[libvirt] [PATCH 0/2] network: improve firewall rule creation error handling

Andrea Bolognani abologna at redhat.com
Tue Mar 19 08:36:14 UTC 2019


On Mon, 2019-03-18 at 17:47 +0000, Daniel P. Berrangé wrote:
> This is a different approach to solving the problem described in:
> 
>   https://www.redhat.com/archives/libvir-list/2019-March/msg00584.html
> 
> That patch would treat each chain creation attempt as non-fatal. This
> means ipv4 chains still get created if ipv6 is missing, or if a subset
> of ip[6]tables modules are missing (eg "mangle" chain).
> 
> This series takes a different approach of splitting IPv4 and IPv6
> chain creation. Setup for either address family can succeed/fail
> independently, however, within an address family everything must
> still succeed. Improved error reporting means that users will see
> the root cause error when trying to start an error.
> 
> So with this series, 'mangle' support is still compulsory for
> any address family, but if IPv6 lacks mangle support, this won't
> break IPv4 support. This is good for the default network which
> only does IPv4 out of the box.
> 
> Daniel P. Berrangé (2):
>   network: improve error report when firewall chain creation fails
>   network: split setup of ipv4 and ipv6 top level chains
> 
>  src/network/bridge_driver.c          |  3 +-
>  src/network/bridge_driver_linux.c    | 51 ++++++++++++++++++++++++----
>  src/network/bridge_driver_nop.c      |  3 +-
>  src/network/bridge_driver_platform.h |  2 +-
>  src/util/viriptables.c               | 14 +++-----
>  src/util/viriptables.h               |  2 +-
>  6 files changed, 53 insertions(+), 22 deletions(-)

The changes make sense and they make the issue I was encountering on
my machine go away, so with the tweaks Michal already pointed out

  Reviewed-by: Andrea Bolognani <abologna at redhat.com>

Is this worth backporting to the stable 5.1.0 branch?

-- 
Andrea Bolognani / Red Hat / Virtualization
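
The per-address-family policy described in the quoted cover letter, as an added sketch that is not part of this mail and is not libvirt code: `setup_family`, `network_start`, `family_err` and the `table_present` host state are hypothetical names, and saving the error for later reporting at network start is an assumption about how the root cause could be surfaced.

```c
#include <stdio.h>
#include <string.h>

enum family { FAM_IPV4, FAM_IPV6, FAM_LAST };
static const char *const tables[] = { "filter", "nat", "mangle" };
#define N_TABLES (sizeof(tables) / sizeof(tables[0]))

/* Constructed host state: ip6tables lacks the "mangle" table. */
static const int table_present[FAM_LAST][N_TABLES] = {
    [FAM_IPV4] = { 1, 1, 1 },
    [FAM_IPV6] = { 1, 1, 0 },
};

/* Root cause saved per family; an empty string means setup succeeded. */
static char family_err[FAM_LAST][128];

/* Within a family every table must succeed; record the first failure.
 * The table_present lookup stands in for running ip[6]tables. */
static int setup_family(enum family f)
{
    family_err[f][0] = '\0';
    for (size_t t = 0; t < N_TABLES; t++) {
        if (!table_present[f][t]) {
            snprintf(family_err[f], sizeof(family_err[f]),
                     "%s: cannot create chains in table '%s'",
                     f == FAM_IPV4 ? "iptables" : "ip6tables", tables[t]);
            return -1;
        }
    }
    return 0;
}

/* A network fails to start only if a family it uses failed setup;
 * the caller then gets that family's saved root cause. */
static const char *network_start(int uses_ipv4, int uses_ipv6)
{
    if (uses_ipv4 && family_err[FAM_IPV4][0]) return family_err[FAM_IPV4];
    if (uses_ipv6 && family_err[FAM_IPV6][0]) return family_err[FAM_IPV6];
    return NULL;
}

int main(void)
{
    setup_family(FAM_IPV4);   /* families are set up independently: */
    setup_family(FAM_IPV6);   /* this failure does not undo IPv4   */
    const char *e = network_start(1, 1);
    printf("ipv4-only: %s\n", network_start(1, 0) ? "failed" : "started");
    printf("dual-stack: %s\n", e ? e : "started");
    return 0;
}
```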



