On 3/18/19 6:47 PM, Daniel P. Berrangé wrote:
During startup libvirtd creates top level chains for both ipv4
and ipv6 protocols. If this fails for any reason then startup
of virtual networks is blocked.

The default virtual network, however, only requires use of ipv4
and some servers have ipv6 disabled so it is expected that ipv6
chain creation will fail. There could equally be servers with
no ipv4, only ipv6.

This patch thus makes error reporting a little more fine grained
so that it works more sensibly when either ipv4 or ipv6 is
disabled on the server. Only the protocols that are actually
used by the virtual network have errors reported.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/network/bridge_driver_linux.c | 36 +++++++++++++++++++++++++------
src/util/viriptables.c | 14 ++++--------
src/util/viriptables.h | 2 +-
3 files changed, 34 insertions(+), 18 deletions(-)
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index 04b9c079ff..4e2320ea0a 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -35,10 +35,12 @@ VIR_LOG_INIT("network.bridge_driver_linux");
#define PROC_NET_ROUTE "/proc/net/route"
-static virErrorPtr errInit;
+static virErrorPtr errInitV4;
+static virErrorPtr errInitV6;
-void networkPreReloadFirewallRules(bool startup)
+int networkPreReloadFirewallRules(bool startup)
I guess you didn't mean to do this change.
{
+ bool created = false;
int ret;
/* We create global rules upfront as we don't want
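Review bot: the return type change from void to int on networkPreReloadFirewallRules() has no matching declaration or caller update anywhere in this patch: the diffstat lists only bridge_driver_linux.c, viriptables.c and viriptables.h, so the header that declares this function and its callers still see a void function, and nothing in the visible hunks returns a value. Either drop the `int` (the commit message describes only finer-grained error reporting, not a new return value) or include the prototype, the caller changes and the actual `return`. The new `bool created = false;` is likewise introduced here without any visible consumer; if it is meant to become the return value, that return should be part of this patch.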
@@ -49,11 +51,21 @@ void networkPreReloadFirewallRules(bool startup)
* of starting the network though as that makes them
* more likely to be seen by a human
*/
- ret = iptablesSetupPrivateChains();
+ ret = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV4);
if (ret < 0) {
- errInit = virSaveLastError();
+ errInitV4 = virSaveLastError();
virResetLastError();
}
+ if (ret)
Again, small nitpick, if (ret > 0).
+ created = true;
+
+ ret = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6);
+ if (ret < 0) {
+ errInitV6 = virSaveLastError();
+ virResetLastError();
+ }
+ if (ret)
+ created = true;
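Review bot: the `if (ret)` tests after each iptablesSetupPrivateChains() call also fire when ret is negative, so a failed chain setup first saves its error into errInitV4 or errInitV6 and then still sets `created = true`, which defeats the purpose of tracking whether a layer was created. Use `if (ret > 0)` (or move the assignment into an `else` branch of the `if (ret < 0)` block) so only a successful creation counts. Separately, errInitV4 and errInitV6 are overwritten on every reload without freeing the previously saved error; virSaveLastError() returns a fresh allocation, so this is the same leak pattern the old single errInit had, and a virFreeError() of the old value before each assignment would close it for repeated reloads.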
This fixes my usecase, so ACK
Michal