On 4/12/19 11:57 AM, Daniel P. Berrangé wrote:
On Fri, Apr 12, 2019 at 11:35:13AM -0400, Laine Stump wrote:
> The network driver used to reload the firewall rules whenever a dbus
> NameOwnerChanged message for org.fedoraproject.FirewallD1 was
> received. Presumably at some point in the past this was successful at
> reloading our rules after a firewalld restart. Recently though I
> noticed that once firewalld was restarted, libvirt's logs would get this
> message:
>
> The name org.fedoraproject.FirewallD1 was not provided by any .service files
>
> After this point, no networks could be started until libvirtd itself
> was restarted.
>
> The problem is that the NameOwnerChanged message is sent twice during
> a firewalld restart - once when the old firewalld is stopped, and
> again when the new firewalld is started. If we try to reload at the
> point the old firewalld is stopped, none of the firewalld dbus calls
> will succeed.
>
> The solution is to check the new_owner field of the message - we
> should reload our firewall rules only if new_owner is non-empty (it is
> set to "" when firewalld is stopped, and some sort of epoch number
> when it is again started).
>
> Signed-off-by: Laine Stump <laine(a)laine.org>
> ---
> src/network/bridge_driver.c | 19 +++++++++++++++++--
> 1 file changed, 17 insertions(+), 2 deletions(-)
>
> diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
> index 4d4ab0f375..167c142ae2 100644
> --- a/src/network/bridge_driver.c
> +++ b/src/network/bridge_driver.c
> @@ -549,8 +549,23 @@ firewalld_dbus_filter_bridge(DBusConnection *connection
ATTRIBUTE_UNUSED,
> dbus_message_is_signal(message, "org.fedoraproject.FirewallD1",
> "Reloaded"))
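Review bot: the trailing context of this hunk shows the block is entered for both the org.freedesktop.DBus NameOwnerChanged signal and the FirewallD1 "Reloaded" signal, but the new_owner argument the commit message proposes to inspect is an argument of NameOwnerChanged only. Decoding it unconditionally at the top of this block would run on Reloaded messages too, where the decode cannot succeed; guard the argument decode with a NameOwnerChanged-only check (or split the two signals into separate branches) so that Reloaded still triggers the reload unconditionally.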
This code path can be run for 2 different signals. You must only do the
Decode step for the NameOwnerChanged signal, not the Reloaded signal.
Ah, right. Okay, time for V2.
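The decision the patch and the review comment describe, as an added worked example that is not libvirt's code: it models only the D-Bus message fields the filter would read (a constructed struct instead of a libdbus DBusMessage, so it builds without libdbus), reloads on NameOwnerChanged only when new_owner is non-empty, and keeps the Reloaded signal on its own branch so the owner-change arguments are never decoded for it. The unique bus names ":1.17" and ":1.42" are made up.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIREWALLD_NAME "org.fedoraproject.FirewallD1"

/* Constructed stand-in for the fields of a D-Bus signal the filter inspects.
 * name/old_owner/new_owner are the three string arguments of NameOwnerChanged
 * and are NULL for any other signal (e.g. FirewallD1.Reloaded carries none). */
typedef struct {
    const char *interface;
    const char *member;
    const char *name;
    const char *old_owner;
    const char *new_owner;   /* "" means the name was released, i.e. firewalld stopped */
} signal_msg;

/* Return true when this signal should trigger a reload of our firewall rules. */
bool firewalld_signal_wants_reload(const signal_msg *m)
{
    if (strcmp(m->interface, "org.freedesktop.DBus") == 0 &&
        strcmp(m->member, "NameOwnerChanged") == 0) {
        /* Only this signal has owner-change arguments, so only decode them here. */
        if (!m->name || strcmp(m->name, FIREWALLD_NAME) != 0)
            return false;
        /* Empty new_owner: firewalld has just gone away and its D-Bus API is
         * unreachable, so reloading now would fail. Wait for the reacquire. */
        return m->new_owner != NULL && m->new_owner[0] != '\0';
    }
    if (strcmp(m->interface, FIREWALLD_NAME) == 0 &&
        strcmp(m->member, "Reloaded") == 0)
        return true;   /* firewalld reloaded its config; re-add our rules */
    return false;
}

/* Replay the two NameOwnerChanged signals a firewalld restart emits (constructed
 * sequence: name released, then reacquired) and count how many reloads result. */
int count_reloads_for_restart(void)
{
    const signal_msg restart[] = {
        { "org.freedesktop.DBus", "NameOwnerChanged", FIREWALLD_NAME, ":1.17", "" },
        { "org.freedesktop.DBus", "NameOwnerChanged", FIREWALLD_NAME, "", ":1.42" },
    };
    int reloads = 0;
    for (size_t i = 0; i < sizeof(restart) / sizeof(restart[0]); i++)
        if (firewalld_signal_wants_reload(&restart[i]))
            reloads++;
    return reloads;   /* 1: only the reacquire triggers a reload */
}

int main(void)
{
    printf("reloads during a firewalld restart: %d\n", count_reloads_for_restart());
    return 0;
}
```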