[libvirt] [PATCH 0/2] network: improve firewall rule creation error handling

Daniel P. Berrangé posted 2 patches 4 weeks ago
Test syntax-check passed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20190318174711.28591-1-berrange@redhat.com
src/network/bridge_driver.c          |  3 +-
src/network/bridge_driver_linux.c    | 51 ++++++++++++++++++++++++----
src/network/bridge_driver_nop.c      |  3 +-
src/network/bridge_driver_platform.h |  2 +-
src/util/viriptables.c               | 14 +++-----
src/util/viriptables.h               |  2 +-
6 files changed, 53 insertions(+), 22 deletions(-)

[libvirt] [PATCH 0/2] network: improve firewall rule creation error handling

Posted by Daniel P. Berrangé 4 weeks ago
This is a different approach to solving the problem describd in:

  https://www.redhat.com/archives/libvir-list/2019-March/msg00584.html

That patch would treat each chain creation attempt as non-fatal. This
means ipv4 chains still get created if ipv6 is missing, or if a subset
of ip[6]tables modules are missing (eg "mangle" chain).

This series takes a different approach of splitting IPv4 and IPv6
chain creation. Setup for either address family can succeed/fail
independently, however, within an address family everything must
still succeed. Improved error reporting means that users will see
the root cause error when trying to start an error.

So with this series, 'mangle' support is still compulsory for
any address family, but if IPv6 lacks mangle support, this won't
break IPv4 support. This is good for the default network which
only does IPv4 out of the box.

Daniel P. Berrangé (2):
  network: improve error report when firewall chain creation fails
  network: split setup of ipv4 and ipv6 top level chains

 src/network/bridge_driver.c          |  3 +-
 src/network/bridge_driver_linux.c    | 51 ++++++++++++++++++++++++----
 src/network/bridge_driver_nop.c      |  3 +-
 src/network/bridge_driver_platform.h |  2 +-
 src/util/viriptables.c               | 14 +++-----
 src/util/viriptables.h               |  2 +-
 6 files changed, 53 insertions(+), 22 deletions(-)

-- 
2.20.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH 0/2] network: improve firewall rule creation error handling

Posted by Andrea Bolognani 4 weeks ago
On Mon, 2019-03-18 at 17:47 +0000, Daniel P. Berrangé wrote:
> This is a different approach to solving the problem describd in:
> 
>   https://www.redhat.com/archives/libvir-list/2019-March/msg00584.html
> 
> That patch would treat each chain creation attempt as non-fatal. This
> means ipv4 chains still get created if ipv6 is missing, or if a subset
> of ip[6]tables modules are missing (eg "mangle" chain).
> 
> This series takes a different approach of splitting IPv4 and IPv6
> chain creation. Setup for either address family can succeed/fail
> independently, however, within an address family everything must
> still succeed. Improved error reporting means that users will see
> the root cause error when trying to start an error.
> 
> So with this series, 'mangle' support is still compulsory for
> any address family, but if IPv6 lacks mangle support, this won't
> break IPv4 support. This is good for the default network which
> only does IPv4 out of the box.
> 
> Daniel P. Berrangé (2):
>   network: improve error report when firewall chain creation fails
>   network: split setup of ipv4 and ipv6 top level chains
> 
>  src/network/bridge_driver.c          |  3 +-
>  src/network/bridge_driver_linux.c    | 51 ++++++++++++++++++++++++----
>  src/network/bridge_driver_nop.c      |  3 +-
>  src/network/bridge_driver_platform.h |  2 +-
>  src/util/viriptables.c               | 14 +++-----
>  src/util/viriptables.h               |  2 +-
>  6 files changed, 53 insertions(+), 22 deletions(-)

The changes make sense and they make the issue I was encountering on
my machine go away, so with the tweaks Michal already pointed out

  Reviewed-by: Andrea Bolognani <abologna@redhat.com>

Is this worth backporting to the stable 5.1.0 branch?

-- 
Andrea Bolognani / Red Hat / Virtualization

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list