Changes

=== Use eBPF to lock and unlock the network ===

=== Use eBPF to lock and unlock the network ===

   

   

'''Summary:''' Use ePBF instead of external iptables-restore tool for network lock and unlock.

'''Summary:''' Use eBPF instead of external iptables-restore tool for network lock and unlock.

During checkpointing and restoring CRIU locks the network to make sure no network packets are accepted by the network stack during the time the process is checkpointed. Currently CRIU calls out to iptables-restore to create and delete the corresponding iptables rules. Another approach which avoids calling out to the external binary iptables-restore would be to directly inject eBPF rules. There have been reports from users that iptables-restore fails in some way and eBPF could avoid this external dependency.

During checkpointing and restoring CRIU locks the network to make sure no network packets are accepted by the network stack during the time the process is checkpointed. Currently CRIU calls out to iptables-restore to create and delete the corresponding iptables rules. Another approach which avoids calling out to the external binary iptables-restore would be to directly inject eBPF rules. There have been reports from users that iptables-restore fails in some way and eBPF could avoid this external dependency.

* https://www.criu.org/TCP_connection#Checkpoint_and_restore_TCP_connection

* https://www.criu.org/TCP_connection#Checkpoint_and_restore_TCP_connection

* https://github.com/systemd/systemd/blob/master/src/core/bpf-firewall.c

* https://github.com/systemd/systemd/blob/master/src/core/bpf-firewall.c

'''Details:'''

'''Details:'''

* Skill level: intermediate

* Skill level: intermediate

* Language: C

* Language: C

* Mentor: Radostin Stoyanov <rstoyanov@fedoraproject.org>, Adrian Reber <areber@redhat.com>

* Mentor: Radostin Stoyanov <rstoyanov@fedoraproject.org>

* Suggested by: Adrian Reber <areber@redhat.com>

* Suggested by: Adrian Reber <areber@redhat.com>