Andrey, please review this patchset ASAP.

--
Best regards,
Konstantin Khorenko, Virtuozzo Linux Kernel Team

On 07/21/2017 10:23 AM, Stanislav Kinsburskiy wrote:
> This series is aimed to give CRIU an ability to suspend and restore VZ containers with disabled netfilter.
> The problem is that a CT doesn't have any netfilter objects when netfilter is disabled, while CRIU needs iptables to suspend and restore container network reliably.
>
> This series does the following:
> 1) Make netfilter tables objects always created
> 2) Hides corresponding proc entries in CT, if netfilter is disabled
> 3) Doesn't allow access to netfilter via sys_{get_set}sockopts in CT if netfilter is disabled.
>
> With this series applied, CRIU is able to suspend a container, because it joins the container's network namespace while remaining in VE#0, thus all the netfilter stuff is always accessible.
>
> https://jira.sw.ru/browse/PSBM-58574
>
> ---
>
> Stanislav Kinsburskiy (5):
>       netfilter: ve_ipt_permitted() helper introduced
>       netfilter: control iptables entries visibility in CT by S_ISVTX
>       netfilter: check per-ve netfilter status on actual operation
>       netfilter: always create per-net "filter" tables objects
>       netfilter: always create netfilter per-net objects for ipv4/ipv6
>
>  include/linux/netfilter.h            |  3 +++
>  net/ipv4/ip_sockglue.c               |  7 +++++++
>  net/ipv4/netfilter/ip_tables.c       |  5 -----
>  net/ipv4/netfilter/iptable_filter.c  |  6 ------
>  net/ipv6/netfilter/ip6_tables.c      |  6 ------
>  net/ipv6/netfilter/ip6table_filter.c |  6 ------
>  net/netfilter/x_tables.c             | 10 +++++++---
>  7 files changed, 17 insertions(+), 26 deletions(-)
>
> --
> _______________________________________________
> Devel mailing list
> Devel@openvz.org
> https://lists.openvz.org/mailman/listinfo/devel