[libvirt] [PATCH] nwfilter: intantiate filters on loading driver

Nikolay Shirokovskiy nshirokovskiy at virtuozzo.com
Tue Oct 30 07:24:36 UTC 2018 


On 29.10.2018 22:37, John Ferlan wrote:
> 
> 
> On 10/15/18 4:26 AM, Nikolay Shirokovskiy wrote:
>> Before using filters binding filters instantiation was done by hypervisors
>> drivers initialization code (qemu was the only such hypervisor). Now qemu
>> reconnection done supposes it should be done by nwfilter driver probably.
>> Let's add this missing step.
>>
>> Signed-off-by: Nikolay Shirokovskiy <nshirokovskiy at virtuozzo.com>
>> ---
>>  src/nwfilter/nwfilter_driver.c | 3 +++
>>  1 file changed, 3 insertions(+)
>>
> 
> If there's research you've done where the instantiation was done before
> introduction of the nwfilter bindings that would be really helpful...
> 
> I found that virNWFilterBuildAll was introduced in commit 3df907bfff.
> There were 2 callers for it:
> 
>    1. virNWFilterTriggerRebuildImpl
>    2. nwfilterStateReload
> 
> The former called as part of the virNWFilterConfLayerInit callback
> during nwfilterStateInitialize (about 50 lines earlier).

Right but virNWFilterTriggerRebuildImpl is not actually called, it
is set as rebuild callback. This rebuild callback can be called in 
virNWFilterObjTestUnassignDef and virNWFilterObjListAssignDef.
The former is not called during nwfilter driver init. The latter
is called as part of virNWFilterObjListLoadAllConfigs but rebuild
callback is never called on this path because the list is empty
(callback is called only on updates when filter with same name
is already present in the list). So virNWFilterBuildAll is
not called on nwfilter driver init.

> 
> So how does calling this now w/ @false help things during the state
> initialize processing?

Before filters bindings nwfilter driver only loads filters on it's
init function. Then qemu driver for example on reconnection called:

qemuProcessFiltersInstantiate
 virDomainConfNWFilterInstantiate
  nwfilterInstantiateFilter
   virNWFilterInstantiateFilter

and filter rules gets [re]instantiated.

Now virNWFilterInstantiateFilter returns without actual instantiating
because virNWFilterBindingLookupByPortDev finds binding which is loaded
on nwfilter driver initialization.

The consequences is that if somebody cleans rules between libvirtd stop
and start then rules won't get instantiated again.

The fix is to [re]instantiate bindings in nwfilter driver init right
after binding and filters are loaded. With @false argument virNWFilterBuildAll
call virNWFilterInstantiateFilter for each binding - just what we need
to. @true is used by virNWFilterObjListAssignDef/virNWFilterObjTestUnassignDef
to use @newDef of object filter during instantiation etc.

Nikolay 

> 
> John
> 
>> diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c
>> index 1ee5162..1ab906f 100644
>> --- a/src/nwfilter/nwfilter_driver.c
>> +++ b/src/nwfilter/nwfilter_driver.c
>> @@ -264,6 +264,9 @@ nwfilterStateInitialize(bool privileged,
>>      if (virNWFilterBindingObjListLoadAllConfigs(driver->bindings, driver->bindingDir) < 0)
>>          goto error;
>>  
>> +    if (virNWFilterBuildAll(driver, false) < 0)
>> +        goto error;
>> +
>>      nwfilterDriverUnlock();
>>  
>>      return 0;
>>

More information about the libvir-list mailing list