[libvirt] [PATCH 2/2] network: split setup of ipv4 and ipv6 top level chains

Michal Privoznik mprivozn at redhat.com
Tue Mar 19 07:56:26 UTC 2019


On 3/18/19 6:47 PM, Daniel P. Berrangé wrote:
> During startup libvirtd creates top level chains for both ipv4
> and ipv6 protocols. If this fails for any reason then startup
> of virtual networks is blocked.
> 
> The default virtual network, however, only requires use of ipv4
> and some servers have ipv6 disabled so it is expected that ipv6
> chain creation will fail. There could equally be servers with
> no ipv4, only ipv6.
> 
> This patch thus makes error reporting a little more fine grained
> so that it works more sensibly when either ipv4 or ipv6 is
> disabled on the server. Only the protocols that are actually
> used by the virtual network have errors reported.
> 
> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> ---
>   src/network/bridge_driver_linux.c | 36 +++++++++++++++++++++++++------
>   src/util/viriptables.c            | 14 ++++--------
>   src/util/viriptables.h            |  2 +-
>   3 files changed, 34 insertions(+), 18 deletions(-)
> 
> diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
> index 04b9c079ff..4e2320ea0a 100644
> --- a/src/network/bridge_driver_linux.c
> +++ b/src/network/bridge_driver_linux.c
> @@ -35,10 +35,12 @@ VIR_LOG_INIT("network.bridge_driver_linux");
>   
>   #define PROC_NET_ROUTE "/proc/net/route"
>   
> -static virErrorPtr errInit;
> +static virErrorPtr errInitV4;
> +static virErrorPtr errInitV6;
>   
> -void networkPreReloadFirewallRules(bool startup)
> +int networkPreReloadFirewallRules(bool startup)

I guess you didn't mean to do this change.

>   {
> +    bool created = false;
>       int ret;
>   
>       /* We create global rules upfront as we don't want
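Review bot: the return type change at `-void networkPreReloadFirewallRules(bool startup)` / `+int networkPreReloadFirewallRules(bool startup)` has no matching prototype change: the diffstat touches only bridge_driver_linux.c, viriptables.c and viriptables.h, so the declaration callers compile against still says void and the compiler will report conflicting types for the function. Either keep void, which the commit message gives no reason to change, or include the header and caller updates in this patch.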
> @@ -49,11 +51,21 @@ void networkPreReloadFirewallRules(bool startup)
>        * of starting the network though as that makes them
>        * more likely to be seen by a human
>        */
> -    ret = iptablesSetupPrivateChains();
> +    ret = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV4);
>       if (ret < 0) {
> -        errInit = virSaveLastError();
> +        errInitV4 = virSaveLastError();
>           virResetLastError();
>       }
> +    if (ret)

Again, small nitpick, if (ret > 0).

> +        created = true;
> +
> +    ret = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6);
> +    if (ret < 0) {
> +        errInitV6 = virSaveLastError();
> +        virResetLastError();
> +    }
> +    if (ret)
> +        created = true;
>   
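Review bot: `if (ret)` / `created = true;` fires on the error path too, since ret is negative when iptablesSetupPrivateChains() fails and the preceding `if (ret < 0)` block does not skip it, so a failed chain setup for either layer is still recorded as created. Make it `if (ret > 0)` in both the IPv4 and IPv6 blocks, or fold it into the error check as `else if (ret)`. The IPv6 block is otherwise a copy of the IPv4 one with errInitV6 swapped in; a small loop over the two layers with a two-element error array would remove the duplication, but the sign check is the part that changes behaviour.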

This fixes my use case, so ACK

Michal



