From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH] network: allow for forward dev to be a transient interface
Date: Fri, 7 Jun 2024 13:33:30 -0400
Message-ID: <20240607173343.117623-1-laine@redhat.com>

A user reported that if they set starting the network would fail if the device 'blah' didn't already exist. This is caused by using "iif" and "oif" in nftables rules to check for the forwarding device - these two commands work by saving the named interface's ifindex (an unsigned integer) when the rule is added, and comparing it to the ifindex associated with the packet's path at runtime. This works great if the interface both 1) exists when the rule is added, and 2) is never deleted and re-created after the rule is added (since it would end up with a different ifindex).
When checking for the network's bridge device, it is okay for us to use "iif" and "oif", because the bridge device is created before the firewall rules are added, and will continue to exist until just after the firewall rules are deleted when the network is shutdown. But since the forward device might be deleted/re-added during the lifetime of the network's firewall rules, we must instead use "oifname" and "iifname" - these are much less efficient than "Xif" because they do a string compare of the interface's name rather than just comparing two integers (ifindex), but they don't require the interface to exist when the rule is added, and they can properly cope with the named interface being deleted and re-added later.

Fixes: a4f38f6ffe6a9edc001d18890ccfc3f38e72fb94
Signed-off-by: Laine Stump
---
 src/network/network_nftables.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c index 59ab231a06..268d1f12ca 100644 --- a/src/network/network_nftables.c +++ b/src/network/network_nftables.c @@ -362,7 +362,7 @@ nftablesAddForwardAllowOut(virFirewall *fw, "iif", iface, NULL); =20 if (physdev && physdev[0]) - virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL); + virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL); =20 virFirewallCmdAddArgList(fw, fwCmd, "counter", "accept", NULL); =20 @@ -398,7 +398,7 @@ nftablesAddForwardAllowRelatedIn(virFirewall *fw, VIR_NFTABLES_FWD_IN_CHAIN, NULL); =20 if (physdev && physdev[0]) - virFirewallCmdAddArgList(fw, fwCmd, "iif", physdev, NULL); + virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL); =20 virFirewallCmdAddArgList(fw, fwCmd, "oif", iface, layerStr, "daddr", networkstr,
@@ -437,7 +437,7 @@ nftablesAddForwardAllowIn(virFirewall *fw, layerStr, "daddr", networkstr, NULL); =20 if (physdev && physdev[0]) - virFirewallCmdAddArgList(fw, fwCmd, "iif", physdev, NULL); + virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL); =20 virFirewallCmdAddArgList(fw, fwCmd, "oif", iface, "counter", "accept", NULL); @@ -566,7 +566,7 @@ nftablesAddForwardMasquerade(virFirewall *fw, layerStr, "daddr", "!=3D", networkstr, NULL); =20 if (physdev && physdev[0]) - virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL); + virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL); =20 if (protocol && protocol[0]) { if (port->start =3D=3D 0 && port->end =3D=3D 0) { @@ -634,7 +634,7 @@ nftablesAddDontMasquerade(virFirewall *fw, VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL); =20 if (physdev && physdev[0]) - virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL); + virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL); =20 virFirewallCmdAddArgList(fw, fwCmd, layerStr, "saddr", networkstr, --=20 2.45.1
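Review bot: the diffstat shows only network_nftables.c changing, yet the `oif` to `oifname` switch in nftablesAddForwardAllowOut (and the matching switches in the other four hunks) alters the nft argument list libvirt emits for every network that has a forward dev; if the test suite keeps expected nft command lines for such networks, those expected-output files need regenerating in the same commit, otherwise the comparison tests will fail against the new `oifname`/`iifname` arguments.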
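Review bot: in nftablesAddForwardAllowRelatedIn the same rule now mixes `iifname physdev` with `oif iface` on the very next call, and nothing in the code explains why one match is name-based and the other ifindex-based; the justification lives only in the commit message. A one-line comment at the `if (physdev && physdev[0])` site, e.g. `/* iifname, not iif: physdev may not exist yet, or may be deleted and recreated */`, would stop a later cleanup from "normalizing" it back to `iif` and silently reintroducing this bug.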
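Review bot: for nftablesAddForwardMasquerade the commit message leads with the startup failure when the device is absent, but the more serious case is the one where the forward device exists at rule-add time and is later deleted and re-created: with `oif physdev` the rule keeps the stale ifindex and simply stops matching, so guest traffic leaving through the forward dev is no longer masqueraded while the network itself still looks healthy. That silent-stop behaviour is the reason `oifname` is needed even for a device that does exist at start, and it is worth stating explicitly in the commit message.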
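Review bot: the five hunks convert every `physdev` match visible in this diff, but they are spread across functions at lines 362, 398, 437, 566 and 634 (nftablesAddDontMasquerade being the last), so please confirm with a grep that no `"iif", physdev` or `"oif", physdev` pair remains elsewhere in network_nftables.c or in any helper that builds rules for the forward device; a single missed site would reproduce exactly the startup failure this patch fixes.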