From: John Ferlan
To: libvir-list@redhat.com
Date: Thu, 30 Aug 2018 11:06:07 -0400
Message-Id: <20180830150608.13336-2-jferlan@redhat.com>
In-Reply-To: <20180830150608.13336-1-jferlan@redhat.com>
References: <20180830150608.13336-1-jferlan@redhat.com>
Subject: [libvirt] [PATCH v2 1/2] nwfilter: Disallow binding creation in session mode

Similar to nwfilterDefineXML, let's be sure a filter binding creation is not attempted in session mode and generate the proper error message. Failure to open nwfilter in session mode (nwfilterConnectOpen) fails already, but that doesn't stop the free thinker from using a different connection in order to attempt to create the binding. Although even doing that would result in a failure:

$ virsh nwfilter-binding-create QEMUGuest1-binding.xml
error: Failed to create network filter from QEMUGuest1-binding.xml
error: internal error: Could not get access to ACL tech driver 'ebiptables'
$

Signed-off-by: John Ferlan
Reviewed-by: Daniel P. Berrangé
---
 src/nwfilter/nwfilter_driver.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c index ac3a964388..1ee5162b9a 100644 --- a/src/nwfilter/nwfilter_driver.c +++ b/src/nwfilter/nwfilter_driver.c 
@@ -745,6 +745,12 @@ nwfilterBindingCreateXML(virConnectPtr conn, =20 virCheckFlags(0, NULL); =20 + if (!driver->privileged) { + virReportError(VIR_ERR_OPERATION_INVALID, "%s", + _("Can't define NWFilter bindings in session mode")= ); + return NULL; + } + def =3D virNWFilterBindingDefParseString(xml); if (!def) return NULL; --=20 2.17.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
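
Review bot: the error string in the added `!driver->privileged` branch of nwfilterBindingCreateXML reads "Can't define NWFilter bindings in session mode", which looks carried over from the nwfilterDefineXML check the commit message mentions. This entry point creates a binding, so "Can't create NWFilter bindings in session mode" would match what a caller of `virsh nwfilter-binding-create` actually asked for. The check sits before virNWFilterBindingDefParseString(xml), so the early `return NULL` has nothing to free, which is the right place for it.
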
From: John Ferlan
To: libvir-list@redhat.com
Date: Thu, 30 Aug 2018 11:06:08 -0400
Message-Id: <20180830150608.13336-3-jferlan@redhat.com>
In-Reply-To: <20180830150608.13336-1-jferlan@redhat.com>
References: <20180830150608.13336-1-jferlan@redhat.com>
Subject: [libvirt] [PATCH v2 2/2] nwfilter: Check for filter presence before open connect during teardown

https://bugzilla.redhat.com/show_bug.cgi?id=1608275

Instantiation of an nwfilter binding is only allowed when the net->filter is defined for the network; however, the teardown of the binding does not make this check. This leaves open the possibility that the teardown could be called during guest shutdown/teardown in session mode resulting in the following error being logged:

error : nwfilterConnectOpen:383 : internal error: unexpected nwfilter URI path '/session', try nwfilter:///system

So before going through the teardown processing, let's be sure the network had a filter and then attempt to get a connection. For session mode it's not even possible to create an nwfilter binding.

Signed-off-by: John Ferlan
Reviewed-by: Daniel P. Berrangé
---
 src/conf/domain_nwfilter.c | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/src/conf/domain_nwfilter.c b/src/conf/domain_nwfilter.c index f39c8a1f9b..e75fb598e8 100644 --- a/src/conf/domain_nwfilter.c +++ b/src/conf/domain_nwfilter.c @@ -149,9 +149,12 @@ virDomainConfNWFilterTeardownImpl(virConnectPtr conn, void virDomainConfNWFilterTeardown(virDomainNetDefPtr net) { - virConnectPtr conn =3D virGetConnectNWFilter(); + virConnectPtr conn; =20 - if (!conn) + if (!net->filter) + return; + + if (!(conn =3D virGetConnectNWFilter())) return; =20 virDomainConfNWFilterTeardownImpl(conn, net); @@ -163,14 +166,19 @@ void virDomainConfVMNWFilterTeardown(virDomainObjPtr vm) { size_t i; - virConnectPtr conn =3D virGetConnectNWFilter(); + virConnectPtr conn =3D NULL; =20 - if (!conn) - return; + for (i =3D 0; i < vm->def->nnets; i++) { + virDomainNetDefPtr net =3D vm->def->nets[i]; =20 + if (!net->filter) + continue; =20 - for (i =3D 0; i < vm->def->nnets; i++) - virDomainConfNWFilterTeardownImpl(conn, vm->def->nets[i]); + if (!conn && !(conn =3D virGetConnectNWFilter())) + return; + + virDomainConfNWFilterTeardownImpl(conn, net); + } =20 virObjectUnref(conn); } --=20 2.17.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
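
Review bot: in the first hunk, the new `if (!net->filter) return;` guard in virDomainConfNWFilterTeardown carries no comment, yet its position ahead of virGetConnectNWFilter() is the entire fix, so a later cleanup could reorder the two and bring back the session-mode nwfilterConnectOpen error from the commit message. A short comment saying that an interface without a filter never had a binding and must not trigger a connection open would pin the ordering down. The remaining `if (!(conn = virGetConnectNWFilter())) return;` path still skips teardown silently for an interface that does have a filter, exactly as the removed `if (!conn)` did, because the function returns void.
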
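
Review bot: in the second hunk, virDomainConfVMNWFilterTeardown now initialises `conn` to NULL and assigns it only inside the loop, so when no entry in vm->def->nets has `net->filter` set the trailing `virObjectUnref(conn)` is reached with a NULL pointer. The hunk relies on virObjectUnref tolerating NULL there; either say so in a comment or guard the call with `if (conn)` so the intent is visible at the call site. The early `return` inside the loop is fine with respect to the reference, since it is only taken while `conn` is still NULL.
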