[libvirt PATCH] network: add private chains only if there are networks adding iptables rules

Daniel Henrique Barboza danielhb413 at gmail.com
Mon Jun 8 20:37:51 UTC 2020



On 6/5/20 2:56 PM, Laine Stump wrote:
> Juan Quintela noticed that when he restarted libvirt he was getting
> extra iptables rules added by libvirt even though he didn't have any
> libvirt networks that used iptables rules. It turns out this also
> happens if the firewalld service is restarted. The extra rules are
> just the private chains, and they're sometimes being added
> unnecessarily because they are added separately in a global
> networkPreReloadFirewallRules() that does the init if there are any
> active networks, regardless of whether or not any of those networks
> will actually add rules to the host firewall.
> 
> The fix is to change the check for "any active networks" to instead
> check for "any active networks that add firewall rules".
> 
> (NB: although the timing seems suspicious, this isn't a new regression
> caused by the recently pushed f5418b427 (which forces recreation of
> private chains when firewalld is restarted); it was an existing bug
> since iptables rules were first put into private chains, even after
> commit c6cbe18771 delayed creation of the private chains. The
> implication is that any downstream based on v5.1.0 or later that cares
> about these extraneous (but harmless) private chains would want to
> backport this patch (along with the other two if they aren't already
> there))
> 
> Signed-off-by: Laine Stump <laine at redhat.com>
> ---

Reviewed-by: Daniel Henrique Barboza <danielhb413 at gmail.com>
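The distinction the commit message draws, "any active network" versus "any active network that adds firewall rules", reduces to a change in one predicate. The following is an added illustration written for this page, not code from libvirt or from the patch: the network struct, the forward-mode list, and which modes are taken to add host iptables rules (isolated, NAT and routed networks do; open, bridge, macvtap and hostdev modes do not) are assumptions of the example. It compares the old and the new check on a few constructed host states, including the case the report describes, a host whose only active network never touches the firewall.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed forward modes, modelled on the <forward mode='...'> values a
 * libvirt network can declare.  Added example, not libvirt code. */
enum fwd_mode {
    FWD_NONE,        /* isolated network: no <forward> element */
    FWD_NAT,
    FWD_ROUTE,
    FWD_OPEN,
    FWD_BRIDGE,
    FWD_PRIVATE,
    FWD_VEPA,
    FWD_PASSTHROUGH,
    FWD_HOSTDEV,
};

struct net {
    const char *name;
    enum fwd_mode mode;
    bool active;
};

/* Assumption of this example: only isolated, NAT and routed networks make
 * libvirt put iptables rules on the host.  "open" mode and the modes that
 * hand the guest a physical or macvtap interface leave the host firewall
 * alone. */
static bool net_adds_firewall_rules(const struct net *n)
{
    switch (n->mode) {
    case FWD_NONE:
    case FWD_NAT:
    case FWD_ROUTE:
        return true;
    default:
        return false;
    }
}

/* The check the report describes as the bug: private chains are (re)created
 * as soon as any network is active, whatever its forward mode. */
static bool need_private_chains_old(const struct net *nets, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (nets[i].active)
            return true;
    return false;
}

/* The check after the fix: private chains are only needed when some active
 * network will actually place rules into them. */
static bool need_private_chains_new(const struct net *nets, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (nets[i].active && net_adds_firewall_rules(&nets[i]))
            return true;
    return false;
}

/* Constructed host states used to compare the two predicates. */
static const struct net bridge_only[] = {
    { "br0-net", FWD_BRIDGE, true },          /* the reported situation */
};
static const struct net nat_and_bridge[] = {
    { "br0-net", FWD_BRIDGE, true },
    { "default", FWD_NAT, true },
};
static const struct net nat_inactive[] = {
    { "default", FWD_NAT, false },
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* True when the old and the new check give different answers for a host. */
static bool checks_disagree(const struct net *nets, size_t count)
{
    return need_private_chains_old(nets, count) !=
           need_private_chains_new(nets, count);
}

int main(void)
{
    printf("bridge only:     old=%d new=%d\n",
           need_private_chains_old(bridge_only, COUNT(bridge_only)),
           need_private_chains_new(bridge_only, COUNT(bridge_only)));
    printf("nat + bridge:    old=%d new=%d\n",
           need_private_chains_old(nat_and_bridge, COUNT(nat_and_bridge)),
           need_private_chains_new(nat_and_bridge, COUNT(nat_and_bridge)));
    printf("nat, inactive:   old=%d new=%d\n",
           need_private_chains_old(nat_inactive, COUNT(nat_inactive)),
           need_private_chains_new(nat_inactive, COUNT(nat_inactive)));
    return 0;
}
```

Only the first host state separates the two checks: with a single active bridge-mode network the old predicate still asks for the private chains on every daemon or firewalld restart, while the new one does not; once a NAT network is active both agree that the chains are needed, and with no active network neither creates them.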
More information about the libvir-list mailing list