From: Daniel P. Berrangé
To: libvir-list@redhat.com
Cc: Michal Privoznik, Andrea Bolognani
Date: Mon, 18 Mar 2019 17:47:10 +0000
Message-Id: <20190318174711.28591-2-berrange@redhat.com>
In-Reply-To: <20190318174711.28591-1-berrange@redhat.com>
References: <20190318174711.28591-1-berrange@redhat.com>
Subject: [libvirt] [PATCH 1/2] network: improve error report when firewall chain creation fails

During startup we create some top level chains in which all virtual network firewall rules will be placed. The upfront creation is done to avoid slowing down creation of individual virtual networks by checking for chain existence every time.

There are some factors which can cause this upfront creation to fail and while a message will get into the libvirtd log this won't be seen by users who later try to start a virtual network. Instead they'll just get a message saying that the libvirt top level chain does not exist. This message is accurate, but unhelpful for solving the root cause.

This patch thus saves any error during daemon startup and reports it when trying to create a virtual network later.
Signed-off-by: Daniel P. Berrang=C3=A9 --- src/network/bridge_driver.c | 3 +-- src/network/bridge_driver_linux.c | 29 ++++++++++++++++++++++------ src/network/bridge_driver_nop.c | 3 +-- src/network/bridge_driver_platform.h | 2 +- 4 files changed, 26 insertions(+), 11 deletions(-) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 6789dafd15..27d7d072ce 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -2095,8 +2095,7 @@ static void networkReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup) { VIR_INFO("Reloading iptables rules"); - if (networkPreReloadFirewallRules(startup) < 0) - return; + networkPreReloadFirewallRules(startup); virNetworkObjListForEach(driver->networks, networkReloadFirewallRulesHelper, NULL); diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index b10d0a6c4d..04b9c079ff 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -35,11 +35,25 @@ VIR_LOG_INIT("network.bridge_driver_linux"); =20 #define PROC_NET_ROUTE "/proc/net/route" =20 -int networkPreReloadFirewallRules(bool startup) +static virErrorPtr errInit; + +void networkPreReloadFirewallRules(bool startup) { - int ret =3D iptablesSetupPrivateChains(); - if (ret < 0) - return -1; + int ret; + + /* We create global rules upfront as we don't want + * the perf hit of conditionally figuring out whether + * to create them each time a network is started. + * + * Any errors here are saved to be reported at time + * of starting the network though as that makes them + * more likely to be seen by a human + */ + ret =3D iptablesSetupPrivateChains(); + if (ret < 0) { + errInit =3D virSaveLastError(); + virResetLastError(); + } =20 /* * If this is initial startup, and we just created the @@ -56,8 +70,6 @@ int networkPreReloadFirewallRules(bool startup) */ if (startup && ret =3D=3D 1) iptablesSetDeletePrivate(false); - - return 0; } =20 =20 
@@ -671,6 +683,11 @@ int networkAddFirewallRules(virNetworkDefPtr def) virFirewallPtr fw =3D NULL; int ret =3D -1; =20 + if (errInit) { + virSetError(errInit); + return -1; + } + if (def->bridgeZone) { =20 /* if a firewalld zone has been specified, fail/log an error diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_no= p.c index a0e57012f9..ea9db338cb 100644 --- a/src/network/bridge_driver_nop.c +++ b/src/network/bridge_driver_nop.c @@ -19,9 +19,8 @@ =20 #include =20 -int networkPreReloadFirewallRules(bool startup ATTRIBUTE_UNUSED) +void networkPreReloadFirewallRules(bool startup ATTRIBUTE_UNUSED) { - return 0; } =20 =20 diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driv= er_platform.h index baeb22bc3e..95fd64bdc7 100644 --- a/src/network/bridge_driver_platform.h +++ b/src/network/bridge_driver_platform.h @@ -58,7 +58,7 @@ struct _virNetworkDriverState { typedef struct _virNetworkDriverState virNetworkDriverState; typedef virNetworkDriverState *virNetworkDriverStatePtr; =20 -int networkPreReloadFirewallRules(bool startup); +void networkPreReloadFirewallRules(bool startup); void networkPostReloadFirewallRules(bool startup); =20 int networkCheckRouteCollision(virNetworkDefPtr def); --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
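Review bot: In the bridge_driver.c hunk, dropping the early `return` means `virNetworkObjListForEach(driver->networks, networkReloadFirewallRulesHelper, NULL)` now runs even when `iptablesSetupPrivateChains()` failed, so every active network is walked and each per-network rule re-add will hit the saved `errInit` and fail in turn. If that per-network failure is the intended behaviour (one logged error per network instead of a single early bail-out), the commit message should say so; otherwise keep a boolean return from `networkPreReloadFirewallRules()` and skip the loop on failure while still stashing the error.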
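Review bot: In the first bridge_driver_linux.c hunk, `errInit` is never cleared or freed, so a later successful call to `networkPreReloadFirewallRules()` (for example a non-startup reload) leaves the stale startup error in place and `networkAddFirewallRules()` keeps failing even though the chains now exist; a second failing call also leaks the previous `virSaveLastError()` allocation. Suggest releasing and resetting the saved error before each attempt, along the lines of `virFreeError(errInit); errInit = NULL;` ahead of `ret = iptablesSetupPrivateChains();`. Note also that `errInit` is a plain file-scope global written on the reload path and read on the network start path, so its synchronisation relies on the caller holding the driver lock; a comment stating that assumption would help.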
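Review bot: In the `networkAddFirewallRules()` hunk, `virSetError(errInit)` replays the raw error from `iptablesSetupPrivateChains()` verbatim, so the user sees the original iptables failure but nothing indicating it happened at daemon startup rather than while starting this network, which is the context the commit message says is missing. Consider reporting it with a prefix that names the startup phase (for example that firewall chain setup failed when the daemon started and the daemon needs to be reloaded or restarted after the cause is fixed), so the message is actionable on its own.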