From: Daniel P. Berrangé
To: libvir-list@redhat.com
Cc: Michal Privoznik, Andrea Bolognani
Date: Mon, 18 Mar 2019 17:47:11 +0000
Message-Id: <20190318174711.28591-3-berrange@redhat.com>
In-Reply-To: <20190318174711.28591-1-berrange@redhat.com>
References: <20190318174711.28591-1-berrange@redhat.com>
Subject: [libvirt] [PATCH 2/2] network: split setup of ipv4 and ipv6 top level chains

During startup libvirtd creates top level chains for both ipv4 and ipv6
protocols. If this fails for any reason then startup of virtual networks
is blocked. The default virtual network, however, only requires use of
ipv4 and some servers have ipv6 disabled so it is expected that ipv6
chain creation will fail. There could equally be servers with no ipv4,
only ipv6.

This patch thus makes error reporting a little more fine-grained so that
it works more sensibly when either ipv4 or ipv6 is disabled on the
server. Only the protocols that are actually used by the virtual network
have errors reported.

Signed-off-by: Daniel P. Berrangé
---
 src/network/bridge_driver_linux.c | 36 +++++++++++++++++++++++++------
 src/util/viriptables.c            | 14 ++++--------
 src/util/viriptables.h            |  2 +-
 3 files changed, 34 insertions(+), 18 deletions(-)
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index 04b9c079ff..4e2320ea0a 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -35,10 +35,12 @@ VIR_LOG_INIT("network.bridge_driver_linux"); =20 #define PROC_NET_ROUTE "/proc/net/route" =20 -static virErrorPtr errInit; +static virErrorPtr errInitV4; +static virErrorPtr errInitV6; =20 -void networkPreReloadFirewallRules(bool startup) +int networkPreReloadFirewallRules(bool startup) { + bool created =3D false; int ret; =20 /* We create global rules upfront as we don't want @@ -49,11 +51,21 @@ void networkPreReloadFirewallRules(bool startup) * of starting the network though as that makes them * more likely to be seen by a human */ - ret =3D iptablesSetupPrivateChains(); + ret =3D iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV4); if (ret < 0) { - errInit =3D virSaveLastError(); + errInitV4 =3D virSaveLastError(); virResetLastError(); } + if (ret) + created =3D true; + + ret =3D iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6); + if (ret < 0) { + errInitV6 =3D virSaveLastError(); + virResetLastError(); + } + if (ret) + created =3D true; =20 /* * If this is initial startup, and we just created the @@ -68,7 +80,7 @@ void networkPreReloadFirewallRules(bool startup) * rules will be present. Thus we can safely just tell it * to always delete from the builin chain */ - if (startup && ret =3D=3D 1) + if (startup && created) iptablesSetDeletePrivate(false); } =20 
@@ -683,8 +695,18 @@ int networkAddFirewallRules(virNetworkDefPtr def) virFirewallPtr fw =3D NULL; int ret =3D -1; =20 - if (errInit) { - virSetError(errInit); + if (errInitV4 && + (virNetworkDefGetIPByIndex(def, AF_INET, 0) || + virNetworkDefGetRouteByIndex(def, AF_INET, 0))) { + virSetError(errInitV4); + return -1; + } + + if (errInitV6 && + (virNetworkDefGetIPByIndex(def, AF_INET6, 0) || + virNetworkDefGetRouteByIndex(def, AF_INET6, 0) || + def->ipv6nogw)) { + virSetError(errInitV6); return -1; } =20 diff --git a/src/util/viriptables.c b/src/util/viriptables.c index d67b640a3b..0e3c0ad73a 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -127,7 +127,7 @@ iptablesPrivateChainCreate(virFirewallPtr fw, =20 =20 int -iptablesSetupPrivateChains(void) +iptablesSetupPrivateChains(virFirewallLayer layer) { virFirewallPtr fw =3D NULL; int ret =3D -1; @@ -143,17 +143,11 @@ iptablesSetupPrivateChains(void) }; bool changed =3D false; iptablesGlobalChainData data[] =3D { - { VIR_FIREWALL_LAYER_IPV4, "filter", + { layer, "filter", filter_chains, ARRAY_CARDINALITY(filter_chains), &changed }, - { VIR_FIREWALL_LAYER_IPV4, "nat", + { layer, "nat", natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed = }, - { VIR_FIREWALL_LAYER_IPV4, "mangle", - natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed = }, - { VIR_FIREWALL_LAYER_IPV6, "filter", - filter_chains, ARRAY_CARDINALITY(filter_chains), &changed }, - { VIR_FIREWALL_LAYER_IPV6, "nat", - natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed = }, - { VIR_FIREWALL_LAYER_IPV6, "mangle", + { layer, "mangle", natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed = }, }; size_t i; diff --git a/src/util/viriptables.h b/src/util/viriptables.h index 903f390f89..e680407ec8 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h 
@@ -24,7 +24,7 @@ # include "virsocketaddr.h" # include "virfirewall.h" =20 -int iptablesSetupPrivateChains (void); +int iptablesSetupPrivateChains (virFirewallLayer layer); =20 void iptablesSetDeletePrivate (bool pvt); =20 --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
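Review bot: changing networkPreReloadFirewallRules() from void to int in the bridge_driver_linux.c hunk @@ -35,10 +35,12 @@ leaves a function with no return statement (the @@ -68,7 +80,7 @@ hunk still closes the body straight after `iptablesSetDeletePrivate(false);`), and the diffstat touches no header, so the prototype the callers compile against still says void. Nothing in the commit message needs a return value here; either keep `void networkPreReloadFirewallRules(bool startup)`, or update the declaration and its callers and return a value on every path.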
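Review bot: `if (ret) created = true;` in the @@ -49,11 +51,21 @@ hunk is also true when iptablesSetupPrivateChains() returned -1, because the failure code is non-zero, whereas the line it replaces tested `ret == 1`. On a host where ip6tables is unavailable, exactly the case the commit message targets, the IPv6 call fails, `created` becomes true, and the startup path below calls `iptablesSetDeletePrivate(false)` even though nothing was created in this run. If falling back to the builtin chains on failure is intended, say so in a comment; otherwise test `ret == 1` (or `ret > 0`) after each of the two calls.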
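Review bot: `if (startup && created)` in the @@ -68,7 +80,7 @@ hunk folds two independent per-layer results into one flag, but `iptablesSetDeletePrivate(bool pvt)` (see the viriptables.h hunk) is a single global switch. When the IPv4 chains already existed from an earlier run (ret == 0) and only the IPv6 chains were created now (ret == 1), the delete-from-builtin choice is applied to the IPv4 layer as well, where, per the comment above this block, the existing rules would already be in the private chains. Track the flag per layer, or give iptablesSetDeletePrivate() a layer argument, and reword the comment, which still describes one set of chains (and fix "builin" while there).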
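Review bot: the two conditions in the @@ -683,8 +695,18 @@ hunk implement the rule from the commit message (a layer's chain-setup failure only matters to a network that uses that layer), but nothing in the code says so, and a reader of networkAddFirewallRules() will not see why an IPv4 failure is ignored for a network whose only <ip> is IPv6. Add a short comment above the first `if (errInitV4 &&` stating the rule, including that `def->ipv6nogw` counts as IPv6 use because it emits ip6tables rules without any address being configured.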
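Review bot: the new `virFirewallLayer layer` parameter in the viriptables.h hunk @@ -24,7 +24,7 @@ is undocumented, and with the @@ -143,17 +143,11 @@ change the function now has to be called once per layer rather than once for both. Add a comment on the declaration saying it sets up the filter, nat and mangle chains for one layer only, and spell out the return convention the callers in bridge_driver_linux.c now rely on (`if (ret < 0)` for failure with a virError set, 1 when the chains were newly created, otherwise 0).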
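To see which network definitions the new gating in networkAddFirewallRules() would block under each failure combination, here is an added example that is not part of the patch or of libvirt's code base: a Python restatement of that check, run against constructed network XML, so no libvirtd, iptables or root is needed. It assumes, as libvirt's parser does, that an <ip> or <route> element without a family attribute is IPv4, and that `<network ipv6='yes'>` is the XML form behind `def->ipv6nogw`.

```python
"""Which firewall layers does a libvirt <network> definition use?

Added example, not code from the patch or from libvirt. It restates the
gating the patch adds to networkAddFirewallRules(): a saved chain-setup
error for a protocol layer only blocks a network that uses that layer.
Assumptions: <ip>/<route> with no family attribute are IPv4 (libvirt's
parser default); <network ipv6='yes'> is the XML form of def->ipv6nogw.
"""
import xml.etree.ElementTree as ET

IPV4, IPV6 = "ipv4", "ipv6"


def layers_used(network_xml: str) -> set:
    """Return the subset of {"ipv4", "ipv6"} this network definition needs."""
    root = ET.fromstring(network_xml)
    used = set()
    # Mirrors virNetworkDefGetIPByIndex()/virNetworkDefGetRouteByIndex()
    # with AF_INET / AF_INET6: any address or route of that family counts.
    for el in root.findall("ip") + root.findall("route"):
        used.add(IPV6 if el.get("family", IPV4) == IPV6 else IPV4)
    # def->ipv6nogw: guest-to-guest IPv6 with no address still needs ip6tables.
    if root.get("ipv6") == "yes":
        used.add(IPV6)
    return used


def blocking_error(network_xml: str, err_v4=None, err_v6=None):
    """Return the saved startup error that would stop this network, or None.

    err_v4 / err_v6 play the role of errInitV4 / errInitV6: the error
    saved at daemon startup when that layer's top-level chains could not
    be created. Order matches the patch: the IPv4 check comes first.
    """
    used = layers_used(network_xml)
    if err_v4 and IPV4 in used:
        return err_v4
    if err_v6 and IPV6 in used:
        return err_v6
    return None


# Constructed sample definitions (documentation prefixes, not a real host).
DEFAULT_NET = """<network>
  <name>default</name>
  <forward mode='nat'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'/>
</network>"""

V6ONLY_NET = """<network>
  <name>v6only</name>
  <forward mode='route'/>
  <ip family='ipv6' address='2001:db8:ca2:2::1' prefix='64'/>
</network>"""

DUAL_NET = """<network>
  <name>dual</name>
  <forward mode='nat'/>
  <ip address='192.168.123.1' netmask='255.255.255.0'/>
  <route family='ipv6' address='2001:db8:ca2:3::' prefix='64'
         gateway='2001:db8:ca2:2::2'/>
</network>"""

NOGW_NET = """<network ipv6='yes'>
  <name>isolated-v6</name>
</network>"""

if __name__ == "__main__":
    # A host with ip6tables disabled: only networks that use IPv6 are blocked.
    v6_err = "ip6tables: chain creation failed"
    for xml in (DEFAULT_NET, V6ONLY_NET, DUAL_NET, NOGW_NET):
        name = ET.fromstring(xml).findtext("name")
        print(name, sorted(layers_used(xml)), blocking_error(xml, None, v6_err))
```

Running it reproduces the behaviour the commit message describes: with only the IPv6 error saved, `default` starts, `v6only`, `dual` and `isolated-v6` are refused with that error; with only the IPv4 error saved, `v6only` and `isolated-v6` still start. A network with neither addresses, routes nor `ipv6='yes'` passes both checks regardless of which layer failed.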