[libvirt] [PATCH] Re-add use of locking with iptables/ip6tables/ebtables

Boris Fiuczynski fiuczy at linux.vnet.ibm.com
Tue Nov 25 14:55:24 UTC 2014


On 11/25/2014 03:20 PM, Boris Fiuczynski wrote:
> On 11/11/2014 01:42 PM, Daniel P. Berrange wrote:
>> A previous commit introduced use of locking with invocation
>> of iptables in the viriptables.c module
>>
>>    commit ba95426d6f39aec1da6e069dd7222f7a8c6a5862
>>    Author: Serge Hallyn <serge.hallyn at ubuntu.com>
>>    Date:   Fri Nov 1 12:36:59 2013 -0500
>>
>>      util: use -w flag when calling iptables
>>
>> This only ever had effect with the virtual network driver,
>> as it was not wired up into the nwfilter driver. Unfortunately
>> in the firewall refactoring the use of the -w flag was
>> accidentally lost.
>>
>> This patch introduces it to the virfirewall.c module so that
>> both the virtual network and nwfilter drivers will be using
>> it. It also ensures that the equivalent --concurrent flag
>> to ebtables is used.
>> ---
>>   src/util/virfirewall.c | 67
>> +++++++++++++++++++++++++++++++++++++++++++++++---
>>   src/util/viriptables.c |  2 --
>>   2 files changed, 63 insertions(+), 6 deletions(-)
>>
>> diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
>> index bab1634..c83fdc6 100644
>> --- a/src/util/virfirewall.c
>> +++ b/src/util/virfirewall.c
>> @@ -104,6 +104,44 @@ virFirewallOnceInit(void)
>>
>>   VIR_ONCE_GLOBAL_INIT(virFirewall)
>>
>> +static bool iptablesUseLock;
>> +static bool ip6tablesUseLock;
>> +static bool ebtablesUseLock;
>> +
>> +static void
>> +virFirewallCheckUpdateLock(bool *lockflag,
>> +                           const char *const*args)
>> +{
>> +    virCommandPtr cmd = virCommandNewArgs(args);
>> +    if (virCommandRun(cmd, NULL) < 0) {
>> +        VIR_INFO("locking not supported by %s", args[0]);
>> +    } else {
>> +        VIR_INFO("using locking for %s", args[0]);
>> +        *lockflag = true;
>> +    }
>> +    virCommandFree(cmd);
>> +}
>> +
>> +static void
>> +virFirewallCheckUpdateLocking(void)
>> +{
>> +    const char *iptablesArgs[] = {
>> +        IPTABLES_PATH, "-w", "-L", "-n", NULL,
>> +    };
>> +    const char *ip6tablesArgs[] = {
>> +        IP6TABLES_PATH, "-w", "-L", "-n", NULL,
>> +    };
>> +    const char *ebtablesArgs[] = {
>> +        EBTABLES_PATH, "--concurrent", "-L", NULL,
>> +    };
>> +    virFirewallCheckUpdateLock(&iptablesUseLock,
>> +                               iptablesArgs);
>> +    virFirewallCheckUpdateLock(&ip6tablesUseLock,
>> +                               ip6tablesArgs);
>> +    virFirewallCheckUpdateLock(&ebtablesUseLock,
>> +                               ebtablesArgs);
>> +}
>> +
>>   static int
>>   virFirewallValidateBackend(virFirewallBackend backend)
>>   {
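Review bot: The probe in virFirewallCheckUpdateLock calls `virCommandRun(cmd, NULL)`, and with a NULL exit-status pointer virCommandRun, as far as I recall its contract, treats a non-zero exit as an error and reports it, so on every host whose iptables/ebtables lacks the flag the expected negative probe leaves a libvirt error behind where the code only intends a VIR_INFO. Passing a status variable and treating both a failed run and a non-zero status as "no lock" keeps the probe quiet: `int status; if (virCommandRun(cmd, &status) < 0 || status != 0) { VIR_INFO("locking not supported by %s", args[0]); } else { ... }`. Separately, the three *UseLock flags are only ever set to true, and virFirewallCheckUpdateLocking is reachable on every successful virFirewallValidateBackend, so a later probe that fails cannot clear a flag set by an earlier one; assigning `*lockflag = false;` before the probe makes the flag reflect the current result. Since silently falling back to unlocked invocations reintroduces the concurrent-invocation problem this patch exists to fix, the negative outcome arguably deserves VIR_WARN rather than VIR_INFO so it is visible in default logs.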
>> @@ -161,6 +199,9 @@ virFirewallValidateBackend(virFirewallBackend
>> backend)
>>       }
>>
>>       currentBackend = backend;
>> +
>> +    virFirewallCheckUpdateLocking();
>> +
>>       return 0;
>>   }
>>
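Review bot: The added `virFirewallCheckUpdateLocking();` runs unconditionally after `currentBackend = backend;` and has no way to signal that a probe could not execute at all, so a failure unrelated to flag support (binary absent or not executable, a transient exec failure) silently selects unlocked invocations for the lifetime of the process. It would be safer to only treat "ran and rejected the flag" as a negative answer, or to skip the probe for a backend that does not exec these binaries directly, if virFirewallValidateBackend already distinguishes those cases earlier in the function (that part is outside the hunk). At minimum a comment such as `/* Probe lock support now; the result is read by virFirewallAddRuleFullV for every rule */` would record why the probe is tied to backend validation rather than done lazily.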
>> @@ -201,6 +242,9 @@ virFirewallPtr virFirewallNew(void)
>>   {
>>       virFirewallPtr firewall;
>>
>> +    if (virFirewallInitialize() < 0)
>> +        return NULL;
>> +
>>       if (VIR_ALLOC(firewall) < 0)
>>           return NULL;
>>
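Review bot: The new `virFirewallInitialize()` call at the top of virFirewallNew carries no comment explaining why constructing a firewall object needs it; the reason visible from the patch is that the lock flags consulted in virFirewallAddRuleFullV must be populated before the first rule is built. I would add `/* Run the once-only lock-support probe before any rule is built (see virFirewallAddRuleFullV) */` above the call. The early `return NULL;` also makes a failed initialization indistinguishable to callers from the allocation failure just below, which is only acceptable if virFirewallInitialize reports its own error; that cannot be confirmed from this hunk.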
>> @@ -321,6 +365,23 @@ virFirewallAddRuleFullV(virFirewallPtr firewall,
>>       rule->queryOpaque = opaque;
>>       rule->ignoreErrors = ignoreErrors;
>>
>> +    switch (rule->layer) {
>> +    case VIR_FIREWALL_LAYER_ETHERNET:
>> +        if (ebtablesUseLock)
>> +            ADD_ARG(rule, "--concurrent");
>> +        break;
>> +    case VIR_FIREWALL_LAYER_IPV4:
>> +        if (iptablesUseLock)
>> +            ADD_ARG(rule, "-w");
>> +        break;
>> +    case VIR_FIREWALL_LAYER_IPV6:
>> +        if (ip6tablesUseLock)
>> +            ADD_ARG(rule, "-w");
>> +        break;
>> +    case VIR_FIREWALL_LAYER_LAST:
>> +        break;
>> +    }
>> +
> By adding these parameters dynamically based on the support-checking
> logic added above, will the network filter tests still work without any
> code change?
>
OK, just saw that a fix was posted today.


-- 
Mit freundlichen Grüßen/Kind regards
    Boris Fiuczynski

IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Martina Köderitz
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294



