void preload_netfilter_modules(void);

--- a/criu/net.c
+++ b/criu/net.c
@ -3014,7 +3014,7 @@ err:
 	return ret;
 }

-int network_lock_internal(void)
+static int iptables_network_lock_internal(void)
 {
 	char conf[] = "*filter\n"
 		      ":CRIU - [0:0]\n"
@ -3023,10 +3023,7 @@ int network_lock_internal(void)
 		      "-A CRIU -m mark --mark " __stringify(SOCCR_MARK) " -j ACCEPT\n"
 									"-A CRIU -j DROP\n"
 									"COMMIT\n";
-	int ret = 0, nsret;
-
-	if (switch_ns(root_item->pid->real, &net_ns_desc, &nsret))
-		return -1;
+	int ret = 0;

 	ret |= iptables_restore(false, conf, sizeof(conf) - 1);
 	if (kdat.ipv6)
@ -3039,13 +3036,26 @@ int network_lock_internal(void)
 		       "option.\n",
 		       ret);

+	return ret;
+}
+
+int network_lock_internal(void)
+{
+	int ret = 0, nsret;
+
+	if (switch_ns(root_item->pid->real, &net_ns_desc, &nsret))
+		return -1;
+
+	if (opts.network_lock_method == NETWORK_LOCK_IPTABLES)
+		ret = iptables_network_lock_internal();
+
 	if (restore_ns(nsret, &net_ns_desc))
 		ret = -1;

 	return ret;
 }

-static int network_unlock_internal(void)
+static int iptables_network_unlock_internal(void)
 {
 	char conf[] = "*filter\n"
 		      ":CRIU - [0:0]\n"
@ -3053,14 +3063,24 @@ static int network_unlock_internal(void)
 		      "-D OUTPUT -j CRIU\n"
 		      "-X CRIU\n"
 		      "COMMIT\n";
+	int ret = 0;
+
+	ret |= iptables_restore(false, conf, sizeof(conf) - 1);
+	if (kdat.ipv6)
+		ret |= iptables_restore(true, conf, sizeof(conf) - 1);
+
+	return ret;
+}
+
+static int network_unlock_internal(void)
+{
 	int ret = 0, nsret;

 	if (switch_ns(root_item->pid->real, &net_ns_desc, &nsret))
 		return -1;

-	ret |= iptables_restore(false, conf, sizeof(conf) - 1);
-	if (kdat.ipv6)
-		ret |= iptables_restore(true, conf, sizeof(conf) - 1);
+	if (opts.network_lock_method == NETWORK_LOCK_IPTABLES)
+		ret = iptables_network_unlock_internal();

 	if (restore_ns(nsret, &net_ns_desc))
 		ret = -1;
--- a/criu/netfilter.c
+++ b/criu/netfilter.c
@ -22,7 +22,7 @@ static char buf[512];
 * Any brave soul to write it using xtables-devel?
 */

-#define NF_CONN_CMD                             \
+#define IPTABLES_CONN_CMD                       \
 	"%s %s -t filter %s %s --protocol tcp " \
 	"-m mark ! --mark " __stringify(SOCCR_MARK) " --source %s --sport %d --destination %s --dport %d -j DROP"

@ -52,8 +52,8 @@ static int ipv6_addr_mapped(u32 *addr)
 	return (addr[2] == htonl(0x0000ffff));
 }

-static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port, u32 *dst_addr, u16 dst_port, bool input,
-				    bool lock)
+static int iptables_connection_switch_raw(int family, u32 *src_addr, u16 src_port, u32 *dst_addr, u16 dst_port,
+					  bool input, bool lock)
 {
 	char sip[INET_ADDR_LEN], dip[INET_ADDR_LEN];
 	char *cmd;
@ -84,7 +84,7 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port, u32
 		return -1;
 	}

-	snprintf(buf, sizeof(buf), NF_CONN_CMD, cmd, kdat.has_xtlocks ? "-w" : "", lock ? "-I" : "-D",
+	snprintf(buf, sizeof(buf), IPTABLES_CONN_CMD, cmd, kdat.has_xtlocks ? "-w" : "", lock ? "-I" : "-D",
 		 input ? "INPUT" : "OUTPUT", dip, (int)dst_port, sip, (int)src_port);

 	pr_debug("\tRunning iptables [%s]\n", buf);
@ -103,41 +103,41 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port, u32
 	return 0;
 }

-static int nf_connection_switch(struct inet_sk_desc *sk, bool lock)
+static int iptables_connection_switch(struct inet_sk_desc *sk, bool lock)
 {
 	int ret = 0;

-	ret = nf_connection_switch_raw(sk->sd.family, sk->src_addr, sk->src_port, sk->dst_addr, sk->dst_port, true,
-				       lock);
+	ret = iptables_connection_switch_raw(sk->sd.family, sk->src_addr, sk->src_port, sk->dst_addr, sk->dst_port,
+					     true, lock);
 	if (ret)
 		return -1;

-	ret = nf_connection_switch_raw(sk->sd.family, sk->dst_addr, sk->dst_port, sk->src_addr, sk->src_port, false,
-				       lock);
+	ret = iptables_connection_switch_raw(sk->sd.family, sk->dst_addr, sk->dst_port, sk->src_addr, sk->src_port,
+					     false, lock);
 	if (ret) /* rollback */
-		nf_connection_switch_raw(sk->sd.family, sk->src_addr, sk->src_port, sk->dst_addr, sk->dst_port, true,
-					 !lock);
+		iptables_connection_switch_raw(sk->sd.family, sk->src_addr, sk->src_port, sk->dst_addr, sk->dst_port,
+					       true, !lock);
 	return ret;
 }

-int nf_lock_connection(struct inet_sk_desc *sk)
+int iptables_lock_connection(struct inet_sk_desc *sk)
 {
-	return nf_connection_switch(sk, true);
+	return iptables_connection_switch(sk, true);
 }

-int nf_unlock_connection(struct inet_sk_desc *sk)
+int iptables_unlock_connection(struct inet_sk_desc *sk)
 {
-	return nf_connection_switch(sk, false);
+	return iptables_connection_switch(sk, false);
 }

-int nf_unlock_connection_info(struct inet_sk_info *si)
+int iptables_unlock_connection_info(struct inet_sk_info *si)
 {
 	int ret = 0;

-	ret |= nf_connection_switch_raw(si->ie->family, si->ie->src_addr, si->ie->src_port, si->ie->dst_addr,
-					si->ie->dst_port, true, false);
-	ret |= nf_connection_switch_raw(si->ie->family, si->ie->dst_addr, si->ie->dst_port, si->ie->src_addr,
-					si->ie->src_port, false, false);
+	ret |= iptables_connection_switch_raw(si->ie->family, si->ie->src_addr, si->ie->src_port, si->ie->dst_addr,
+					      si->ie->dst_port, true, false);
+	ret |= iptables_connection_switch_raw(si->ie->family, si->ie->dst_addr, si->ie->dst_port, si->ie->src_addr,
+					      si->ie->src_port, false, false);
 	/*
 	 * rollback nothing in case of any error,
 	 * because nobody checks errors of this function
--- a/criu/sk-tcp.c
+++ b/criu/sk-tcp.c
@ -33,6 +33,22 @@
 static LIST_HEAD(cpt_tcp_repair_sockets);
 static LIST_HEAD(rst_tcp_repair_sockets);

+static int lock_connection(struct inet_sk_desc *sk)
+{
+	if (opts.network_lock_method == NETWORK_LOCK_IPTABLES)
+		return iptables_lock_connection(sk);
+
+	return -1;
+}
+
+static int unlock_connection(struct inet_sk_desc *sk)
+{
+	if (opts.network_lock_method == NETWORK_LOCK_IPTABLES)
+		return iptables_unlock_connection(sk);
+
+	return -1;
+}
+
 static int tcp_repair_established(int fd, struct inet_sk_desc *sk)
 {
 	int ret;
@ -51,9 +67,11 @@ static int tcp_repair_established(int fd, struct inet_sk_desc *sk)
 	}

 	if (!(root_ns_mask & CLONE_NEWNET)) {
-		ret = nf_lock_connection(sk);
-		if (ret < 0)
+		ret = lock_connection(sk);
+		if (ret < 0) {
+			pr_err("Failed to lock TCP connection %x\n", sk->sd.ino);
 			goto err2;
+		}
 	}

 	socr = libsoccr_pause(sk->rfd);
@ -66,7 +84,7 @@ static int tcp_repair_established(int fd, struct inet_sk_desc *sk)

 err3:
 	if (!(root_ns_mask & CLONE_NEWNET))
-		nf_unlock_connection(sk);
+		unlock_connection(sk);
 err2:
 	close(sk->rfd);
 err1:
@ -80,9 +98,9 @@ static void tcp_unlock_one(struct inet_sk_desc *sk)
 	list_del(&sk->rlist);

 	if (!(root_ns_mask & CLONE_NEWNET)) {
-		ret = nf_unlock_connection(sk);
+		ret = unlock_connection(sk);
 		if (ret < 0)
-			pr_perror("Failed to unlock TCP connection");
+			pr_err("Failed to unlock TCP connection %x\n", sk->sd.ino);
 	}

 	libsoccr_resume(sk->priv);
@ -453,6 +471,14 @@ void tcp_locked_conn_add(struct inet_sk_info *ii)
 	ii->sk_fd = -1;
 }

+static int unlock_connection_info(struct inet_sk_info *si)
+{
+	if (opts.network_lock_method == NETWORK_LOCK_IPTABLES)
+		return iptables_unlock_connection_info(si);
+
+	return -1;
+}
+
 void rst_unlock_tcp_connections(void)
 {
 	struct inet_sk_info *ii;
@ -465,5 +491,5 @@ void rst_unlock_tcp_connections(void)
 		return;

 	list_for_each_entry(ii, &rst_tcp_repair_sockets, rlist)
-		nf_unlock_connection_info(ii);
+		unlock_connection_info(ii);
 }