From nobody Tue Feb 10 12:57:32 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 63.128.21.124 as permitted sender) client-ip=63.128.21.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 63.128.21.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1606188657; cv=none; d=zohomail.com; s=zohoarc; b=UzEUnlQ11rAepov2sdc9wJ+MYavlX8knG0xC3bUKpECepD1rvWMeGRCLbMfSyBReBCy1Bzc9m+JiojlKrFZ2ksgLXUScaMqRUHQp+NC+DV7IMTrE3wtQWImHRiKN1ThllQ+1uv6su3GI/ZxcmAs53p+b3yIscnkGcLEOjGs2upY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1606188657; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=wxwo8MbuoJ24+ncc9QjiMGN+idHGwGidNSqXPEHnW8w=; b=TlYm6ZaRnquxxqh2M1wBzvO8tazpPYhTK/ygVAm5vv3VpRoZsNZrCypuoLjtFMwisVIcs8SMeMzBZutYaHP1Y7fUHZaGli35RD3+lBcJh2eyKDelrFYTtMC9du48nLLS1ZsqnRxAXhnpwBgMnAVMmq/ds9OGsr7dxvS8i3Ug5+M= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 63.128.21.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) header.from= Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [63.128.21.124]) by mx.zohomail.com with SMTPS id 1606188657298774.0518157498758; Mon, 23 Nov 2020 19:30:57 -0800 (PST) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-484-ISHRVN7DO-y6YcVyuDcVlQ-1; Mon, 23 Nov 2020 22:30:53 -0500 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 9639780364D; Tue, 24 Nov 2020 03:30:47 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 764A360C43; Tue, 24 Nov 2020 03:30:47 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 3FFB11809CA8; Tue, 24 Nov 2020 03:30:47 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 0AO3UD7x007381 for ; Mon, 23 Nov 2020 22:30:13 -0500 Received: by smtp.corp.redhat.com (Postfix) id 7891C5D705; Tue, 24 Nov 2020 03:30:13 +0000 (UTC) Received: from vhost2.laine.org (ovpn-112-35.phx2.redhat.com [10.3.112.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id 409165D6A1 for ; Tue, 24 Nov 2020 03:30:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1606188656; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=wxwo8MbuoJ24+ncc9QjiMGN+idHGwGidNSqXPEHnW8w=; b=D83EZnTNeO+ztHEwJYtL7D4OHbgvO0QyzpFGAGwNWO8CzP+VqD7g6asVvGCpzR3c7ZWD9/ wPwMQSV3cvc16642H/qRAL+vvJnpggdbwYfirzltrE9fwxED6mpOcLfr3aimt0cE/RmsTU vYHXzwFXWo35apTfZGuPbSMjtzAjAIU= X-MC-Unique: ISHRVN7DO-y6YcVyuDcVlQ-1 From: Laine Stump To: libvir-list@redhat.com Subject: [PATCH 3/8] util/tests: enable locking on iptables/ebtables commandlines by default Date: Mon, 23 Nov 2020 22:29:59 -0500 Message-Id: <20201124033004.1163126-4-laine@redhat.com> In-Reply-To: <20201124033004.1163126-1-laine@redhat.com> References: <20201124033004.1163126-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-loop: libvir-list@redhat.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) Content-Type: text/plain; charset="utf-8" iptables and ip6tables have had a "-w" commandline option to grab a systemwide lock that prevents two iptables invocations from modifying the iptables chains since 2013 (upstream commit 93587a04 in iptables-1.4.20). Similarly, ebtables has had a "--concurrent" commandline option for the same purpose since 2011 (in the upstream ebtables commit f9b4bcb93, which was present in ebtables-2.0.10.4). Libvirt added code to conditionally use the commandline option for iptables/ip6tables in upstream commit ba95426d6f (libvirt-1.2.0, November 2013), and for ebtables in upstream commit dc33e6e4a5 (libvirt-1.2.11, November 2014) (the latter actually *re*-added the locking for iptables/ip6tables, as it had accidentally been removed during a refactor of firewall code in the interim). I say "conditionally" because a check was made during firewall module initialization that tried executing a test command with the -w/--concurrent option, and only continued using it for actual commands if that test command completed successfully. At the time the code was added this was a reasonable thing to do, as it had been less than a year since introduction of -w to iptables, so many distros supported by libvirt were still using iptables (and possibly even ebtables) versions too old to have the new commandline options. It is now 2020, and as far as I can discern from repology.org (and manually examining a RHEL7.9 system), every version of every distro that is supported by libvirt now uses new enough versions of both iptables and ebtables that they all have support for -w/--concurrent. That means we can finally remove the conditional code and simply always use them. Signed-off-by: Laine Stump --- src/libvirt_private.syms | 1 - src/util/virfirewall.c | 64 ++------------------------------ src/util/virfirewall.h | 2 - tests/networkxml2firewalltest.c | 2 - tests/nwfilterebiptablestest.c | 2 - tests/nwfilterxml2firewalltest.c | 2 - tests/virfirewalltest.c | 2 - 7 files changed, 3 insertions(+), 72 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 79a23f34cb..5684cd3316 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2157,7 +2157,6 @@ virFirewallRuleAddArgList; virFirewallRuleAddArgSet; virFirewallRuleGetArgCount; virFirewallSetBackend; -virFirewallSetLockOverride; virFirewallStartRollback; virFirewallStartTransaction; =20 diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 5f30c34483..694bb32f62 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -96,59 +96,6 @@ virFirewallOnceInit(void) =20 VIR_ONCE_GLOBAL_INIT(virFirewall); =20 -static bool iptablesUseLock; -static bool ip6tablesUseLock; -static bool ebtablesUseLock; -static bool lockOverride; /* true to avoid lock probes */ - -void -virFirewallSetLockOverride(bool avoid) -{ - lockOverride =3D avoid; - if (avoid) { - /* add the lock option to all commands */ - iptablesUseLock =3D true; - ip6tablesUseLock =3D true; - ebtablesUseLock =3D true; - } -} - -static void -virFirewallCheckUpdateLock(bool *lockflag, - const char *const*args) -{ - int status; /* Ignore failed commands without logging them */ - g_autoptr(virCommand) cmd =3D virCommandNewArgs(args); - if (virCommandRun(cmd, &status) < 0 || status) { - VIR_INFO("locking not supported by %s", args[0]); - } else { - VIR_INFO("using locking for %s", args[0]); - *lockflag =3D true; - } -} - -static void -virFirewallCheckUpdateLocking(void) -{ - const char *iptablesArgs[] =3D { - IPTABLES_PATH, "-w", "-L", "-n", NULL, - }; - const char *ip6tablesArgs[] =3D { - IP6TABLES_PATH, "-w", "-L", "-n", NULL, - }; - const char *ebtablesArgs[] =3D { - EBTABLES_PATH, "--concurrent", "-L", NULL, - }; - if (lockOverride) - return; - virFirewallCheckUpdateLock(&iptablesUseLock, - iptablesArgs); - virFirewallCheckUpdateLock(&ip6tablesUseLock, - ip6tablesArgs); - virFirewallCheckUpdateLock(&ebtablesUseLock, - ebtablesArgs); -} - static int virFirewallValidateBackend(virFirewallBackend backend) { @@ -196,8 +143,6 @@ virFirewallValidateBackend(virFirewallBackend backend) =20 currentBackend =3D backend; =20 - virFirewallCheckUpdateLocking(); - return 0; } =20 @@ -359,16 +304,13 @@ virFirewallAddRuleFullV(virFirewallPtr firewall, =20 switch (rule->layer) { case VIR_FIREWALL_LAYER_ETHERNET: - if (ebtablesUseLock) - ADD_ARG(rule, "--concurrent"); + ADD_ARG(rule, "--concurrent"); break; case VIR_FIREWALL_LAYER_IPV4: - if (iptablesUseLock) - ADD_ARG(rule, "-w"); + ADD_ARG(rule, "-w"); break; case VIR_FIREWALL_LAYER_IPV6: - if (ip6tablesUseLock) - ADD_ARG(rule, "-w"); + ADD_ARG(rule, "-w"); break; case VIR_FIREWALL_LAYER_LAST: break; diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index 6148f46827..fda3cdec01 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -111,6 +111,4 @@ void virFirewallStartRollback(virFirewallPtr firewall, =20 int virFirewallApply(virFirewallPtr firewall); =20 -void virFirewallSetLockOverride(bool avoid); - G_DEFINE_AUTOPTR_CLEANUP_FUNC(virFirewall, virFirewallFree); diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltes= t.c index 3496445f0d..d358f12897 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -179,8 +179,6 @@ mymain(void) ret =3D -1; \ } while (0) =20 - virFirewallSetLockOverride(true); - if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) { if (!hasNetfilterTools()) { fprintf(stderr, "iptables/ip6tables/ebtables tools not present= "); diff --git a/tests/nwfilterebiptablestest.c b/tests/nwfilterebiptablestest.c index 5562682e9a..f47b4f1dfd 100644 --- a/tests/nwfilterebiptablestest.c +++ b/tests/nwfilterebiptablestest.c @@ -503,8 +503,6 @@ mymain(void) { int ret =3D 0; =20 - virFirewallSetLockOverride(true); - if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) { if (!hasNetfilterTools()) { fprintf(stderr, "iptables/ip6tables/ebtables tools not present= "); diff --git a/tests/nwfilterxml2firewalltest.c b/tests/nwfilterxml2firewallt= est.c index 7427108e39..0901250aaf 100644 --- a/tests/nwfilterxml2firewalltest.c +++ b/tests/nwfilterxml2firewalltest.c @@ -457,8 +457,6 @@ mymain(void) ret =3D -1; \ } while (0) =20 - virFirewallSetLockOverride(true); - if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) { if (!hasNetfilterTools()) { fprintf(stderr, "iptables/ip6tables/ebtables tools not present= "); diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c index bf1d325017..fac7e20c06 100644 --- a/tests/virfirewalltest.c +++ b/tests/virfirewalltest.c @@ -1076,8 +1076,6 @@ mymain(void) RUN_TEST_DIRECT(name, method); \ RUN_TEST_FIREWALLD(name, method) =20 - virFirewallSetLockOverride(true); - RUN_TEST("single group", testFirewallSingleGroup); RUN_TEST("remove rule", testFirewallRemoveRule); RUN_TEST("many groups", testFirewallManyGroups); --=20 2.28.0