[libvirt] [PATCH] Re-add use of locking with iptables/ip6tables/ebtables

Eric Blake eblake at redhat.com
Tue Nov 18 13:26:54 UTC 2014 

On 11/11/2014 05:42 AM, Daniel P. Berrange wrote:
> A previous commit introduced use of locking with invocation
> of iptables in the viriptables.c module
> 
>   commit ba95426d6f39aec1da6e069dd7222f7a8c6a5862
>   Author: Serge Hallyn <serge.hallyn at ubuntu.com>
>   Date:   Fri Nov 1 12:36:59 2013 -0500
> 
>     util: use -w flag when calling iptables
> 
> This only ever had effect with the virtual network driver,
> as it was not wired up into the nwfilter driver. Unfortunately
> in the firewall refactoring the use of the -w flag was
> accidentally lost.
> 
> This patch introduces it to the virfirewall.c module so that
> both the virtual network and nwfilter drivers will be using
> it. It also ensures that the equivalent --concurrent flag
> to ebtables is used.
> ---
>  src/util/virfirewall.c | 67 +++++++++++++++++++++++++++++++++++++++++++++++---
>  src/util/viriptables.c |  2 --
>  2 files changed, 63 insertions(+), 6 deletions(-)

With this patch applied, and testing on Fedora 20, I see the following
messages at startup of libvirtd:

2014-11-18 13:22:49.979+0000: 31329: info : libvirt version: 1.2.11
2014-11-18 13:22:49.979+0000: 31329: error : virCommandWait:2532 :
internal error: Child process (/usr/sbin/iptables -w -L -n) unexpected
exit status 2: iptables v1.4.19.1: unknown option "-w"
Try `iptables -h' or 'iptables --help' for more information.

2014-11-18 13:22:49.982+0000: 31329: error : virCommandWait:2532 :
internal error: Child process (/usr/sbin/ip6tables -w -L -n) unexpected
exit status 2: ip6tables v1.4.19.1: unknown option "-w"
Try `ip6tables -h' or 'ip6tables --help' for more information.

Do we need a followup patch to avoid logging failures when probing for
whether -w works?


> +
> +static void
> +virFirewallCheckUpdateLock(bool *lockflag,
> +                           const char *const*args)
> +{
> +    virCommandPtr cmd = virCommandNewArgs(args);
> +    if (virCommandRun(cmd, NULL) < 0) {
> +        VIR_INFO("locking not supported by %s", args[0]);

Generally, it would be done by passing a non-NULL parameter to
virCommandRun and checking the status ourselves (since virCommandRun
with a NULL argument logs all non-zero exit).

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 539 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20141118/cda11108/attachment-0001.sig>

More information about the libvir-list mailing list