If an SRIOV PF is offline, the kernel won't complain if you set the mac address and vlan tag for a VF via this PF, and it will even let you assign the VF to a guest using PCI device assignment or macvtap passthrough. But in this case (the PF isn't online), the device won't be usable in the guest. Silently setting the PF online would solve the connectivity problem, but as pointed out by Dan Berrange, when an interface is set online with no associated config, the kernel will by default turn on IPv6 autoconf, which could create unexpected security problems for the host. For this reason, this patch instead logs an error and fails the operation. This resolves: https://bugzilla.redhat.com/show_bug.cgi?id=893738 Originally filed against RHEL6, but present in every version of libvirt until today. --- src/util/virnetdev.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/src/util/virnetdev.c b/src/util/virnetdev.c index e14b401..98ce152 100644 --- a/src/util/virnetdev.c +++ b/src/util/virnetdev.c @@ -2258,6 +2258,28 @@ virNetDevReplaceVfConfig(const char *pflinkdev, int vf, char macstr[VIR_MAC_STRING_BUFLEN]; char *fileData = NULL; int ifindex = -1; + bool pfIsOnline; + + /* Assure that PF is online prior to twiddling with the VF. It + * *should* be, but if the PF isn't online the changes made to the + * VF via the PF won't take effect, yet there will be no error + * reported. In the case that it isn't online, fail and report the + * error, since setting an unconfigured interface online + * automatically turns on IPv6 autoconfig, which may not be what + * the admin expects, so we want them to explicitly enable the PF + * in the host system network config. + */ + if (virNetDevGetOnline(pflinkdev, &pfIsOnline) < 0) + goto cleanup; + if (!pfIsOnline) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Unable to configure VF %d of PF '%s' " + "because the PF is not online. Please " + "change host network config to put the " + "PF online."), + vf, pflinkdev); + goto cleanup; + } if (virNetDevGetVfConfig(pflinkdev, vf, &oldmac, &oldvlanid) < 0) goto cleanup; -- 2.1.0

If the firewalld backend wasn't available and libvirt decides to try setting up a "direct" backend, it checks for the presence of iptables, ip6tables, and ebtables. If they are not found, a message like this is logged: error : virFirewallValidateBackend:193 : direct firewall backend requested, but /usr/sbin/ip6tables is not available: No such file or directory But then at a later time if an attempt is made to use the virFirewall API, failure will be indicated with: error : virFirewallApply:936 : out of memory This patch changes virFirewallApply to first check if a firewall backend hadn't been successfully setup, and logs a slightly more informative message in that case: error : virFirewallApply:940 : internal error: Failed to initialize a valid firewall backend This resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1223876 --- src/util/virfirewall.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 2251f97..a972c05 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -1,7 +1,7 @@ /* * virfirewall.c: integration with firewalls * - * Copyright (C) 2013, 2014 Red Hat, Inc. + * Copyright (C) 2013-2015 Red Hat, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -932,6 +932,14 @@ virFirewallApply(virFirewallPtr firewall) virMutexLock(&ruleLock); + if (currentBackend == VIR_FIREWALL_BACKEND_AUTOMATIC) { + /* a specific backend should have been set when the firewall + * object was created. If not, it means none was found. + */ + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Failed to initialize a valid firewall backend")); + goto cleanup; + } if (!firewall || firewall->err == ENOMEM) { virReportOOMError(); goto cleanup; -- 2.1.0