criu: rename iptables network locking/unlocking functions

ZeyadYasser · avagin · commit f246ca56c081 · 2021-09-03T10:31:00.000-07:00
Related to the new --network-lock option, other methods for network
locking/unlocking will be added as an alternative to iptables like
nftables.

This option is used in the core network locking/unlocking hooks to
decide which method should be used, making it easier to add new
methods later smoothly.
i.e.
	- network_lock_internal
	- network_unlock_internal
	- lock_connection (renamed from nf_lock_connection)
	- unlock_connection (renamed from nf_unlock_connection)
	- unlock_connection_info (renamed from unlock_connection_info)

nf_* functions are renamed to iptables_* to avoid confusion with
other netfilter methods in the future like nftables.

v2: run make indent
v3: make error messages more descriptive

Signed-off-by: Zeyad Yasser &lt;zeyady98@gmail.com&gt;
diff --git a/criu/include/netfilter.h b/criu/include/netfilter.h
@@ -2,11 +2,11 @@
 #define __CR_NETFILTER_H__
 
 struct inet_sk_desc;
-extern int nf_lock_connection(struct inet_sk_desc *);
-extern int nf_unlock_connection(struct inet_sk_desc *);
+extern int iptables_lock_connection(struct inet_sk_desc *);
+extern int iptables_unlock_connection(struct inet_sk_desc *);
 
 struct inet_sk_info;
-extern int nf_unlock_connection_info(struct inet_sk_info *);
+extern int iptables_unlock_connection_info(struct inet_sk_info *);
 
 extern void preload_netfilter_modules(void);
 
diff --git a/criu/net.c b/criu/net.c
@@ -3014,7 +3014,7 @@ static int iptables_restore(bool ipv6, char *buf, int size)
 	return ret;
 }
 
-int network_lock_internal(void)
+static int iptables_network_lock_internal(void)
 {
 	char conf[] = "*filter\n"
 		      ":CRIU - [0:0]\n"
@@ -3023,10 +3023,7 @@ int network_lock_internal(void)
 		      "-A CRIU -m mark --mark " __stringify(SOCCR_MARK) " -j ACCEPT\n"
 									"-A CRIU -j DROP\n"
 									"COMMIT\n";
-	int ret = 0, nsret;
-
-	if (switch_ns(root_item->pid->real, &net_ns_desc, &nsret))
-		return -1;
+	int ret = 0;
 
 	ret |= iptables_restore(false, conf, sizeof(conf) - 1);
 	if (kdat.ipv6)
@@ -3039,28 +3036,51 @@ int network_lock_internal(void)
 		       "option.\n",
 		       ret);
 
+	return ret;
+}
+
+int network_lock_internal(void)
+{
+	int ret = 0, nsret;
+
+	if (switch_ns(root_item->pid->real, &net_ns_desc, &nsret))
+		return -1;
+
+	if (opts.network_lock_method == NETWORK_LOCK_IPTABLES)
+		ret = iptables_network_lock_internal();
+
 	if (restore_ns(nsret, &net_ns_desc))
 		ret = -1;
 
 	return ret;
 }
 
-static int network_unlock_internal(void)
+static int iptables_network_unlock_internal(void)
 {
 	char conf[] = "*filter\n"
 		      ":CRIU - [0:0]\n"
 		      "-D INPUT -j CRIU\n"
 		      "-D OUTPUT -j CRIU\n"
 		      "-X CRIU\n"
 		      "COMMIT\n";
+	int ret = 0;
+
+	ret |= iptables_restore(false, conf, sizeof(conf) - 1);
+	if (kdat.ipv6)
+		ret |= iptables_restore(true, conf, sizeof(conf) - 1);
+
+	return ret;
+}
+
+static int network_unlock_internal(void)
+{
 	int ret = 0, nsret;
 
 	if (switch_ns(root_item->pid->real, &net_ns_desc, &nsret))
 		return -1;
 
-	ret |= iptables_restore(false, conf, sizeof(conf) - 1);
-	if (kdat.ipv6)
-		ret |= iptables_restore(true, conf, sizeof(conf) - 1);
+	if (opts.network_lock_method == NETWORK_LOCK_IPTABLES)
+		ret = iptables_network_unlock_internal();
 
 	if (restore_ns(nsret, &net_ns_desc))
 		ret = -1;
diff --git a/criu/netfilter.c b/criu/netfilter.c
@@ -22,7 +22,7 @@ static char buf[512];
  * Any brave soul to write it using xtables-devel?
  */
 
-#define NF_CONN_CMD                             \
+#define IPTABLES_CONN_CMD                       \
 	"%s %s -t filter %s %s --protocol tcp " \
 	"-m mark ! --mark " __stringify(SOCCR_MARK) " --source %s --sport %d --destination %s --dport %d -j DROP"
 
@@ -52,8 +52,8 @@ static int ipv6_addr_mapped(u32 *addr)
 	return (addr[2] == htonl(0x0000ffff));
 }
 
-static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port, u32 *dst_addr, u16 dst_port, bool input,
-				    bool lock)
+static int iptables_connection_switch_raw(int family, u32 *src_addr, u16 src_port, u32 *dst_addr, u16 dst_port,
+					  bool input, bool lock)
 {
 	char sip[INET_ADDR_LEN], dip[INET_ADDR_LEN];
 	char *cmd;
@@ -84,7 +84,7 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port, u32
 		return -1;
 	}
 
-	snprintf(buf, sizeof(buf), NF_CONN_CMD, cmd, kdat.has_xtlocks ? "-w" : "", lock ? "-I" : "-D",
+	snprintf(buf, sizeof(buf), IPTABLES_CONN_CMD, cmd, kdat.has_xtlocks ? "-w" : "", lock ? "-I" : "-D",
 		 input ? "INPUT" : "OUTPUT", dip, (int)dst_port, sip, (int)src_port);
 
 	pr_debug("\tRunning iptables [%s]\n", buf);
@@ -103,41 +103,41 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port, u32
 	return 0;
 }
 
-static int nf_connection_switch(struct inet_sk_desc *sk, bool lock)
+static int iptables_connection_switch(struct inet_sk_desc *sk, bool lock)
 {
 	int ret = 0;
 
-	ret = nf_connection_switch_raw(sk->sd.family, sk->src_addr, sk->src_port, sk->dst_addr, sk->dst_port, true,
-				       lock);
+	ret = iptables_connection_switch_raw(sk->sd.family, sk->src_addr, sk->src_port, sk->dst_addr, sk->dst_port,
+					     true, lock);
 	if (ret)
 		return -1;
 
-	ret = nf_connection_switch_raw(sk->sd.family, sk->dst_addr, sk->dst_port, sk->src_addr, sk->src_port, false,
-				       lock);
+	ret = iptables_connection_switch_raw(sk->sd.family, sk->dst_addr, sk->dst_port, sk->src_addr, sk->src_port,
+					     false, lock);
 	if (ret) /* rollback */
-		nf_connection_switch_raw(sk->sd.family, sk->src_addr, sk->src_port, sk->dst_addr, sk->dst_port, true,
-					 !lock);
+		iptables_connection_switch_raw(sk->sd.family, sk->src_addr, sk->src_port, sk->dst_addr, sk->dst_port,
+					       true, !lock);
 	return ret;
 }
 
-int nf_lock_connection(struct inet_sk_desc *sk)
+int iptables_lock_connection(struct inet_sk_desc *sk)
 {
-	return nf_connection_switch(sk, true);
+	return iptables_connection_switch(sk, true);
 }
 
-int nf_unlock_connection(struct inet_sk_desc *sk)
+int iptables_unlock_connection(struct inet_sk_desc *sk)
 {
-	return nf_connection_switch(sk, false);
+	return iptables_connection_switch(sk, false);
 }
 
-int nf_unlock_connection_info(struct inet_sk_info *si)
+int iptables_unlock_connection_info(struct inet_sk_info *si)
 {
 	int ret = 0;
 
-	ret |= nf_connection_switch_raw(si->ie->family, si->ie->src_addr, si->ie->src_port, si->ie->dst_addr,
-					si->ie->dst_port, true, false);
-	ret |= nf_connection_switch_raw(si->ie->family, si->ie->dst_addr, si->ie->dst_port, si->ie->src_addr,
-					si->ie->src_port, false, false);
+	ret |= iptables_connection_switch_raw(si->ie->family, si->ie->src_addr, si->ie->src_port, si->ie->dst_addr,
+					      si->ie->dst_port, true, false);
+	ret |= iptables_connection_switch_raw(si->ie->family, si->ie->dst_addr, si->ie->dst_port, si->ie->src_addr,
+					      si->ie->src_port, false, false);
 	/*
 	 * rollback nothing in case of any error,
 	 * because nobody checks errors of this function
diff --git a/criu/sk-tcp.c b/criu/sk-tcp.c
@@ -33,6 +33,22 @@
 static LIST_HEAD(cpt_tcp_repair_sockets);
 static LIST_HEAD(rst_tcp_repair_sockets);
 
+static int lock_connection(struct inet_sk_desc *sk)
+{
+	if (opts.network_lock_method == NETWORK_LOCK_IPTABLES)
+		return iptables_lock_connection(sk);
+
+	return -1;
+}
+
+static int unlock_connection(struct inet_sk_desc *sk)
+{
+	if (opts.network_lock_method == NETWORK_LOCK_IPTABLES)
+		return iptables_unlock_connection(sk);
+
+	return -1;
+}
+
 static int tcp_repair_established(int fd, struct inet_sk_desc *sk)
 {
 	int ret;
@@ -51,9 +67,11 @@ static int tcp_repair_established(int fd, struct inet_sk_desc *sk)
 	}
 
 	if (!(root_ns_mask & CLONE_NEWNET)) {
-		ret = nf_lock_connection(sk);
-		if (ret < 0)
+		ret = lock_connection(sk);
+		if (ret < 0) {
+			pr_err("Failed to lock TCP connection %x\n", sk->sd.ino);
 			goto err2;
+		}
 	}
 
 	socr = libsoccr_pause(sk->rfd);
@@ -66,7 +84,7 @@ static int tcp_repair_established(int fd, struct inet_sk_desc *sk)
 
 err3:
 	if (!(root_ns_mask & CLONE_NEWNET))
-		nf_unlock_connection(sk);
+		unlock_connection(sk);
 err2:
 	close(sk->rfd);
 err1:
@@ -80,9 +98,9 @@ static void tcp_unlock_one(struct inet_sk_desc *sk)
 	list_del(&sk->rlist);
 
 	if (!(root_ns_mask & CLONE_NEWNET)) {
-		ret = nf_unlock_connection(sk);
+		ret = unlock_connection(sk);
 		if (ret < 0)
-			pr_perror("Failed to unlock TCP connection");
+			pr_err("Failed to unlock TCP connection %x\n", sk->sd.ino);
 	}
 
 	libsoccr_resume(sk->priv);
@@ -453,6 +471,14 @@ void tcp_locked_conn_add(struct inet_sk_info *ii)
 	ii->sk_fd = -1;
 }
 
+static int unlock_connection_info(struct inet_sk_info *si)
+{
+	if (opts.network_lock_method == NETWORK_LOCK_IPTABLES)
+		return iptables_unlock_connection_info(si);
+
+	return -1;
+}
+
 void rst_unlock_tcp_connections(void)
 {
 	struct inet_sk_info *ii;
@@ -465,5 +491,5 @@ void rst_unlock_tcp_connections(void)
 		return;
 
 	list_for_each_entry(ii, &rst_tcp_repair_sockets, rlist)
-		nf_unlock_connection_info(ii);
+		unlock_connection_info(ii);
 }
