From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: libvir-list@redhat.com Date: Wed, 22 May 2019 13:29:01 +0100 Message-Id: <20190522122903.18763-2-berrange@redhat.com> In-Reply-To: <20190522122903.18763-1-berrange@redhat.com> References: <20190522122903.18763-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 1/3] network: pull global chain init into separate method X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.41]); Wed, 22 May 2019 12:31:59 +0000 (UTC) Pull the logic for creating global iptables chains into a separate method and protect its invokation with virOnce, to make it possible to reuse it in non-startup paths. Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Jim Fehlig
---
 src/network/bridge_driver_linux.c | 39 +++++++++++++++++++------------
 1 file changed, 24 insertions(+), 15 deletions(-)
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c
index f2827543ca..0d849173b2 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -35,22 +35,18 @@ VIR_LOG_INIT("network.bridge_driver_linux");
=20
 #define PROC_NET_ROUTE "/proc/net/route"
=20
+static virOnceControl createdOnce;
+static bool createdChains;
 static virErrorPtr errInitV4;
 static virErrorPtr errInitV6;
=20
-void networkPreReloadFirewallRules(bool startup)
+/* Only call via virOnce */
+static void networkSetupPrivateChains(void)
 {
- bool created =3D false;
 int rc;
=20
- /* We create global rules upfront as we don't want
- * the perf hit of conditionally figuring out whether
- * to create them each time a network is started.
- *
- * Any errors here are saved to be reported at time
- * of starting the network though as that makes them
- * more likely to be seen by a human
- */
+ createdChains =3D false;
+
 rc =3D iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV4);
 if (rc < 0) {
 errInitV4 =3D virSaveLastError();
@@ -58,9 +54,9 @@ void networkPreReloadFirewallRules(bool startup)
 } else {
 virFreeError(errInitV4);
 errInitV4 =3D NULL;
+ if (rc)
+ createdChains =3D true;
 }
- if (rc)
- created =3D true;
=20
 rc =3D iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6);
 if (rc < 0) {
@@ -69,9 +65,22 @@ void networkPreReloadFirewallRules(bool startup)
 } else {
 virFreeError(errInitV6);
 errInitV6 =3D NULL;
+ if (rc)
+ createdChains =3D true;
 }
- if (rc)
- created =3D true;
+}
+
+void networkPreReloadFirewallRules(bool startup)
+{
+ /* We create global rules upfront as we don't want
+ * the perf hit of conditionally figuring out whether
+ * to create them each time a network is started.
+ *
+ * Any errors here are saved to be reported at time
+ * of starting the network though as that makes them
+ * more likely to be seen by a human
+ */
+ ignore_value(virOnce(&createdOnce, networkSetupPrivateChains));
=20
 /*
 * If this is initial startup, and we just created the
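Review bot: `static virOnceControl createdOnce;` in the first hunk relies on zero-initialisation of the embedded once-control rather than the explicit initializer libvirt provides, so `static virOnceControl createdOnce = VIR_ONCE_CONTROL_INITIALIZER;` would state the intent and not depend on the platform's PTHREAD_ONCE_INIT being all-zero. In the third hunk the result of virOnce is discarded with ignore_value(); should it ever fail, networkSetupPrivateChains never runs, createdChains stays false and errInitV4/errInitV6 stay NULL, so the problem would only surface later when per-network rules are added, and a comment such as `/* virOnce failure is not expected; it would leave errInitV4/errInitV6 unset */` would tell the reader that this is accepted. networkPreReloadFirewallRules continues past the end of this hunk.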
@@ -86,7 +95,7 @@ void networkPreReloadFirewallRules(bool startup)
 * rules will be present. Thus we can safely just tell it
 * to always delete from the builin chain
 */
- if (startup && created)
+ if (startup && createdChains)
 iptablesSetDeletePrivate(false);
 }
=20
--=20 2.21.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Fri May 3 18:24:27 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1558528310; cv=none; d=zoho.com; s=zohoarc; b=Jr3CKsiyXUfsI0h4FfRM/clhJ7iArrn8urChgxdxA/1WwFzCvPe3d+AmoMSwS4trXro2XENfVRvSztLwpIi81vuWyXvumZZN4AUfN5YzUHM6DVGJISeNqoRRzVq/2baShvGM3S0RXAfAUF9g7/MSZOiDmjz6nFp8JvJD3PDZoLg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1558528310; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To:ARC-Authentication-Results; bh=D3G+f6+FFZEL5Vjuk6/BDqZPRDCiOQZrbWLwi2uie2Y=; b=Y0TNkUJyTCslpR97wUzLl34iXcBP9ZFFZJ27NCXNuC7IxJXpdeC+RsCXhqAMRVFOeoKK03VucUxDGYNAt7L8gwc8m3GIguUBXxLck5zcxdwcvYN8bOQNEiHe+oE7s+KeZOoBIF6j0CPiGjRYibfSLK8jfq/QXGKXkNJ8qmoBm+I= ARC-Authentication-Results: i=1; mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) header.from= Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: libvir-list@redhat.com Date: Wed, 22 May 2019 13:29:02 +0100 Message-Id: <20190522122903.18763-3-berrange@redhat.com> In-Reply-To: <20190522122903.18763-1-berrange@redhat.com> References: <20190522122903.18763-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 2/3] network: add more debugging of firewall chain creation X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.40]); Wed, 22 May 2019 12:31:44 +0000 (UTC) Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Jim Fehlig
---
 src/network/bridge_driver_linux.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c
index 0d849173b2..2b29363f3c 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -45,28 +45,42 @@ static void networkSetupPrivateChains(void)
 {
 int rc;
=20
+ VIR_DEBUG("Setting up global firewall chains");
+
 createdChains =3D false;
=20
 rc =3D iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV4);
 if (rc < 0) {
+ VIR_DEBUG("Failed to create global IPv4 chains: %s",
+ virGetLastErrorMessage());
 errInitV4 =3D virSaveLastError();
 virResetLastError();
 } else {
 virFreeError(errInitV4);
 errInitV4 =3D NULL;
- if (rc)
+ if (rc) {
+ VIR_DEBUG("Created global IPv4 chains");
 createdChains =3D true;
+ } else {
+ VIR_DEBUG("Global IPv4 chains already exist");
+ }
 }
=20
 rc =3D iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6);
 if (rc < 0) {
+ VIR_DEBUG("Failed to create global IPv6 chains: %s",
+ virGetLastErrorMessage());
 errInitV6 =3D virSaveLastError();
 virResetLastError();
 } else {
 virFreeError(errInitV6);
 errInitV6 =3D NULL;
- if (rc)
+ if (rc) {
+ VIR_DEBUG("Created global IPv6 chains");
 createdChains =3D true;
+ } else {
+ VIR_DEBUG("Global IPv6 chains already exist");
+ }
 }
 }
=20
--=20 2.21.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Fri May 3 18:24:27 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1558528260; cv=none; d=zoho.com; s=zohoarc; b=gy9JEvY93aVbf/70BHo2BhfM26Likzj9gBp9XY/NlVY0uaHmbtQgO/593tCGwAvMQUUrPPxHZo0GPSQIk4M+4JhkfQgIJOwsMH3eDaylCmCsTtK0194k7KoKIvv6JFdwshssWPk7OUj+nInpLkFD7PXRWlp9Y80/XJwWpKGn898= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1558528260;
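Review bot: The two new failure messages, `VIR_DEBUG("Failed to create global IPv4 chains: %s", virGetLastErrorMessage());` and its IPv6 twin, log a genuine failure at debug level, which is invisible under the default log filters; since the saved error is by design only reported later when a network is started, the daemon log gives no hint at the time the chains could not be created. Using `VIR_WARN` for the two failure branches, while keeping the "Created"/"already exist" messages at debug, would make the root cause visible where and when it happens. This is a log-level choice rather than a correctness defect; the rest of the function body is unchanged by this hunk.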
May 2019 12:29:12 +0000 (UTC) From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: libvir-list@redhat.com Date: Wed, 22 May 2019 13:29:03 +0100 Message-Id: <20190522122903.18763-4-berrange@redhat.com> In-Reply-To: <20190522122903.18763-1-berrange@redhat.com> References: <20190522122903.18763-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 3/3] network: delay global firewall setup if no networks are running X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.44]); Wed, 22 May 2019 12:30:54 +0000 (UTC) Creating firewall rules for the virtual networks causes the kernel to load the conntrack module. This imposes a significant performance penalty on Linux network traffic. Thus we want to only take that hit if we actually have virtual networks running. We need to create global firewall rules during startup in order to "upgrade" rules for any running networks created by older libvirt. If no running networks are present though, we can safely delay setup until the time we actually start a network. 
Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Jim Fehlig
---
 src/network/bridge_driver.c | 2 +-
 src/network/bridge_driver_linux.c | 56 ++++++++++++++++++++++---
 src/network/bridge_driver_nop.c | 3 +-
 src/network/bridge_driver_platform.h | 2 +-
 tests/networkxml2firewalldata/base.args | 34 +++++++++++++++
 tests/networkxml2firewalltest.c | 36 +++++++++++++---
 6 files changed, 119 insertions(+), 14 deletions(-)
 create mode 100644 tests/networkxml2firewalldata/base.args
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 0e9bb78c32..c0c026e242 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -2122,7 +2122,7 @@ networkReloadFirewallRules(virNetworkDriverStatePtr d= river, bool startup)
 * but until we untangle the virt driver that's not viable */
 if (!driver->privileged)
 return;
- networkPreReloadFirewallRules(startup);
+ networkPreReloadFirewallRules(driver, startup);
 virNetworkObjListForEach(driver->networks, networkReloadFirewallRulesHelper, NULL);
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c
index 2b29363f3c..fdd5d7066e 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -84,16 +84,57 @@ static void networkSetupPrivateChains(void)
 }
 }
=20
-void networkPreReloadFirewallRules(bool startup)
+
+static int
+networkHasRunningNetworksHelper(virNetworkObjPtr obj,
+ void *opaque)
 {
- /* We create global rules upfront as we don't want
- * the perf hit of conditionally figuring out whether
- * to create them each time a network is started.
+ bool *running =3D opaque;
+
+ virObjectLock(obj);
+ if (virNetworkObjIsActive(obj))
+ *running =3D true;
+ virObjectUnlock(obj);
+
+ return 0;
+}
+
+
+static bool
+networkHasRunningNetworks(virNetworkDriverStatePtr driver)
+{
+ bool running =3D false;
+ virNetworkObjListForEach(driver->networks,
+ networkHasRunningNetworksHelper,
+ &running);
+ return running;
+}
+
+
+void networkPreReloadFirewallRules(virNetworkDriverStatePtr driver, bool s= tartup)
+{
+ /*
+ * If there are any running networks, we need to
+ * create the global rules upfront. This allows us
+ * convert rules created by old libvirt into the new
+ * format.
+ *
+ * If there are not any running networks, then we
+ * must not create rules, because the rules will
+ * cause the contrack kernel module to be loaded.
+ * This imposes a significant performance hit on
+ * the networking stack. Thus we will only create
+ * rules if a network is later startup.
 *
 * Any errors here are saved to be reported at time
 * of starting the network though as that makes them
 * more likely to be seen by a human
 */
+ if (!networkHasRunningNetworks(driver)) {
+ VIR_DEBUG("Delayed global rule setup as no networks are running");
+ return;
+ }
+
 ignore_value(virOnce(&createdOnce, networkSetupPrivateChains));
=20
 /*
@@ -109,8 +150,10 @@ void networkPreReloadFirewallRules(bool startup)
 * rules will be present. Thus we can safely just tell it
 * to always delete from the builin chain
 */
- if (startup && createdChains)
+ if (startup && createdChains) {
+ VIR_DEBUG("Requesting cleanup of legacy firewall rules");
 iptablesSetDeletePrivate(false);
+ }
 }
=20
=20
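Review bot: The new block comment in networkPreReloadFirewallRules has wording defects that will be read for a long time: `cause the contrack kernel module to be loaded` should be `conntrack`, `This allows us convert` needs `to`, and `rules if a network is later startup` should read `rules if a network is later started`. The early `return` it documents also means the legacy-rule cleanup in the second hunk (`iptablesSetDeletePrivate(false)`) is never requested when the daemon starts with no active network; that follows from the description, but one sentence in the comment saying so, e.g. `* No running networks also means no legacy per-network rules to clean up.`, would save the next reader from re-deriving it. networkHasRunningNetworksHelper keeps walking the list after the first active network is found, which is harmless but worth a short comment since virNetworkObjListForEach offers no early exit here.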
@@ -724,6 +767,9 @@ int networkAddFirewallRules(virNetworkDefPtr def)
 virFirewallPtr fw =3D NULL;
 int ret =3D -1;
=20
+ if (virOnce(&createdOnce, networkSetupPrivateChains) < 0)
+ return -1;
+
 if (errInitV4 &&
 (virNetworkDefGetIPByIndex(def, AF_INET, 0) ||
 virNetworkDefGetRouteByIndex(def, AF_INET, 0))) {
diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_no= p.c
index ea9db338cb..ec7b1ed8b7 100644
--- a/src/network/bridge_driver_nop.c
+++ b/src/network/bridge_driver_nop.c
@@ -19,7 +19,8 @@
=20
 #include
=20
-void networkPreReloadFirewallRules(bool startup ATTRIBUTE_UNUSED)
+void networkPreReloadFirewallRules(virNetworkDriverStatePtr driver ATTRIBU= TE_UNUSED,
+ bool startup ATTRIBUTE_UNUSED)
 {
 }
=20
diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driv= er_platform.h
index 95fd64bdc7..5f534fc132 100644
--- a/src/network/bridge_driver_platform.h
+++ b/src/network/bridge_driver_platform.h
@@ -58,7 +58,7 @@ struct _virNetworkDriverState {
 typedef struct _virNetworkDriverState virNetworkDriverState;
 typedef virNetworkDriverState *virNetworkDriverStatePtr;
=20
-void networkPreReloadFirewallRules(bool startup);
+void networkPreReloadFirewallRules(virNetworkDriverStatePtr driver, bool s= tartup);
 void networkPostReloadFirewallRules(bool startup);
=20
 int networkCheckRouteCollision(virNetworkDefPtr def);
diff --git a/tests/networkxml2firewalldata/base.args b/tests/networkxml2fir= ewalldata/base.args
new file mode 100644
index 0000000000..f76ce87b50
--- /dev/null
+++ b/tests/networkxml2firewalldata/base.args
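Review bot: `if (virOnce(&createdOnce, networkSetupPrivateChains) < 0) return -1;` in the networkAddFirewallRules hunk fails the call without reporting a libvirt error of its own, so unless virOnce reports one (not visible in this patch) the caller gets -1 with no error set and the user sees a blank failure when starting the network; if virOnce is silent, `virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Unable to initialize global firewall chains"));` before the return would follow the usual convention in this file. It is also worth confirming that `< 0` matches virOnce's return convention, since the same call is treated as unfailable in networkPreReloadFirewallRules (`ignore_value(...)`) and the two sites should agree. The remainder of networkAddFirewallRules lies outside the hunk; the nop.c and platform.h hunks are signature-only.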
@@ -0,0 +1,34 @@
+iptables --table filter --list-rules
+iptables --table nat --list-rules
+iptables --table mangle --list-rules
+iptables --table filter --new-chain LIBVIRT_INP
+iptables --table filter --insert INPUT --jump LIBVIRT_INP
+iptables --table filter --new-chain LIBVIRT_OUT
+iptables --table filter --insert OUTPUT --jump LIBVIRT_OUT
+iptables --table filter --new-chain LIBVIRT_FWO
+iptables --table filter --insert FORWARD --jump LIBVIRT_FWO
+iptables --table filter --new-chain LIBVIRT_FWI
+iptables --table filter --insert FORWARD --jump LIBVIRT_FWI
+iptables --table filter --new-chain LIBVIRT_FWX
+iptables --table filter --insert FORWARD --jump LIBVIRT_FWX
+iptables --table nat --new-chain LIBVIRT_PRT
+iptables --table nat --insert POSTROUTING --jump LIBVIRT_PRT
+iptables --table mangle --new-chain LIBVIRT_PRT
+iptables --table mangle --insert POSTROUTING --jump LIBVIRT_PRT
+ip6tables --table filter --list-rules
+ip6tables --table nat --list-rules
+ip6tables --table mangle --list-rules
+ip6tables --table filter --new-chain LIBVIRT_INP
+ip6tables --table filter --insert INPUT --jump LIBVIRT_INP
+ip6tables --table filter --new-chain LIBVIRT_OUT
+ip6tables --table filter --insert OUTPUT --jump LIBVIRT_OUT
+ip6tables --table filter --new-chain LIBVIRT_FWO
+ip6tables --table filter --insert FORWARD --jump LIBVIRT_FWO
+ip6tables --table filter --new-chain LIBVIRT_FWI
+ip6tables --table filter --insert FORWARD --jump LIBVIRT_FWI
+ip6tables --table filter --new-chain LIBVIRT_FWX
+ip6tables --table filter --insert FORWARD --jump LIBVIRT_FWX
+ip6tables --table nat --new-chain LIBVIRT_PRT
+ip6tables --table nat --insert POSTROUTING --jump LIBVIRT_PRT
+ip6tables --table mangle --new-chain LIBVIRT_PRT
+ip6tables --table mangle --insert POSTROUTING --jump LIBVIRT_PRT
diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltes= t.c
index 575b68379a..c25282ebb1 100644
--- a/tests/networkxml2firewalltest.c
+++ b/tests/networkxml2firewalltest.c
@@ -22,6 +22,7 @@
 #include
=20
 #include "testutils.h"
+#include "viralloc.h"
=20
 #if defined (__linux__)
=20
@@ -57,13 +58,15 @@ testCommandDryRun(const char *const*args ATTRIBUTE_UNUS= ED,
 }
=20
 static int testCompareXMLToArgvFiles(const char *xml,
- const char *cmdline)
+ const char *cmdline,
+ const char *baseargs)
 {
 char *expectargv =3D NULL;
 char *actualargv =3D NULL;
 virBuffer buf =3D VIR_BUFFER_INITIALIZER;
 virNetworkDefPtr def =3D NULL;
 int ret =3D -1;
+ char *actual;
=20
 virCommandSetDryRun(&buf, testCommandDryRun, NULL);
=20
@@ -76,11 +79,18 @@ static int testCompareXMLToArgvFiles(const char *xml,
 if (virBufferError(&buf))
 goto cleanup;
=20
- actualargv =3D virBufferContentAndReset(&buf);
+ actual =3D actualargv =3D virBufferContentAndReset(&buf);
 virTestClearCommandPath(actualargv);
 virCommandSetDryRun(NULL, NULL, NULL);
=20
- if (virTestCompareToFile(actualargv, cmdline) < 0)
+ /* The first network to be created populates the
+ * libvirt global chains. We must skip args for
+ * that if present
+ */
+ if (STRPREFIX(actual, baseargs))
+ actual +=3D strlen(baseargs);
+
+ if (virTestCompareToFile(actual, cmdline) < 0)
 goto cleanup;
=20
 ret =3D 0;
@@ -95,6 +105,7 @@ static int testCompareXMLToArgvFiles(const char *xml,
=20
 struct testInfo {
 const char *name;
+ const char *baseargs;
 };
=20
=20
@@ -112,7 +123,7 @@ testCompareXMLToIPTablesHelper(const void *data)
 abs_srcdir, info->name, RULESTYPE) < 0)
 goto cleanup;
=20
- result =3D testCompareXMLToArgvFiles(xml, args);
+ result =3D testCompareXMLToArgvFiles(xml, args, info->baseargs);
=20
 cleanup:
 VIR_FREE(xml);
@@ -133,11 +144,13 @@ static int
 mymain(void)
 {
 int ret =3D 0;
+ VIR_AUTOFREE(char *)basefile =3D NULL;
+ VIR_AUTOFREE(char *)baseargs =3D NULL;
=20
 # define DO_TEST(name) \
 do { \
- static struct testInfo info =3D { \
- name, \
+ struct testInfo info =3D { \
+ name, baseargs, \
 }; \
 if (virTestRun("Network XML-2-iptables " name, \
 testCompareXMLToIPTablesHelper, &info) < 0) \
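Review bot: The prefix skip in the third hunk, `if (STRPREFIX(actual, baseargs)) actual += strlen(baseargs);`, makes the global chain-setup output optional for every case, so as far as these hunks show a regression in which the first started network no longer issues the chain-creation commands would still pass: nothing checks that the base args were consumed at least once per run. Recording that the prefix was seen (for example a counter next to baseargs in struct testInfo, checked once in mymain after the DO_TEST sequence) would close that gap; this is hedged because the tail of mymain is outside the hunk. The comment above the check should also say why the skip is conditional, e.g. `* Only the first DO_TEST in the process triggers the setup (virOnce), so later cases see no prefix.`.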
@@ -156,6 +169,17 @@ mymain(void)
 goto cleanup;
 }
=20
+ if (virAsprintf(&basefile, "%s/networkxml2firewalldata/base.args",
+ abs_srcdir) < 0) {
+ ret =3D -1;
+ goto cleanup;
+ }
+
+ if (virTestLoadFile(basefile, &baseargs) < 0) {
+ ret =3D -1;
+ goto cleanup;
+ }
+
 DO_TEST("nat-default");
 DO_TEST("nat-tftp");
 DO_TEST("nat-many-ips");
--=20 2.21.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list