S/R iptables

PiperOrigin-RevId: 716114923
google · Jan 16, 2025 · 54c6f26 · 54c6f26
1 parent 25b1d71
commit 54c6f26
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 12 deletions.
diff --git a/pkg/tcpip/stack/conntrack.go b/pkg/tcpip/stack/conntrack.go
@@ -229,7 +229,7 @@ type ConnTrack struct {
 
 	// clock provides timing used to determine conntrack reapings.
 	clock tcpip.Clock
-	// TODO(b/341946753): Restore when netstack is savable.
+
 	rand *rand.Rand `state:"nosave"`
 
 	mu connTrackRWMutex `state:"nosave"`

diff --git a/pkg/tcpip/stack/iptables.go b/pkg/tcpip/stack/iptables.go
@@ -15,7 +15,6 @@
 package stack
 
 import (
-	"context"
 	"fmt"
 	"math/rand"
 	"reflect"
@@ -606,15 +605,19 @@ func (it *IPTables) check(table Table, hook Hook, pkt *PacketBuffer, r *Route, a
 
 // beforeSave is invoked by stateify.
 func (it *IPTables) beforeSave() {
-	// Ensure the reaper exits cleanly.
-	it.reaper.Stop()
-	// Prevent others from modifying the connection table.
-	it.connections.mu.Lock()
+	if it.reaper != nil {
+		// Ensure the reaper exits cleanly.
+		it.reaper.Stop()
+	}
 }
 
-// afterLoad is invoked by stateify.
-func (it *IPTables) afterLoad(context.Context) {
-	it.startReaper(reaperDelay)
+func (it *IPTables) Resume() {
+	it.mu.Lock()
+	defer it.mu.Unlock()
+
+	if it.modified {
+		it.startReaper(reaperDelay)
+	}
 }
 
 // startReaper periodically reaps timed out connections.

diff --git a/pkg/tcpip/stack/iptables_types.go b/pkg/tcpip/stack/iptables_types.go
@@ -82,7 +82,7 @@ const (
 type IPTables struct {
 	connections ConnTrack
 
-	reaper tcpip.Timer
+	reaper tcpip.Timer `state:"nosave"`
 
 	mu ipTablesRWMutex `state:"nosave"`
 	// v4Tables and v6tables map tableIDs to tables. They hold builtin

diff --git a/pkg/tcpip/stack/save_restore.go b/pkg/tcpip/stack/save_restore.go
@@ -26,4 +26,5 @@ import (
 func (s *Stack) afterLoad(context.Context) {
 	s.insecureRNG = rand.New(rand.NewSource(time.Now().UnixNano()))
 	s.secureRNG = cryptorand.RNGFrom(cryptorand.Reader)
+	s.tables.connections.rand = s.insecureRNG
 }
diff --git a/pkg/tcpip/stack/stack.go b/pkg/tcpip/stack/stack.go
@@ -115,8 +115,7 @@ type Stack struct {
 	handleLocal bool
 
 	// tables are the iptables packet filtering and manipulation rules.
-	// TODO(gvisor.dev/issue/4595): S/R this field.
-	tables *IPTables `state:"nosave"`
+	tables *IPTables
 
 	// restoredEndpoints is a list of endpoints that need to be restored if the
 	// stack is being restored.
@@ -2005,6 +2004,7 @@ func (s *Stack) Restore() {
 	eps := s.restoredEndpoints
 	s.restoredEndpoints = nil
 	saveRestoreEnabled := s.saveRestoreEnabled
+	s.tables.Resume()
 	s.mu.Unlock()
 	for _, e := range eps {
 		e.Restore(s)
@@ -2024,6 +2024,7 @@ func (s *Stack) Resume() {
 	s.mu.Lock()
 	eps := s.resumableEndpoints
 	s.resumableEndpoints = nil
+	s.tables.Resume()
 	s.mu.Unlock()
 	for _, e := range eps {
 		e.Resume()