From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH] network: add private chains only if there are networks adding iptables rules
Date: Fri, 5 Jun 2020 13:56:03 -0400
Message-Id: <20200605175603.423515-1-laine@redhat.com>

Juan Quintela noticed that when he restarted libvirt he was getting extra iptables rules added by libvirt even though he didn't have any libvirt networks that used iptables rules. It turns out this also happens if the firewalld service is restarted.

The extra rules are just the private chains, and they're sometimes being added unnecessarily because they are added separately in a global networkPreReloadFirewallRules() that does the init if there are any active networks, regardless of whether or not any of those networks will actually add rules to the host firewall.

The fix is to change the check for "any active networks" to instead check for "any active networks that add firewall rules".

(NB: although the timing seems suspicious, this isn't a new regression caused by the recently pushed f5418b427 (which forces recreation of private chains when firewalld is restarted); it was an existing bug since iptables rules were first put into private chains, even after commit c6cbe18771 delayed creation of the private chains.
The implication is that any downstream based on v5.1.0 or later that cares about these extraneous (but harmless) private chains would want to backport this patch (along with the other two if they aren't already there))

Signed-off-by: Laine Stump
Reviewed-by: Daniel Henrique Barboza
---
 src/network/bridge_driver_linux.c | 49 ++++++++++++++++++++++++-------
 1 file changed, 38 insertions(+), 11 deletions(-)

diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index b0bd207250..4145411b4b 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c
@@ -91,28 +91,55 @@ static void networkSetupPrivateChains(void) =20 =20 static int -networkHasRunningNetworksHelper(virNetworkObjPtr obj, +networkHasRunningNetworksWithFWHelper(virNetworkObjPtr obj, void *opaque) { - bool *running =3D opaque; + bool *activeWithFW =3D opaque; =20 virObjectLock(obj); - if (virNetworkObjIsActive(obj)) - *running =3D true; + if (virNetworkObjIsActive(obj)) { + virNetworkDefPtr def =3D virNetworkObjGetDef(obj); + + switch ((virNetworkForwardType) def->forward.type) { + case VIR_NETWORK_FORWARD_NONE: + case VIR_NETWORK_FORWARD_NAT: + case VIR_NETWORK_FORWARD_ROUTE: + *activeWithFW =3D true; + break; + + case VIR_NETWORK_FORWARD_OPEN: + case VIR_NETWORK_FORWARD_BRIDGE: + case VIR_NETWORK_FORWARD_PRIVATE: + case VIR_NETWORK_FORWARD_VEPA: + case VIR_NETWORK_FORWARD_PASSTHROUGH: + case VIR_NETWORK_FORWARD_HOSTDEV: + case VIR_NETWORK_FORWARD_LAST: + break; + } + } + virObjectUnlock(obj); =20 + /* + * terminate ForEach early once we find an active network that + * adds Firewall rules (return status is ignored) + */ + if (*activeWithFW) + return -1; + return 0; } =20 =20 static bool -networkHasRunningNetworks(virNetworkDriverStatePtr driver) +networkHasRunningNetworksWithFW(virNetworkDriverStatePtr driver) { - bool running =3D false; + bool activeWithFW =3D false; + virNetworkObjListForEach(driver->networks, - networkHasRunningNetworksHelper, - &running); - return running; + networkHasRunningNetworksWithFWHelper, + &activeWithFW); + return activeWithFW; } =20 =20 @@ -150,8 +177,8 @@ networkPreReloadFirewallRules(virNetworkDriverStatePtr = driver, networkSetupPrivateChains(); =20 } else { - if (!networkHasRunningNetworks(driver)) { - VIR_DEBUG("Delayed global rule setup as no networks are runnin= g"); + if (!networkHasRunningNetworksWithFW(driver)) { + VIR_DEBUG("Delayed global rule setup as no networks with firew= all rules are running"); return; } =20 --=20 2.25.4
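Review bot: in the first hunk, the comment in networkHasRunningNetworksWithFWHelper promises that returning -1 "terminates ForEach early", but whether iteration really stops depends on virNetworkObjListForEach treating a negative callback return as a stop signal rather than merely recording it; please confirm that, and if it does not stop, reword the comment so it does not claim an early exit. Correctness does not hinge on it either way: *activeWithFW is only ever set to true and never cleared, and networkHasRunningNetworksWithFW ignores the ForEach return value and reads the flag instead. A smaller point in the same hunk: the set of forward types counted as adding firewall rules (VIR_NETWORK_FORWARD_NONE, _NAT, _ROUTE) is now encoded here independently of the code that actually installs the rules, so a one-line comment above the switch naming that code would help keep the two in sync when a new forward type is added.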
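Review bot: in the second hunk, networkPreReloadFirewallRules() now returns before networkSetupPrivateChains() whenever the only active networks are of a type that adds no rules (open, bridge, private, vepa, passthrough, hostdev); nothing in the hunk shows which path creates the private chains when a NAT or routed network is started afterwards, so it would be worth stating that in the commit message or in a short comment above this check, given that the message already points at c6cbe18771 as the commit that delayed chain creation. The reworded VIR_DEBUG string itself reads correctly and matches the new helper's semantics.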