From: Jim Fehlig
To: libvir-list@redhat.com
Date: Tue, 30 Apr 2019 14:34:44 -0600
Message-Id: <20190430203444.25432-1-jfehlig@suse.com>
Subject: [libvirt] [PATCH RFC] network: Delay creating private chains until starting network

Automated performance tests found that network-centric workloads suffered a 20 percent decrease when the host libvirt was updated from 5.0.0 to 5.1.0. On the test hosts libvirtd is enabled to start at boot and the "default" network is defined, but it is not set to autostart. libvirt 5.1.0 introduced private firewall chains with commit 5f1e6a7d. The chains are created at libvirtd start, which triggers loading the conntrack kernel module.
Subsequent tracking and processing of connections resulted in the performance hit. Prior to commit 5f1e6a7d the conntrack module would not be loaded until starting a network, when libvirt added rules to the builtin chains. Restore the behavior of previous libvirt versions by delaying the creation of private chains until the first network is started.

Signed-off-by: Jim Fehlig
---
I briefly discussed this issue with Daniel on IRC and am just now finding time to bring it to the list for broader discussion. The adjustment to the test file feels hacky. The whole approach might be hacky, hence the RFC.

src/network/bridge_driver_linux.c | 64 +++------- .../nat-default-linux.args | 116 ++++++++++++++++++ 2 files changed, 131 insertions(+), 49 deletions(-) diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index f2827543ca..a3a09caeba 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c
@@ -35,44 +35,10 @@ VIR_LOG_INIT("network.bridge_driver_linux"); =20 #define PROC_NET_ROUTE "/proc/net/route" =20 -static virErrorPtr errInitV4; -static virErrorPtr errInitV6; +static bool pvtChainsCreated; =20 void networkPreReloadFirewallRules(bool startup) { - bool created =3D false; - int rc; - - /* We create global rules upfront as we don't want - * the perf hit of conditionally figuring out whether - * to create them each time a network is started. - * - * Any errors here are saved to be reported at time - * of starting the network though as that makes them - * more likely to be seen by a human - */ - rc =3D iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV4); - if (rc < 0) { - errInitV4 =3D virSaveLastError(); - virResetLastError(); - } else { - virFreeError(errInitV4); - errInitV4 =3D NULL; - } - if (rc) - created =3D true; - - rc =3D iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6); - if (rc < 0) { - errInitV6 =3D virSaveLastError(); - virResetLastError(); - } else { - virFreeError(errInitV6); - errInitV6 =3D NULL; - } - if (rc) - created =3D true; - /* * If this is initial startup, and we just created the * top level private chains we either @@ -86,8 +52,8 @@ void networkPreReloadFirewallRules(bool startup) * rules will be present. Thus we can safely just tell it * to always delete from the builin chain */ - if (startup && created) - iptablesSetDeletePrivate(false); + if (startup) + iptablesSetDeletePrivate(true); } =20 =20 
@@ -701,19 +667,19 @@ int networkAddFirewallRules(virNetworkDefPtr def) virFirewallPtr fw =3D NULL; int ret =3D -1; =20 - if (errInitV4 && - (virNetworkDefGetIPByIndex(def, AF_INET, 0) || - virNetworkDefGetRouteByIndex(def, AF_INET, 0))) { - virSetError(errInitV4); - return -1; - } + if (!pvtChainsCreated) { + if (iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV4) < 0 && + (virNetworkDefGetIPByIndex(def, AF_INET, 0) || + virNetworkDefGetRouteByIndex(def, AF_INET, 0))) + return -1; =20 - if (errInitV6 && - (virNetworkDefGetIPByIndex(def, AF_INET6, 0) || - virNetworkDefGetRouteByIndex(def, AF_INET6, 0) || - def->ipv6nogw)) { - virSetError(errInitV6); - return -1; + if (iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6) < 0 && + (virNetworkDefGetIPByIndex(def, AF_INET6, 0) || + virNetworkDefGetRouteByIndex(def, AF_INET6, 0) || + def->ipv6nogw)) + return -1; + + pvtChainsCreated =3D true; } =20 if (def->bridgeZone) { diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/n= etworkxml2firewalldata/nat-default-linux.args index c9d523d043..61d620b592 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.args +++ b/tests/networkxml2firewalldata/nat-default-linux.args 
@@ -1,5 +1,121 @@ iptables \ --table filter \ +--list-rules +iptables \ +--table nat \ +--list-rules +iptables \ +--table mangle \ +--list-rules +iptables \ +--table filter \ +--new-chain LIBVIRT_INP +iptables \ +--table filter \ +--insert INPUT \ +--jump LIBVIRT_INP +iptables \ +--table filter \ +--new-chain LIBVIRT_OUT +iptables \ +--table filter \ +--insert OUTPUT \ +--jump LIBVIRT_OUT +iptables \ +--table filter \ +--new-chain LIBVIRT_FWO +iptables \ +--table filter \ +--insert FORWARD \ +--jump LIBVIRT_FWO +iptables \ +--table filter \ +--new-chain LIBVIRT_FWI +iptables \ +--table filter \ +--insert FORWARD \ +--jump LIBVIRT_FWI +iptables \ +--table filter \ +--new-chain LIBVIRT_FWX +iptables \ +--table filter \ +--insert FORWARD \ +--jump LIBVIRT_FWX +iptables \ +--table nat \ +--new-chain LIBVIRT_PRT +iptables \ +--table nat \ +--insert POSTROUTING \ +--jump LIBVIRT_PRT +iptables \ +--table mangle \ +--new-chain LIBVIRT_PRT +iptables \ +--table mangle \ +--insert POSTROUTING \ +--jump LIBVIRT_PRT +ip6tables \ +--table filter \ +--list-rules +ip6tables \ +--table nat \ +--list-rules +ip6tables \ +--table mangle \ +--list-rules +ip6tables \ +--table filter \ +--new-chain LIBVIRT_INP +ip6tables \ +--table filter \ +--insert INPUT \ +--jump LIBVIRT_INP +ip6tables \ +--table filter \ +--new-chain LIBVIRT_OUT +ip6tables \ +--table filter \ +--insert OUTPUT \ +--jump LIBVIRT_OUT +ip6tables \ +--table filter \ +--new-chain LIBVIRT_FWO +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump LIBVIRT_FWO +ip6tables \ +--table filter \ +--new-chain LIBVIRT_FWI +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump LIBVIRT_FWI +ip6tables \ +--table filter \ +--new-chain LIBVIRT_FWX +ip6tables \ +--table filter \ +--insert FORWARD \ +--jump LIBVIRT_FWX +ip6tables \ +--table nat \ +--new-chain LIBVIRT_PRT +ip6tables \ +--table nat \ +--insert POSTROUTING \ +--jump LIBVIRT_PRT +ip6tables \ +--table mangle \ +--new-chain LIBVIRT_PRT +ip6tables \ +--table mangle \ 
+--insert POSTROUTING \ +--jump LIBVIRT_PRT +iptables \ +--table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --=20 2.21.0
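Review bot: In the @@ -35,44 +35,10 @@ hunk, the new `static bool pvtChainsCreated` replaces the saved errInitV4/errInitV6 state but is never cleared, and networkPreReloadFirewallRules() is also entered with startup == false (a firewall reload, per its name). If a reload happens after the private chains were flushed or removed out from under libvirt, networkAddFirewallRules() will still see pvtChainsCreated == true, skip iptablesSetupPrivateChains(), and insert per-network rules into chains that no longer exist. Consider resetting `pvtChainsCreated = false;` in this function on both the startup and reload paths so the next network start re-creates the chains.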
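Review bot: In the @@ -86,8 +52,8 @@ hunk, `iptablesSetDeletePrivate(true)` is now called unconditionally at startup, but the comment kept above it still says the top level private chains were "just created" and that it is safe "to always delete from the builtin chain", which is the opposite of what deletePrivate == true requests; at this point the chains may not exist at all, since they are now created lazily in networkAddFirewallRules(). Please rewrite the comment to describe the new reasoning and state whether leftover rules from a pre-5.1.0 libvirt in the builtin chains, the case the removed `startup && created` check handled, are still cleaned up.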
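Review bot: In the @@ -701,19 +667,19 @@ hunk, `pvtChainsCreated = true;` is reached even when one of the two iptablesSetupPrivateChains() calls failed and the failure was tolerated only because this particular network has no address or route of that family. A later network that does use that family will then skip chain creation entirely and fail, or add rules to a missing chain, with no indication that the earlier IPv4 or IPv6 setup failed; the removed errInitV4/errInitV6 code reported exactly that saved error per network. Suggest tracking the families separately, e.g. `static bool pvtChainsCreatedV4, pvtChainsCreatedV6;`, each set only when its own setup call succeeded, so the failed family is retried on the next network start. Also, when a failure is tolerated the error left behind by iptablesSetupPrivateChains() is not cleared; the old code called virResetLastError() in that situation.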
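Review bot: In the @@ -1,5 +1,121 @@ hunk of nat-default-linux.args, the expected output now embeds the full chain creation sequence for the first network started in the process, but because pvtChainsCreated is a process-global static, any further network started in the same test process would emit none of these lines. If the test that consumes tests/networkxml2firewalldata runs more than one data file in one process, the expected output depends on which case runs first. A small reset helper for the flag that the test calls before each case (or keeping the chain setup in a separately tested function) would make the .args files independent of ordering, which may also address the "hacky" feeling noted in the cover text.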