[libvirt] [PATCH] iptablesSetupPrivateChains: Be forgiving if a table does not exist

Daniel P. Berrangé berrange at redhat.com
Mon Mar 11 11:59:01 UTC 2019


On Mon, Mar 11, 2019 at 12:55:33PM +0100, Michal Privoznik wrote:
> On 3/11/19 11:43 AM, Daniel P. Berrangé wrote:
> 
> > 
> > What I mean is that this transaction is checking the filter, nat and
> > mangle tables of both ipv4 and ipv6. You have a missing mangle table
> > for ipv6, but this "ignore errors" policy means we'll even ignore
> > the missing "filter" table for ipv4 for example which is something we
> > have previously considered mandatory.
> > 
> > We will still get a failure later when the network is started though
> > I guess.
> 
> I know, and to me that's acceptable. It will not be any worse with this
> patch. Only better. Because right now we fail even for IPv6 even though you
> might not use it.

Yes, my main real concern is how well this works from POV of debugging
failures users report. With the current behaviour we'll see an error
that the main iptables mangle chain doesn't exist, which is accurate.
With the new behaviour we'll see an error that the libvirt chain
doesn't exist. It isn't as obvious then that the problem is actually
the kernel missing its built-in chain, rather than a bug in libvirt.

Perhaps we could just issue a VIR_WARN in startup if we see one of
the built-in chains missing. That would encourage people to enable
all the kernel features, without forcing it & help with diagnosis.

> But fair enough. I'll post a patch documenting that IPv6 tables are
> required.



Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
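The startup check suggested above (warn when a built-in table is missing rather than only failing later on the libvirt chain), written out as an added example; this is not libvirt code and assumes `iptables`/`ip6tables` on PATH. The `check_tables` function takes the tool name as a parameter so a stand-in can be substituted offline.

```shell
#!/bin/sh
# Added example, not libvirt code: probe the built-in tables that
# libvirt's private chains hang off (filter, nat, mangle for both IPv4
# and IPv6) and report every missing one, so the startup log names the
# real cause (kernel table absent) instead of a later "chain not found".

# check_tables CMD: try "CMD -w -t TABLE -L" for each built-in table
# and print the space-separated names of the tables that cannot be
# listed. CMD is iptables or ip6tables (or a stand-in when testing).
check_tables() {
    cmd="$1"
    missing=""
    for table in filter nat mangle; do
        # Listing fails when the kernel has no support for the table
        # (module not loaded / compiled out) or the tool is absent.
        if ! "$cmd" -w -t "$table" -L >/dev/null 2>&1; then
            missing="${missing:+$missing }$table"
        fi
    done
    printf '%s\n' "$missing"
}

# warn_missing: one warning per protocol family naming the absent
# tables; never fails, mirroring the "warn, don't refuse" suggestion.
warn_missing() {
    for cmd in iptables ip6tables; do
        m=$(check_tables "$cmd")
        if [ -n "$m" ]; then
            echo "warning: $cmd: built-in table(s) missing: $m" >&2
        fi
    done
    return 0
}

warn_missing
```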