Kerndat

Check needed kernel features exist

  1. Check BPF_PROG_TYPE_SCHED_CLS is supported [has_bpf_sched_cls]
  2. Check that clsact Qdisc with shared filter blocks is supported [has_qdisc_shared_blocks] (Note: run in a test netns) https://lwn.net/Articles/743391/ https://lwn.net/Articles/671458/

Feature check

criu check --feature network-lock-bpf

Add ability to check if bpf based locking/unlocking is possible.

This would typically check the corresponding kerndat fields plus the capabilities needed (CAP_BPF and CAP_NET_ADMIN).


Add --network-lock option

After bpf based locking/unlocking is added, this option would have two possible values (iptables and bpf).

It would be better to default to iptables until bpf method is tested thoroughly.

e.g. criu dump -t 2221 --tcp-established --network-lock iptables
     criu dump -t 2221 --tcp-established --network-lock bpf

The corresponding RPC and libcriu option should be added.


Algorithm flow

I want to use the same hooks that invoke iptables locking/unlocking.

i.e. network_lock_internal and network_unlock_internal for the network-wide case,

and nf_connection_switch for the per-socket case (could be renamed to connection_switch).

Note: the per-socket filter should be loaded in network_lock; connection_switch will then just add connection tuple entries to the associated bpf map.

CRIU could just decide in those hooks which method should be used based on the --network-lock option (opts.network_lock_method).
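To make the per-socket flow concrete, here is an added user-space model (not CRIU code and not a loadable BPF object): the tuple array stands in for the bpf map that connection_switch would fill, and classify() mirrors the verdict a BPF_PROG_TYPE_SCHED_CLS program on the clsact qdisc would return per frame. The frame builder, addresses and ports are constructed sample input.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#define TC_ACT_OK   0   /* tc verdicts a BPF_PROG_TYPE_SCHED_CLS program returns */
#define TC_ACT_SHOT 2
struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; };
static struct tuple locked[64]; /* stands in for the BPF hash map of tuples */
static int nlocked;

/* connection_switch analogue: add one 4-tuple, stored in network byte order. */
int lock_tuple(const char *src, uint16_t sport, const char *dst, uint16_t dport)
{
    if (nlocked >= 64) return -1;
    struct tuple *t = &locked[nlocked];
    if (inet_pton(AF_INET, src, &t->saddr) != 1 || inet_pton(AF_INET, dst, &t->daddr) != 1) return -1;
    t->sport = htons(sport); t->dport = htons(dport);
    nlocked++; return 0;
}

/* Classifier analogue: drop an IPv4/TCP frame whose tuple is locked, in either
 * direction (clsact hooks both ingress and egress). Anything else passes. */
int classify(const uint8_t *frame, size_t len)
{
    if (len < 34 || frame[12] != 0x08 || frame[13] != 0x00) return TC_ACT_OK; /* not IPv4 */
    const uint8_t *ip = frame + 14;
    size_t ihl = (ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6 || len < 14 + ihl + 4) return TC_ACT_OK;
    uint32_t saddr, daddr; uint16_t sport, dport;
    memcpy(&saddr, ip + 12, 4); memcpy(&daddr, ip + 16, 4);
    memcpy(&sport, ip + ihl, 2); memcpy(&dport, ip + ihl + 2, 2);
    for (int i = 0; i < nlocked; i++) {
        const struct tuple *t = &locked[i];
        if ((t->saddr == saddr && t->daddr == daddr && t->sport == sport && t->dport == dport) ||
            (t->saddr == daddr && t->daddr == saddr && t->sport == dport && t->dport == sport))
            return TC_ACT_SHOT;
    }
    return TC_ACT_OK;
}

/* Constructed sample input: a minimal 54-byte Ethernet/IPv4/TCP frame. */
size_t build_tcp_frame(uint8_t *buf, const char *src, uint16_t sport, const char *dst, uint16_t dport)
{
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;            /* EtherType IPv4 */
    buf[14] = 0x45; buf[23] = 6;               /* IPv4, IHL 5, protocol TCP */
    inet_pton(AF_INET, src, buf + 26); inet_pton(AF_INET, dst, buf + 30);
    uint16_t s = htons(sport), d = htons(dport);
    memcpy(buf + 34, &s, 2); memcpy(buf + 36, &d, 2);
    return 54;
}
```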