Long ago we tried to use Fedora's lokkit utility in order to register
our iptables rules so that 'service iptables restart' would
automatically load our rules.
There was one fatal flaw - if the user had configured iptables without
lokkit, then we would clobber that configuration by running lokkit.
We quickly disabled lokkit support, but never removed it. Let's do
that now.
The 'my virtual network stops working when I restart iptables' problem still
remains. For all the background on this saga, see:
https://bugzilla.redhat.com/227011
* src/util/iptables.c: remove lokkit support
* configure.in: remove --enable-lokkit
* libvirt.spec.in: remove the dirs used only for saving rules for lokkit
* src/Makefile.am: ditto
* src/libvirt_private.syms, src/network/bridge_driver.c,
src/util/iptables.h: remove references to iptablesSaveRules
---
configure.in | 21 ----
libvirt.spec.in | 3 -
src/Makefile.am | 4 -
src/libvirt_private.syms | 1 -
src/network/bridge_driver.c | 3 -
src/util/iptables.c | 218 -------------------------------------------
src/util/iptables.h | 1 -
7 files changed, 0 insertions(+), 251 deletions(-)
diff --git a/configure.in b/configure.in
index 8d21207..fe9834d 100644
--- a/configure.in
+++ b/configure.in
@@ -269,27 +269,6 @@ if test x"$with_rhel5_api" = x"yes"; then
AC_DEFINE([WITH_RHEL5_API], [1], [whether building for the RHEL-5 API])
fi
-dnl
-dnl ensure that Fedora's system-config-firewall knows
-dnl about libvirt's iptables rules
-dnl
-AC_ARG_ENABLE([iptables-lokkit],
- [AC_HELP_STRING([--enable-iptables-lokkit=no/yes/check],
- [enable registering libvirt's iptables rules with Fedora's lokkit])],
- [],[enable_iptables_lokkit=check])
-if test x"$enable_iptables_lokkit" != x"no"; then
- AC_PATH_PROG([LOKKIT_PATH],[lokkit], [], [/usr/sbin:$PATH])
-fi
-
-if test x"$enable_iptables_lokkit" = x"yes" -a
x"$LOKKIT_PATH" = x; then
- AC_MSG_ERROR([Cannot find lokkit and --enable-iptables-lokkit specified])
-fi
-
-if test x"$LOKKIT_PATH" != x; then
- AC_DEFINE([ENABLE_IPTABLES_LOKKIT], [], [whether support for Fedora's lokkit is
enabled])
- AC_DEFINE_UNQUOTED([LOKKIT_PATH], "$LOKKIT_PATH", [path to lokkit binary])
-fi
-
AC_PATH_PROG([IPTABLES_PATH], [iptables], /sbin/iptables, [/usr/sbin:$PATH])
AC_DEFINE_UNQUOTED([IPTABLES_PATH], "$IPTABLES_PATH", [path to iptables
binary])
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 408ad05..dd067ad 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -710,9 +710,6 @@ fi
%if %{with_network}
%dir %{_localstatedir}/run/libvirt/network/
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/network/
-%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/iptables/
-%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/iptables/filter/
-%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/iptables/nat/
%endif
%if %{with_qemu}
diff --git a/src/Makefile.am b/src/Makefile.am
index e5d8933..b639915 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -883,8 +883,6 @@ if WITH_UML
$(MKDIR_P) "$(DESTDIR)$(localstatedir)/run/libvirt/uml"
endif
if WITH_NETWORK
- $(MKDIR_P) "$(DESTDIR)$(localstatedir)/lib/libvirt/iptables/filter"
- $(MKDIR_P) "$(DESTDIR)$(localstatedir)/lib/libvirt/iptables/nat"
$(MKDIR_P) "$(DESTDIR)$(localstatedir)/lib/libvirt/network"
$(MKDIR_P) "$(DESTDIR)$(localstatedir)/run/libvirt/network"
$(MKDIR_P) "$(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/autostart"
@@ -921,8 +919,6 @@ if WITH_NETWORK
rm -f $(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/default.xml
rmdir "$(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/autostart" || :
rmdir "$(DESTDIR)$(sysconfdir)/libvirt/qemu/networks" || :
- rmdir "$(DESTDIR)$(localstatedir)/lib/libvirt/iptables/filter" ||:
- rmdir "$(DESTDIR)$(localstatedir)/lib/libvirt/iptables/nat" ||:
rmdir "$(DESTDIR)$(localstatedir)/lib/libvirt/network" ||:
rmdir "$(DESTDIR)$(localstatedir)/run/libvirt/network" ||:
endif
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 58f99fb..8d64b15 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -247,7 +247,6 @@ iptablesRemoveForwardRejectIn;
iptablesRemoveForwardRejectOut;
iptablesRemoveTcpInput;
iptablesRemoveUdpInput;
-iptablesSaveRules;
# libvirt_internal.h
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index d5cab71..abee78c 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -752,8 +752,6 @@ networkAddIptablesRules(virConnectPtr conn,
!networkAddRoutingIptablesRules(conn, driver, network))
goto err8;
- iptablesSaveRules(driver->iptables);
-
return 1;
err8:
@@ -807,7 +805,6 @@ networkRemoveIptablesRules(struct network_driver *driver,
iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 53);
iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 67);
iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 67);
- iptablesSaveRules(driver->iptables);
}
static void
diff --git a/src/util/iptables.c b/src/util/iptables.c
index 36d65e4..8ac7786 100644
--- a/src/util/iptables.c
+++ b/src/util/iptables.c
@@ -66,14 +66,6 @@ typedef struct
int nrules;
iptRule *rules;
-
-#ifdef ENABLE_IPTABLES_LOKKIT
-
- char dir[PATH_MAX];
- char path[PATH_MAX];
-
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
} iptRules;
struct _iptablesContext
@@ -83,186 +75,6 @@ struct _iptablesContext
iptRules *nat_postrouting;
};
-#ifdef ENABLE_IPTABLES_LOKKIT
-static void
-notifyRulesUpdated(const char *table,
- const char *path)
-{
- char arg[PATH_MAX];
- const char *argv[4];
-
- snprintf(arg, sizeof(arg), "--custom-rules=ipv4:%s:%s", table, path);
-
- argv[0] = (char *) LOKKIT_PATH;
- argv[1] = (char *) "--nostart";
- argv[2] = arg;
- argv[3] = NULL;
-
- char ebuf[1024];
- if (virRun(NULL, argv, NULL) < 0)
- VIR_WARN(_("Failed to run '%s %s': %s"),
- LOKKIT_PATH, arg, virStrerror(errno, ebuf, sizeof ebuf));
-}
-
-static int
-stripLine(char *str, int len, const char *line)
-{
- char *s, *p;
- int changed;
-
- changed = 0;
- s = str;
-
- while ((p = strchr(s, '\n'))) {
- if (p == s || STRNEQLEN(s, line, p - s)) {
- s = ++p;
- continue;
- }
-
- ++p;
- memmove(s, p, len - (p - str) + 1);
- len -= p - s;
- changed = 1;
- }
-
- if (STREQ(s, line)) {
- *s = '\0';
- changed = 1;
- }
-
- return changed;
-}
-
-static void
-notifyRulesRemoved(const char *table,
- const char *path)
-{
-/* 10 MB limit on config file size as a sanity check */
-#define MAX_FILE_LEN (1024*1024*10)
-
- char arg[PATH_MAX];
- char *content;
- int len;
- FILE *f = NULL;
-
- len = virFileReadAll(SYSCONF_DIR "/sysconfig/system-config-firewall",
- MAX_FILE_LEN, &content);
- if (len < 0) {
- VIR_WARN("%s", _("Failed to read " SYSCONF_DIR
- "/sysconfig/system-config-firewall"));
- return;
- }
-
- snprintf(arg, sizeof(arg), "--custom-rules=ipv4:%s:%s", table, path);
-
- if (!stripLine(content, len, arg)) {
- VIR_FREE(content);
- return;
- }
-
- if (!(f = fopen(SYSCONF_DIR "/sysconfig/system-config-firewall",
"w")))
- goto write_error;
-
- if (fputs(content, f) == EOF)
- goto write_error;
-
- if (fclose(f) == EOF) {
- f = NULL;
- goto write_error;
- }
-
- VIR_FREE(content);
-
- return;
-
- write_error:;
- char ebuf[1024];
- VIR_WARN(_("Failed to write to " SYSCONF_DIR
- "/sysconfig/system-config-firewall : %s"),
- virStrerror(errno, ebuf, sizeof ebuf));
- if (f)
- fclose(f);
- VIR_FREE(content);
-
-#undef MAX_FILE_LEN
-}
-
-static int
-writeRules(const char *path,
- const iptRule *rules,
- int nrules)
-{
- char tmp[PATH_MAX];
- FILE *f;
- int istmp;
- int i;
-
- if (nrules == 0 && unlink(path) == 0)
- return 0;
-
- if (snprintf(tmp, PATH_MAX, "%s.new", path) >= PATH_MAX)
- return EINVAL;
-
- istmp = 1;
-
- if (!(f = fopen(tmp, "w"))) {
- istmp = 0;
- if (!(f = fopen(path, "w")))
- return errno;
- }
-
- for (i = 0; i < nrules; i++) {
- if (fputs(rules[i].rule, f) == EOF ||
- fputc('\n', f) == EOF) {
- fclose(f);
- if (istmp)
- unlink(tmp);
- return errno;
- }
- }
-
- fclose(f);
-
- if (istmp && rename(tmp, path) < 0) {
- unlink(tmp);
- return errno;
- }
-
- if (istmp)
- unlink(tmp);
-
- return 0;
-}
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
-static void
-iptRulesSave(iptRules *rules)
-{
-#ifdef ENABLE_IPTABLES_LOKKIT
- int err;
-
- char ebuf[1024];
- if ((err = virFileMakePath(rules->dir))) {
- VIR_WARN(_("Failed to create directory %s : %s"),
- rules->dir, virStrerror(err, ebuf, sizeof ebuf));
- return;
- }
-
- if ((err = writeRules(rules->path, rules->rules, rules->nrules))) {
- VIR_WARN(_("Failed to saves iptables rules to %s : %s"),
- rules->path, virStrerror(err, ebuf, sizeof ebuf));
- return;
- }
-
- if (rules->nrules > 0)
- notifyRulesUpdated(rules->table, rules->path);
- else
- notifyRulesRemoved(rules->table, rules->path);
-#else
- (void) rules;
-#endif /* ENABLE_IPTABLES_LOKKIT */
-}
-
static void
iptRuleFree(iptRule *rule)
{
@@ -340,11 +152,6 @@ iptRulesFree(iptRules *rules)
rules->nrules = 0;
}
-#ifdef ENABLE_IPTABLES_LOKKIT
- rules->dir[0] = '\0';
- rules->path[0] = '\0';
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
VIR_FREE(rules);
}
@@ -366,15 +173,6 @@ iptRulesNew(const char *table,
rules->rules = NULL;
rules->nrules = 0;
-#ifdef ENABLE_IPTABLES_LOKKIT
- if (virFileBuildPath(LOCAL_STATE_DIR "/lib/libvirt/iptables", table, NULL,
- rules->dir, sizeof(rules->dir)) < 0)
- goto error;
-
- if (virFileBuildPath(rules->dir, chain, ".chain", rules->path,
sizeof(rules->path)) < 0)
- goto error;
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
return rules;
error:
@@ -520,22 +318,6 @@ iptablesContextFree(iptablesContext *ctx)
VIR_FREE(ctx);
}
-/**
- * iptablesSaveRules:
- * @ctx: pointer to the IP table context
- *
- * Saves all the IP table rules associated with a context
- * to disk so that if iptables is restarted, the rules
- * will automatically be reload.
- */
-void
-iptablesSaveRules(iptablesContext *ctx)
-{
- iptRulesSave(ctx->input_filter);
- iptRulesSave(ctx->forward_filter);
- iptRulesSave(ctx->nat_postrouting);
-}
-
static void
iptRulesReload(iptRules *rules)
{
diff --git a/src/util/iptables.h b/src/util/iptables.h
index fbe9b5d..826f4f8 100644
--- a/src/util/iptables.h
+++ b/src/util/iptables.h
@@ -27,7 +27,6 @@ typedef struct _iptablesContext iptablesContext;
iptablesContext *iptablesContextNew (void);
void iptablesContextFree (iptablesContext *ctx);
-void iptablesSaveRules (iptablesContext *ctx);
void iptablesReloadRules (iptablesContext *ctx);
int iptablesAddTcpInput (iptablesContext *ctx,
--
1.6.5.2