From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH v2 16/27] network: turn on auto-rollback for the rules added for virtual networks
Date: Sun, 21 Apr 2024 22:53:24 -0400
Message-ID: <20240422025335.923272-17-laine@redhat.com>
In-Reply-To: <20240422025335.923272-1-laine@redhat.com>
References: <20240422025335.923272-1-laine@redhat.com>

So far this will only affect what happens if there is some failure while applying the firewall rules; the rollback rules aren't yet persistent beyond that time. More work is needed to remember the rollback rules while the network is active, and use those rules to remove the firewall for the network when it is destroyed.

Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé

--- src/network/network_iptables.c | 15 +++------------ tests/networkxml2firewalltest.c | 9 ++++++++- 2 files changed, 11 insertions(+), 13 deletions(-) diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index db35a4c5a0..467d43c1e9 100644 --- a/src/network/network_iptables.c
+++ b/src/network/network_iptables.c @@ -1599,7 +1599,7 @@ iptablesAddFirewallRules(virNetworkDef *def) virNetworkIPDef *ipdef; g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 - virFirewallStartTransaction(fw, 0); + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK= ); =20 iptablesAddGeneralFirewallRules(fw, def); =20 @@ -1610,17 +1610,8 @@ iptablesAddFirewallRules(virNetworkDef *def) return -1; } =20 - virFirewallStartRollback(fw, 0); - - for (i =3D 0; - (ipdef =3D virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); - i++) { - if (iptablesRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0) - return -1; - } - iptablesRemoveGeneralFirewallRules(fw, def); - - virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); + virFirewallStartTransaction(fw, (VIR_FIREWALL_TRANSACTION_IGNORE_ERROR= S | + VIR_FIREWALL_TRANSACTION_AUTO_ROLLBAC= K)); iptablesAddChecksumFirewallRules(fw, def); =20 return virFirewallApply(fw); diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltes= t.c index 3a9f409e2a..e61787daec 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -79,7 +79,14 @@ testCommandDryRun(const char *const*args G_GNUC_UNUSED, void *opaque G_GNUC_UNUSED) { *status =3D 0; - *output =3D g_strdup(""); + /* if arg[1] is -ae then this is an nft command, + * and the caller requested to get the handle + * of the newly added object in stdout + */ + if (STREQ_NULLABLE(args[1], "-ae")) + *output =3D g_strdup("# handle 5309"); + else + *output =3D g_strdup(""); *error =3D g_strdup(""); } =20 --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org
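Review bot: In the second hunk of src/network/network_iptables.c (@@ -1610), the last virFirewallStartTransaction() call combines VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS with VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK and nothing explains why both are wanted. The commit message says rollback currently only matters when applying the rules fails, and this transaction is the one whose errors are ignored, so a one-line comment above the call stating what the auto-rollback flag is expected to do for the checksum rules would save the next reader from guessing. The hand-written rollback removed in the same hunk was the only visible caller here of iptablesRemoveIPSpecificFirewallRules() and iptablesRemoveGeneralFirewallRules(); please confirm in the commit message that they are still needed elsewhere.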
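Review bot: In the tests/networkxml2firewalltest.c hunk (@@ -79), testCommandDryRun() now reads args[1], but the parameter is still declared as "const char *const*args G_GNUC_UNUSED" in the context line above; the attribute should be dropped now that the argument is used. The new comment also says "arg[1]" where the code uses args[1]. The commit message does not mention this test change or why an nft "-ae" handle is needed in a patch about iptables auto-rollback, so a sentence explaining it (or moving the change to the patch that introduces the nft caller) would make the series easier to follow.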