[libvirt] [PATCH 0/2] network: improve firewall rule creation error handling

Daniel P. Berrangé posted 2 patches 5 years, 1 month ago
git fetch https://github.com/patchew-project/libvirt tags/patchew/20190318174711.28591-1-berrange@redhat.com
Posted by Daniel P. Berrangé 5 years, 1 month ago
This is a different approach to solving the problem described in:

  https://www.redhat.com/archives/libvir-list/2019-March/msg00584.html

That patch would treat each chain creation attempt as non-fatal. This
means ipv4 chains still get created if ipv6 is missing, or if a subset
of ip[6]tables modules are missing (eg "mangle" chain).

This series takes a different approach of splitting IPv4 and IPv6
chain creation. Setup for either address family can succeed/fail
independently, however, within an address family everything must
still succeed. Improved error reporting means that users will see
the root cause error when trying to start an error.

So with this series, 'mangle' support is still compulsory for
any address family, but if IPv6 lacks mangle support, this won't
break IPv4 support. This is good for the default network which
only does IPv4 out of the box.

Daniel P. Berrangé (2):
  network: improve error report when firewall chain creation fails
  network: split setup of ipv4 and ipv6 top level chains

 src/network/bridge_driver.c          |  3 +-
 src/network/bridge_driver_linux.c    | 51 ++++++++++++++++++++++++----
 src/network/bridge_driver_nop.c      |  3 +-
 src/network/bridge_driver_platform.h |  2 +-
 src/util/viriptables.c               | 14 +++-----
 src/util/viriptables.h               |  2 +-
 6 files changed, 53 insertions(+), 22 deletions(-)

-- 
2.20.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
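As an added illustration of the error-handling design the cover letter describes (this is not libvirt's code; every name below is invented), here is a small C model: chains are created per address family, a family is all-or-nothing with rollback of partially created chains, the two families are attempted independently, and the root-cause ip[6]tables error of an unusable family is kept so that starting a network which needs that family reports it. The real ip[6]tables invocation is replaced by a simulated per-table availability bitmask (`simulated_missing`) so the scenarios run offline.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model only (not libvirt's implementation): per-family
 * chain setup, all-or-nothing within a family, root cause preserved. */

enum { LAYER_IPV4 = 0, LAYER_IPV6 = 1, N_LAYERS = 2 };

/* Tables each family must have chains in; if any one of them fails the
 * whole family is treated as unusable ("mangle" stays compulsory). */
static const char *const tables[] = { "filter", "nat", "mangle" };
enum { N_TABLES = 3 };

/* Hypothetical test knob standing in for the real command: bit t set
 * means table t is missing for that family. */
static unsigned int simulated_missing[N_LAYERS];

struct chain_state {
    bool usable[N_LAYERS];     /* all chains of the family exist */
    int live[N_LAYERS];        /* chains currently created (for rollback) */
    char err[N_LAYERS][256];   /* root-cause error of an unusable family */
};

static const char *tool_name(int layer) {
    return layer == LAYER_IPV4 ? "iptables" : "ip6tables";
}

/* Stand-in for "ip[6]tables -t <table> -N <chain>": 0 on success,
 * -1 with a constructed error message on failure. */
static int create_chain(int layer, int table, char *errbuf, size_t errlen) {
    if (simulated_missing[layer] & (1u << table)) {
        snprintf(errbuf, errlen, "%s: can't initialize %s table: Table does not exist",
                 tool_name(layer), tables[table]);
        return -1;
    }
    return 0;
}

/* Create every chain of one family; on the first failure remove the
 * chains already created so a half-configured family never lingers. */
static int setup_family(struct chain_state *st, int layer) {
    for (int t = 0; t < N_TABLES; t++) {
        if (create_chain(layer, t, st->err[layer], sizeof(st->err[layer])) < 0) {
            while (st->live[layer] > 0)   /* rollback (simulated) */
                st->live[layer]--;
            st->usable[layer] = false;
            return -1;
        }
        st->live[layer]++;
    }
    st->usable[layer] = true;
    st->err[layer][0] = '\0';
    return 0;
}

/* Families are attempted independently: an IPv6 failure neither undoes
 * nor blocks IPv4, and vice versa. */
static void setup_private_chains(struct chain_state *st) {
    memset(st, 0, sizeof(*st));
    setup_family(st, LAYER_IPV4);
    setup_family(st, LAYER_IPV6);
}

/* A network only needs chains for the families it uses; a missing family
 * surfaces the saved root cause instead of a generic setup failure. */
static int network_start(const struct chain_state *st, bool needs_ipv4, bool needs_ipv6,
                         char *errbuf, size_t errlen) {
    if (needs_ipv4 && !st->usable[LAYER_IPV4]) {
        snprintf(errbuf, errlen, "IPv4 firewall chains unavailable: %s", st->err[LAYER_IPV4]);
        return -1;
    }
    if (needs_ipv6 && !st->usable[LAYER_IPV6]) {
        snprintf(errbuf, errlen, "IPv6 firewall chains unavailable: %s", st->err[LAYER_IPV6]);
        return -1;
    }
    return 0;
}

/* Run one scenario end to end: configure the simulated host, set up the
 * chains, then start an IPv4 (optionally dual-stack) network. */
static int scenario(unsigned int v4_missing, unsigned int v6_missing, bool needs_ipv6,
                    struct chain_state *st, char *errbuf, size_t errlen) {
    simulated_missing[LAYER_IPV4] = v4_missing;
    simulated_missing[LAYER_IPV6] = v6_missing;
    setup_private_chains(st);
    return network_start(st, true, needs_ipv6, errbuf, errlen);
}

int main(void) {
    struct chain_state st;
    char err[320];
    /* IPv6 "mangle" missing: the IPv4-only default network still starts. */
    int rc = scenario(0, 1u << 2, false, &st, err, sizeof(err));
    printf("ipv4-only network: %s\n", rc == 0 ? "started" : err);
    /* Same host, a dual-stack network reports the ip6tables root cause. */
    rc = scenario(0, 1u << 2, true, &st, err, sizeof(err));
    printf("dual-stack network: %s\n", rc == 0 ? "started" : err);
    return 0;
}
```

The two properties worth checking against such a model are the ones the cover letter calls out: a failure in one family leaves the other family's chains intact and usable, and within a family a failure leaves no chains behind and records which ip[6]tables table was the cause.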
Re: [libvirt] [PATCH 0/2] network: improve firewall rule creation error handling
Posted by Andrea Bolognani 5 years, 1 month ago
On Mon, 2019-03-18 at 17:47 +0000, Daniel P. Berrangé wrote:
> This is a different approach to solving the problem described in:
> 
>   https://www.redhat.com/archives/libvir-list/2019-March/msg00584.html
> 
> That patch would treat each chain creation attempt as non-fatal. This
> means ipv4 chains still get created if ipv6 is missing, or if a subset
> of ip[6]tables modules are missing (eg "mangle" chain).
> 
> This series takes a different approach of splitting IPv4 and IPv6
> chain creation. Setup for either address family can succeed/fail
> independently, however, within an address family everything must
> still succeed. Improved error reporting means that users will see
> the root cause error when trying to start an error.
> 
> So with this series, 'mangle' support is still compulsory for
> any address family, but if IPv6 lacks mangle support, this won't
> break IPv4 support. This is good for the default network which
> only does IPv4 out of the box.
> 
> Daniel P. Berrangé (2):
>   network: improve error report when firewall chain creation fails
>   network: split setup of ipv4 and ipv6 top level chains
> 
>  src/network/bridge_driver.c          |  3 +-
>  src/network/bridge_driver_linux.c    | 51 ++++++++++++++++++++++++----
>  src/network/bridge_driver_nop.c      |  3 +-
>  src/network/bridge_driver_platform.h |  2 +-
>  src/util/viriptables.c               | 14 +++-----
>  src/util/viriptables.h               |  2 +-
>  6 files changed, 53 insertions(+), 22 deletions(-)

The changes make sense and they make the issue I was encountering on
my machine go away, so with the tweaks Michal already pointed out

  Reviewed-by: Andrea Bolognani <abologna@redhat.com>

Is this worth backporting to the stable 5.1.0 branch?

-- 
Andrea Bolognani / Red Hat / Virtualization
