From nobody Thu Sep 19 02:06:12 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1715968110396217.48580599465265; Fri, 17 May 2024 10:48:30 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 5AAD81810; Fri, 17 May 2024 13:48:29 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 142E41D9F; Fri, 17 May 2024 13:31:15 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 80E801A40; Fri, 17 May 2024 13:30:17 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 3941B19CB for ; Fri, 17 May 2024 13:30:12 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-468-hDduhxUCMOaD2QSGXq1p7w-1; Fri, 17 May 2024 13:30:10 -0400 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 351533C025BA for ; Fri, 17 May 2024 17:30:10 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.16.223]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1EDA340C6EB7 for ; Fri, 17 May 2024 17:30:10 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.5 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1715967011; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=5C4jy9svi0vt2rZu1AIThX3Os19rj/AgMITQxjlZRlI=; b=RD6gSTMjD6kXSlp00SjCcqp0wJUoItStxRZYz6St91Xz8IIw3Vim7bPGyT7ctgZbTPVPCg zLdBFS84oVRYhYiWJt2PvaAeew9Due03Y5YkOlv03QJ9rKjbzRKkcv+k31dtTEhQQtcm+d G7its+UZ995QpXzVxKCfx076zgDMJ2I= X-MC-Unique: hDduhxUCMOaD2QSGXq1p7w-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v5 16/30] network: turn on auto-rollback for the rules added for virtual networks Date: Fri, 17 May 2024 13:29:53 -0400 Message-ID: <20240517173007.8125-17-laine@redhat.com> In-Reply-To: <20240517173007.8125-1-laine@redhat.com> References: <20240517173007.8125-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.2 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Message-ID-Hash: T5RIM7MN6EZDWCSJWJS3ATIBRH4YMANM X-Message-ID-Hash: T5RIM7MN6EZDWCSJWJS3ATIBRH4YMANM X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1715968112254100001 Content-Type: text/plain; charset="utf-8" So far this will only affect what happens if there is some failure while applying the firewall rules; the rollback rules aren't yet persistent beyond that time. More work is needed to remember the rollback rules while the network is active, and use those rules to remove the firewall for the network when it is destroyed. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 --- src/network/network_iptables.c | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index db35a4c5a0..467d43c1e9 100644 --- a/src/network/network_iptables.c +++ b/src/network/network_iptables.c @@ -1599,7 +1599,7 @@ iptablesAddFirewallRules(virNetworkDef *def) virNetworkIPDef *ipdef; g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 - virFirewallStartTransaction(fw, 0); + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK= ); =20 iptablesAddGeneralFirewallRules(fw, def); =20 @@ -1610,17 +1610,8 @@ iptablesAddFirewallRules(virNetworkDef *def) return -1; } =20 - virFirewallStartRollback(fw, 0); - - for (i =3D 0; - (ipdef =3D virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); - i++) { - if (iptablesRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0) - return -1; - } - iptablesRemoveGeneralFirewallRules(fw, def); - - virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); + virFirewallStartTransaction(fw, (VIR_FIREWALL_TRANSACTION_IGNORE_ERROR= S | + VIR_FIREWALL_TRANSACTION_AUTO_ROLLBAC= K)); iptablesAddChecksumFirewallRules(fw, def); =20 return virFirewallApply(fw); --=20 2.45.0