On 07/21/2017 10:23 AM, Stanislav Kinsburskiy wrote:
> This series is aimed to give CRIU an ability to suspend and restore
> VZ containers with disabled netfilter.
> The problem is that a CT doesn't have any netfilter objects when netfilter
> is disabled, while CRIU needs iptables to suspend and restore container
> network reliably.
> This series does the following:
> 1) Makes netfilter tables objects always created
> 2) Hides corresponding proc entries in CT, if netfilter is disabled
> 3) Doesn't allow access to netfilter via sys_{get,set}sockopt in CT if
> netfilter is disabled.
>
> With this series applied, CRIU is able to suspend a container, because it joins
> the container's network namespace while remaining in VE#0, thus all the netfilter stuff
> is always accessible.
>
> https://jira.sw.ru/browse/PSBM-58574
>
> ---
>
> Stanislav Kinsburskiy (5):
>       netfilter: ve_ipt_permitted() helper introduced
>       netfilter: control iptables entries visibility in CT by S_ISVTX
>       netfilter: check per-ve netfilter status on actual operation
>       netfilter: always create per-net "filter" tables objects
>       netfilter: always create netfilter per-net objects for ipv4/ipv6
>
>
>  include/linux/netfilter.h            |  3 +++
>  net/ipv4/ip_sockglue.c               |  7 +++++++
>  net/ipv4/netfilter/ip_tables.c       |  5 -----
>  net/ipv4/netfilter/iptable_filter.c  |  6 ------
>  net/ipv6/netfilter/ip6_tables.c      |  6 ------
>  net/ipv6/netfilter/ip6table_filter.c |  6 ------
>  net/netfilter/x_tables.c             | 10 +++++++---
>  7 files changed, 17 insertions(+), 26 deletions(-)
>

Reviewed-by: Andrey Ryabinin <aryabi...@virtuozzo.com>

_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel