network-lock

criu/net.c

@@ -1521,6 +1521,42 @@ static int iptables_restore(bool ipv6, char *buf, int size)
 	return ret;
 }
 
+static int network_lock_init()
+{
+	char conf[] =	"*filter\n"
+				":CRIU_IN - [0:0]\n"
+				":CRIU_OUT - [0:0]\n"
+				"-I INPUT -j CRIU_IN\n"
+				"-I OUTPUT -j CRIU_OUT\n"
+				"COMMIT\n";
+	int ret = 0;
+
+
+	ret |= iptables_restore(false, conf, sizeof(conf) - 1);
+	if (kdat.ipv6)
+		ret |= iptables_restore(true, conf, sizeof(conf) - 1);
+
+	return ret;
+}
+
+static int network_unlock_fini()
+{
+	char conf[] =	"*filter\n"
+			":CRIU_IN - [0:0]\n"
+			":CRIU_OUT - [0:0]\n"
+			"-D INPUT -j CRIU_IN\n"
+			"-D OUTPUT -j CRIU_OUT\n"
+			"-X CRIU_IN\n"
+			"-X CRIU_OUT\n"
+			"COMMIT\n";
+	int ret = 0;
+
+	ret |= iptables_restore(false, conf, sizeof(conf) - 1);
+	if (kdat.ipv6)
+		ret |= iptables_restore(true, conf, sizeof(conf) - 1);
+
+	return ret;
+}
 static int network_lock_internal()
 {
 	char conf[] =	"*filter\n"
@@ -1574,8 +1610,10 @@ int network_lock(void)
 	pr_info("Lock network\n");
 
 	/* Each connection will be locked on dump */
-	if  (!(root_ns_mask & CLONE_NEWNET))
+	if  (!(root_ns_mask & CLONE_NEWNET)) {
+		network_lock_init();
 		return 0;
+	}
 
 	if (run_scripts(ACT_NET_LOCK))
 		return -1;
@@ -1587,13 +1625,14 @@ void network_unlock(void)
 {
 	pr_info("Unlock network\n");
 
-	cpt_unlock_tcp_connections();
-	rst_unlock_tcp_connections();
+//	cpt_unlock_tcp_connections();
+//	rst_unlock_tcp_connections();
 
 	if (root_ns_mask & CLONE_NEWNET) {
 		run_scripts(ACT_NET_UNLOCK);
 		network_unlock_internal();
-	}
+	} else
+		network_unlock_fini();
 }
 
 int veth_pair_add(char *in, char *out)

criu/netfilter.c

@@ -74,7 +74,7 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,
 
 	snprintf(buf, sizeof(buf), nf_conn_cmd, cmd,
 			lock ? "-A" : "-D",
-			input ? "INPUT" : "OUTPUT",
+			input ? "CRIU_IN" : "CRIU_OUT",
 			dip, (int)dst_port, sip, (int)src_port);
 
 	pr_debug("\tRunning iptables [%s]\n", buf);