[libvirt] [PATCH 2/2] network: split setup of ipv4 and ipv6 top level chains
Michal Privoznik
mprivozn at redhat.com
Tue Mar 19 07:56:26 UTC 2019
On 3/18/19 6:47 PM, Daniel P. Berrangé wrote:
> During startup libvirtd creates top level chains for both ipv4
> and ipv6 protocols. If this fails for any reason then startup
> of virtual networks is blocked.
>
> The default virtual network, however, only requires use of ipv4
> and some servers have ipv6 disabled so it is expected that ipv6
> chain creation will fail. There could equally be servers with
> no ipv4, only ipv6.
>
> This patch thus makes error reporting a little more fine grained
> so that it works more sensibly when either ipv4 or ipv6 is
> disabled on the server. Only the protocols that are actually
> used by the virtual network have errors reported.
>
> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> ---
> src/network/bridge_driver_linux.c | 36 +++++++++++++++++++++++++------
> src/util/viriptables.c | 14 ++++--------
> src/util/viriptables.h | 2 +-
> 3 files changed, 34 insertions(+), 18 deletions(-)
>
> diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
> index 04b9c079ff..4e2320ea0a 100644
> --- a/src/network/bridge_driver_linux.c
> +++ b/src/network/bridge_driver_linux.c
> @@ -35,10 +35,12 @@ VIR_LOG_INIT("network.bridge_driver_linux");
>
> #define PROC_NET_ROUTE "/proc/net/route"
>
> -static virErrorPtr errInit;
> +static virErrorPtr errInitV4;
> +static virErrorPtr errInitV6;
>
> -void networkPreReloadFirewallRules(bool startup)
> +int networkPreReloadFirewallRules(bool startup)
I guess you didn't mean to do this change.
> {
> + bool created = false;
> int ret;
>
> /* We create global rules upfront as we don't want
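Review bot: the signature change at `-void networkPreReloadFirewallRules(bool startup)` / `+int networkPreReloadFirewallRules(bool startup)` has no matching update to the header that declares this function or to its callers, and the diffstat above lists only bridge_driver_linux.c, viriptables.c and viriptables.h; the commit message also describes no new return value, so either keep the function `void` or update the prototype and callers in the same patch so definition and declaration agree.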
> @@ -49,11 +51,21 @@ void networkPreReloadFirewallRules(bool startup)
> * of starting the network though as that makes them
> * more likely to be seen by a human
> */
> - ret = iptablesSetupPrivateChains();
> + ret = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV4);
> if (ret < 0) {
> - errInit = virSaveLastError();
> + errInitV4 = virSaveLastError();
> virResetLastError();
> }
> + if (ret)
Again, small nitpick, if (ret > 0).
> + created = true;
> +
> + ret = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6);
> + if (ret < 0) {
> + errInitV6 = virSaveLastError();
> + virResetLastError();
> + }
> + if (ret)
> + created = true;
>
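Review bot: both `+ if (ret)` checks (after the IPv4 and the IPv6 `if (ret < 0)` blocks) are also true when ret is negative, so `created` is set to true even when chain creation failed and its error was only stashed in errInitV4 or errInitV6; use `if (ret > 0)`, or set `created = true` in an `else` branch of the `ret < 0` check, so that only a successful setup counts as created.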
This fixes my use case, so ACK
Michal