net: fix network unlock with iptables-nft #2323
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rst0git
force-pushed
the
fix-iptables-unlock
branch
from
98ebd01
to
5dab401
Compare
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## criu-dev #2323 +/- ##
============================================
+ Coverage 70.51% 70.62% +0.10%
============================================
Files 133 133
Lines 33534 33556 +22
============================================
+ Hits 23646 23698 +52
+ Misses 9888 9858 -30 ☔ View full report in Codecov by Sentry. |
rst0git
force-pushed
the
fix-iptables-unlock
branch
4 times, most recently
from
9eacd6e
to
c3d604b
Compare
When iptables-nft is used as backend for iptables, the rules for
network locking are translated into the following nft rules:
```
$ iptables-restore-translate -f lock.txt
add table ip filter
add chain ip filter CRIU
insert rule ip filter INPUT counter jump CRIU
insert rule ip filter OUTPUT counter jump CRIU
add rule ip filter CRIU mark 0xc114 counter accept
add rule ip filter CRIU counter drop
```
These rules create the following chains:
```
table ip filter { # handle 1
chain CRIU { # handle 1
meta mark 0x0000c114 counter packets 16 bytes 890 accept # handle 6
counter packets 1 bytes 60 drop # handle 7
meta mark 0x0000c114 counter packets 0 bytes 0 accept # handle 8
counter packets 0 bytes 0 drop # handle 9
}
chain INPUT { # handle 2
type filter hook input priority filter; policy accept;
counter packets 8 bytes 445 jump CRIU # handle 3
counter packets 0 bytes 0 jump CRIU # handle 10
}
chain OUTPUT { # handle 4
type filter hook output priority filter; policy accept;
counter packets 9 bytes 505 jump CRIU # handle 5
counter packets 0 bytes 0 jump CRIU # handle 11
}
}
```
In order to delete the CRIU chain, we need to first delete all four
jump targets. Otherwise, `-X CRIU` would fail with the following error:
iptables-restore v1.8.10 (nf_tables):
line 5: CHAIN_DEL failed (Resource busy): chain CRIU
Reported-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
rst0git
force-pushed
the
fix-iptables-unlock
branch
3 times, most recently
from
0ac0e13
to
cbf0e64
Compare
rst0git
force-pushed
the
fix-iptables-unlock
branch
2 times, most recently
from
fcfdc90
to
9069e76
Compare
nft does not support xtables compat expressions https://git.netfilter.org/nftables/commit/?id=79195a8cc9e9d9cf2d17165bf07ac4cc9d55539f Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
rst0git
force-pushed
the
fix-iptables-unlock
branch
from
9069e76
to
e35df4d
Compare
Show appropriate error messages when restore of nftables fails. Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
rst0git
force-pushed
the
fix-iptables-unlock
branch
from
e35df4d
to
8b69f18
Compare
|
Great job, Radostin! LGTM. to discuss: probably at some point it makes sense to change |
mihalicyn
approved these changes
Jan 15, 2024
Snorch
reviewed
Jan 22, 2024
Snorch
reviewed
Jan 22, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When iptables-nft is used as backend for iptables, the rules for network locking are translated into the following nft rules:
These rules create the following chains:
In order to delete the CRIU chain, we need to first delete all four jump targets. Otherwise,
-X CRIUwould fail with the following error:Fixes: #2313