[PATCH 0/8] run iptables directly rather than via firewalld

Laine Stump posted 8 patches 3 years, 4 months ago
Test syntax-check failed
git fetch https://github.com/patchew-project/libvirt tags/patchew/20201124033004.1163126-1-laine@redhat.com
src/libvirt_private.syms                      |   2 +-
src/network/bridge_driver.c                   |  10 +-
src/util/virfirewall.c                        | 155 +++---
src/util/virfirewall.h                        |   2 +-
src/util/viriptables.c                        |   7 +
tests/networkxml2firewalldata/base.args       |  34 ++
.../nat-default-linux.args                    |  19 +
.../nat-ipv6-linux.args                       |  30 ++
.../nat-ipv6-masquerade-linux.args            |  34 ++
.../nat-many-ips-linux.args                   |  33 ++
.../nat-no-dhcp-linux.args                    |  29 ++
.../nat-tftp-linux.args                       |  21 +
.../route-default-linux.args                  |  14 +
tests/networkxml2firewalltest.c               |   2 -
tests/nwfilterebiptablestest.c                | 466 +++++++++---------
.../ah-ipv6-linux.args                        |   9 +
tests/nwfilterxml2firewalldata/ah-linux.args  |   9 +
.../all-ipv6-linux.args                       |   9 +
tests/nwfilterxml2firewalldata/all-linux.args |   9 +
tests/nwfilterxml2firewalldata/arp-linux.args |   5 +
.../comment-linux.args                        |  19 +
.../conntrack-linux.args                      |   7 +
.../esp-ipv6-linux.args                       |   9 +
tests/nwfilterxml2firewalldata/esp-linux.args |   9 +
.../example-1-linux.args                      |  12 +
.../example-2-linux.args                      |  10 +
.../hex-data-linux.args                       |  10 +
.../icmp-direction-linux.args                 |   6 +
.../icmp-direction2-linux.args                |   6 +
.../icmp-direction3-linux.args                |   6 +
.../nwfilterxml2firewalldata/icmp-linux.args  |   3 +
.../icmpv6-linux.args                         |   4 +
.../nwfilterxml2firewalldata/igmp-linux.args  |   9 +
tests/nwfilterxml2firewalldata/ip-linux.args  |   3 +
.../nwfilterxml2firewalldata/ipset-linux.args |  18 +
.../ipt-no-macspoof-linux.args                |   2 +
.../nwfilterxml2firewalldata/ipv6-linux.args  |  15 +
.../nwfilterxml2firewalldata/iter1-linux.args |   9 +
.../nwfilterxml2firewalldata/iter2-linux.args | 171 +++++++
.../nwfilterxml2firewalldata/iter3-linux.args |  15 +
tests/nwfilterxml2firewalldata/mac-linux.args |   4 +
.../nwfilterxml2firewalldata/rarp-linux.args  |   6 +
.../sctp-ipv6-linux.args                      |   9 +
.../nwfilterxml2firewalldata/sctp-linux.args  |   9 +
tests/nwfilterxml2firewalldata/stp-linux.args |  11 +
.../target-linux.args                         |  33 ++
.../target2-linux.args                        |  12 +
.../tcp-ipv6-linux.args                       |   9 +
tests/nwfilterxml2firewalldata/tcp-linux.args |  13 +
.../udp-ipv6-linux.args                       |   9 +
tests/nwfilterxml2firewalldata/udp-linux.args |   9 +
.../udplite-ipv6-linux.args                   |   9 +
.../udplite-linux.args                        |   9 +
.../nwfilterxml2firewalldata/vlan-linux.args  |   7 +
tests/nwfilterxml2firewalltest.c              | 146 +++---
tests/virfirewalltest.c                       | 236 ++++-----
56 files changed, 1259 insertions(+), 514 deletions(-)
[PATCH 0/8] run iptables directly rather than via firewalld
Posted by Laine Stump 3 years, 4 months ago
The reasoning for this is explained in Patch 8/8

Laine Stump (8):
  util: fix typo in VIR_MOCK_WRAP_RET_ARGS()
  util/tests: enable locking on iptables/ebtables commandlines in unit
    tests
  util/tests: enable locking on iptables/ebtables commandlines by
    default
  tests: fix iptables test case commandline options in virfirewalltest.c
  network: be more verbose about the reason for a firewall reload
  util: always check for ebtables/iptables binaries, even when using
    firewalld
  util: synchronize with firewalld before we start calling iptables
    directly
  util: call iptables directly rather than via firewalld

 src/libvirt_private.syms                      |   2 +-
 src/network/bridge_driver.c                   |  10 +-
 src/util/virfirewall.c                        | 155 +++---
 src/util/virfirewall.h                        |   2 +-
 src/util/viriptables.c                        |   7 +
 tests/networkxml2firewalldata/base.args       |  34 ++
 .../nat-default-linux.args                    |  19 +
 .../nat-ipv6-linux.args                       |  30 ++
 .../nat-ipv6-masquerade-linux.args            |  34 ++
 .../nat-many-ips-linux.args                   |  33 ++
 .../nat-no-dhcp-linux.args                    |  29 ++
 .../nat-tftp-linux.args                       |  21 +
 .../route-default-linux.args                  |  14 +
 tests/networkxml2firewalltest.c               |   2 -
 tests/nwfilterebiptablestest.c                | 466 +++++++++---------
 .../ah-ipv6-linux.args                        |   9 +
 tests/nwfilterxml2firewalldata/ah-linux.args  |   9 +
 .../all-ipv6-linux.args                       |   9 +
 tests/nwfilterxml2firewalldata/all-linux.args |   9 +
 tests/nwfilterxml2firewalldata/arp-linux.args |   5 +
 .../comment-linux.args                        |  19 +
 .../conntrack-linux.args                      |   7 +
 .../esp-ipv6-linux.args                       |   9 +
 tests/nwfilterxml2firewalldata/esp-linux.args |   9 +
 .../example-1-linux.args                      |  12 +
 .../example-2-linux.args                      |  10 +
 .../hex-data-linux.args                       |  10 +
 .../icmp-direction-linux.args                 |   6 +
 .../icmp-direction2-linux.args                |   6 +
 .../icmp-direction3-linux.args                |   6 +
 .../nwfilterxml2firewalldata/icmp-linux.args  |   3 +
 .../icmpv6-linux.args                         |   4 +
 .../nwfilterxml2firewalldata/igmp-linux.args  |   9 +
 tests/nwfilterxml2firewalldata/ip-linux.args  |   3 +
 .../nwfilterxml2firewalldata/ipset-linux.args |  18 +
 .../ipt-no-macspoof-linux.args                |   2 +
 .../nwfilterxml2firewalldata/ipv6-linux.args  |  15 +
 .../nwfilterxml2firewalldata/iter1-linux.args |   9 +
 .../nwfilterxml2firewalldata/iter2-linux.args | 171 +++++++
 .../nwfilterxml2firewalldata/iter3-linux.args |  15 +
 tests/nwfilterxml2firewalldata/mac-linux.args |   4 +
 .../nwfilterxml2firewalldata/rarp-linux.args  |   6 +
 .../sctp-ipv6-linux.args                      |   9 +
 .../nwfilterxml2firewalldata/sctp-linux.args  |   9 +
 tests/nwfilterxml2firewalldata/stp-linux.args |  11 +
 .../target-linux.args                         |  33 ++
 .../target2-linux.args                        |  12 +
 .../tcp-ipv6-linux.args                       |   9 +
 tests/nwfilterxml2firewalldata/tcp-linux.args |  13 +
 .../udp-ipv6-linux.args                       |   9 +
 tests/nwfilterxml2firewalldata/udp-linux.args |   9 +
 .../udplite-ipv6-linux.args                   |   9 +
 .../udplite-linux.args                        |   9 +
 .../nwfilterxml2firewalldata/vlan-linux.args  |   7 +
 tests/nwfilterxml2firewalltest.c              | 146 +++---
 tests/virfirewalltest.c                       | 236 ++++-----
 56 files changed, 1259 insertions(+), 514 deletions(-)

-- 
2.28.0

Re: [PATCH 0/8] run iptables directly rather than via firewalld
Posted by Daniel Henrique Barboza 3 years, 4 months ago

On 11/24/20 12:29 AM, Laine Stump wrote:
> The reasoning for this is explained in Patch 8/8
> 
> Laine Stump (8):
>    util: fix typo in VIR_MOCK_WRAP_RET_ARGS()
>    util/tests: enable locking on iptables/ebtables commandlines in unit
>      tests
>    util/tests: enable locking on iptables/ebtables commandlines by
>      default
>    tests: fix iptables test case commandline options in virfirewalltest.c
>    network: be more verbose about the reason for a firewall reload
>    util: always check for ebtables/iptables binaries, even when using
>      firewalld
>    util: synchronize with firewalld before we start calling iptables
>      directly
>    util: call iptables directly rather than via firewalld


Series LGTM:

Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>


> 
>   src/libvirt_private.syms                      |   2 +-
>   src/network/bridge_driver.c                   |  10 +-
>   src/util/virfirewall.c                        | 155 +++---
>   src/util/virfirewall.h                        |   2 +-
>   src/util/viriptables.c                        |   7 +
>   tests/networkxml2firewalldata/base.args       |  34 ++
>   .../nat-default-linux.args                    |  19 +
>   .../nat-ipv6-linux.args                       |  30 ++
>   .../nat-ipv6-masquerade-linux.args            |  34 ++
>   .../nat-many-ips-linux.args                   |  33 ++
>   .../nat-no-dhcp-linux.args                    |  29 ++
>   .../nat-tftp-linux.args                       |  21 +
>   .../route-default-linux.args                  |  14 +
>   tests/networkxml2firewalltest.c               |   2 -
>   tests/nwfilterebiptablestest.c                | 466 +++++++++---------
>   .../ah-ipv6-linux.args                        |   9 +
>   tests/nwfilterxml2firewalldata/ah-linux.args  |   9 +
>   .../all-ipv6-linux.args                       |   9 +
>   tests/nwfilterxml2firewalldata/all-linux.args |   9 +
>   tests/nwfilterxml2firewalldata/arp-linux.args |   5 +
>   .../comment-linux.args                        |  19 +
>   .../conntrack-linux.args                      |   7 +
>   .../esp-ipv6-linux.args                       |   9 +
>   tests/nwfilterxml2firewalldata/esp-linux.args |   9 +
>   .../example-1-linux.args                      |  12 +
>   .../example-2-linux.args                      |  10 +
>   .../hex-data-linux.args                       |  10 +
>   .../icmp-direction-linux.args                 |   6 +
>   .../icmp-direction2-linux.args                |   6 +
>   .../icmp-direction3-linux.args                |   6 +
>   .../nwfilterxml2firewalldata/icmp-linux.args  |   3 +
>   .../icmpv6-linux.args                         |   4 +
>   .../nwfilterxml2firewalldata/igmp-linux.args  |   9 +
>   tests/nwfilterxml2firewalldata/ip-linux.args  |   3 +
>   .../nwfilterxml2firewalldata/ipset-linux.args |  18 +
>   .../ipt-no-macspoof-linux.args                |   2 +
>   .../nwfilterxml2firewalldata/ipv6-linux.args  |  15 +
>   .../nwfilterxml2firewalldata/iter1-linux.args |   9 +
>   .../nwfilterxml2firewalldata/iter2-linux.args | 171 +++++++
>   .../nwfilterxml2firewalldata/iter3-linux.args |  15 +
>   tests/nwfilterxml2firewalldata/mac-linux.args |   4 +
>   .../nwfilterxml2firewalldata/rarp-linux.args  |   6 +
>   .../sctp-ipv6-linux.args                      |   9 +
>   .../nwfilterxml2firewalldata/sctp-linux.args  |   9 +
>   tests/nwfilterxml2firewalldata/stp-linux.args |  11 +
>   .../target-linux.args                         |  33 ++
>   .../target2-linux.args                        |  12 +
>   .../tcp-ipv6-linux.args                       |   9 +
>   tests/nwfilterxml2firewalldata/tcp-linux.args |  13 +
>   .../udp-ipv6-linux.args                       |   9 +
>   tests/nwfilterxml2firewalldata/udp-linux.args |   9 +
>   .../udplite-ipv6-linux.args                   |   9 +
>   .../udplite-linux.args                        |   9 +
>   .../nwfilterxml2firewalldata/vlan-linux.args  |   7 +
>   tests/nwfilterxml2firewalltest.c              | 146 +++---
>   tests/virfirewalltest.c                       | 236 ++++-----
>   56 files changed, 1259 insertions(+), 514 deletions(-)
>