[libvirt] [PATCH] Re-add use of locking with iptables/ip6tables/ebtables
Serge Hallyn
serge.hallyn at ubuntu.com
Tue Nov 11 21:10:06 UTC 2014
Quoting Daniel P. Berrange (berrange at redhat.com):
> A previous commit introduced use of locking with invocation
> of iptables in the viriptables.c module
>
> commit ba95426d6f39aec1da6e069dd7222f7a8c6a5862
> Author: Serge Hallyn <serge.hallyn at ubuntu.com>
> Date: Fri Nov 1 12:36:59 2013 -0500
>
> util: use -w flag when calling iptables
>
> This only ever had effect with the virtual network driver,
> as it was not wired up into the nwfilter driver. Unfortunately
> in the firewall refactoring the use of the -w flag was
> accidentally lost.
>
> This patch introduces it to the virfirewall.c module so that
> both the virtual network and nwfilter drivers will be using
> it. It also ensures that the equivalent --concurrent flag
> to ebtables is used.
> ---
Thanks, that looks very nice.
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> src/util/virfirewall.c | 67 +++++++++++++++++++++++++++++++++++++++++++++++---
> src/util/viriptables.c | 2 --
> 2 files changed, 63 insertions(+), 6 deletions(-)
>
> diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
> index bab1634..c83fdc6 100644
> --- a/src/util/virfirewall.c
> +++ b/src/util/virfirewall.c
> @@ -104,6 +104,44 @@ virFirewallOnceInit(void)
>
> VIR_ONCE_GLOBAL_INIT(virFirewall)
>
> +static bool iptablesUseLock;
> +static bool ip6tablesUseLock;
> +static bool ebtablesUseLock;
> +
> +static void
> +virFirewallCheckUpdateLock(bool *lockflag,
> + const char *const*args)
> +{
> + virCommandPtr cmd = virCommandNewArgs(args);
> + if (virCommandRun(cmd, NULL) < 0) {
> + VIR_INFO("locking not supported by %s", args[0]);
> + } else {
> + VIR_INFO("using locking for %s", args[0]);
> + *lockflag = true;
> + }
> + virCommandFree(cmd);
> +}
> +
> +static void
> +virFirewallCheckUpdateLocking(void)
> +{
> + const char *iptablesArgs[] = {
> + IPTABLES_PATH, "-w", "-L", "-n", NULL,
> + };
> + const char *ip6tablesArgs[] = {
> + IP6TABLES_PATH, "-w", "-L", "-n", NULL,
> + };
> + const char *ebtablesArgs[] = {
> + EBTABLES_PATH, "--concurrent", "-L", NULL,
> + };
> + virFirewallCheckUpdateLock(&iptablesUseLock,
> + iptablesArgs);
> + virFirewallCheckUpdateLock(&ip6tablesUseLock,
> + ip6tablesArgs);
> + virFirewallCheckUpdateLock(&ebtablesUseLock,
> + ebtablesArgs);
> +}
> +
> static int
> virFirewallValidateBackend(virFirewallBackend backend)
> {
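Review bot: virFirewallCheckUpdateLock runs the probe with `virCommandRun(cmd, NULL)`, and a binary that rejects `-w` or `--concurrent` exits non-zero; if virCommandRun reports a non-zero exit as a libvirt error whenever no exitstatus pointer is supplied (as the virCommand API documents), the probe leaves a stale error object set during initialization on top of the INFO line. Collecting the status explicitly avoids that: `int status; if (virCommandRun(cmd, &status) < 0 || status != 0)`. The same branch also swallows a NULL `cmd` from virCommandNewArgs (OOM), so an allocation failure is logged as "locking not supported" and the backend quietly continues without the xtables lock. Because this single probe decides whether concurrent rule updates serialize or fail against the lock, logging the exit status alongside the message would make the two outcomes distinguishable for an operator reading the log.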
> @@ -161,6 +199,9 @@ virFirewallValidateBackend(virFirewallBackend backend)
> }
>
> currentBackend = backend;
> +
> + virFirewallCheckUpdateLocking();
> +
> return 0;
> }
>
> @@ -201,6 +242,9 @@ virFirewallPtr virFirewallNew(void)
> {
> virFirewallPtr firewall;
>
> + if (virFirewallInitialize() < 0)
> + return NULL;
> +
> if (VIR_ALLOC(firewall) < 0)
> return NULL;
>
> @@ -321,6 +365,23 @@ virFirewallAddRuleFullV(virFirewallPtr firewall,
> rule->queryOpaque = opaque;
> rule->ignoreErrors = ignoreErrors;
>
> + switch (rule->layer) {
> + case VIR_FIREWALL_LAYER_ETHERNET:
> + if (ebtablesUseLock)
> + ADD_ARG(rule, "--concurrent");
> + break;
> + case VIR_FIREWALL_LAYER_IPV4:
> + if (iptablesUseLock)
> + ADD_ARG(rule, "-w");
> + break;
> + case VIR_FIREWALL_LAYER_IPV6:
> + if (ip6tablesUseLock)
> + ADD_ARG(rule, "-w");
> + break;
> + case VIR_FIREWALL_LAYER_LAST:
> + break;
> + }
> +
> while ((str = va_arg(args, char *)) != NULL) {
> ADD_ARG(rule, str);
> }
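Review bot: The new switch in virFirewallAddRuleFullV has no `default:`, presumably so that -Wswitch flags any new virFirewallLayer value, but neither that intent nor the fact that the three UseLock flags are only ever set by the probe run during initialization is stated near the code. A one-line comment before the switch would cover both, e.g. `/* Prepend the lock flag probed at init time; no default so a new layer trips -Wswitch */`. The IPv4 and IPv6 arms add the same `-w`, which is correct because the two binaries are probed independently, and a reader benefits from that being said rather than inferred. virFirewallAddRuleFullV starts and ends outside this hunk.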
> @@ -840,8 +901,8 @@ virFirewallApplyGroup(virFirewallPtr firewall,
> bool ignoreErrors = (group->actionFlags & VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
> size_t i;
>
> - VIR_INFO("Starting transaction for %p flags=%x",
> - group, group->actionFlags);
> + VIR_INFO("Starting transaction for firewall=%p group=%p flags=%x",
> + firewall, group, group->actionFlags);
> firewall->currentGroup = idx;
> group->addingRollback = false;
> for (i = 0; i < group->naction; i++) {
> @@ -879,8 +940,6 @@ virFirewallApply(virFirewallPtr firewall)
> int ret = -1;
>
> virMutexLock(&ruleLock);
> - if (virFirewallInitialize() < 0)
> - goto cleanup;
>
> if (!firewall || firewall->err == ENOMEM) {
> virReportOOMError();
> diff --git a/src/util/viriptables.c b/src/util/viriptables.c
> index 4f3ac9c..46b4017 100644
> --- a/src/util/viriptables.c
> +++ b/src/util/viriptables.c
> @@ -52,8 +52,6 @@
>
> VIR_LOG_INIT("util.iptables");
>
> -bool iptables_supports_xlock = false;
> -
> #define VIR_FROM_THIS VIR_FROM_NONE
>
> enum {
> --
> 2.1.0
>