render / rpms / libvirt

Forked from rpms/libvirt 11 months ago
Clone
79b470
From d7703d11a44505d1a17001d8cfd36bf74d20b710 Mon Sep 17 00:00:00 2001
79b470
Message-Id: <d7703d11a44505d1a17001d8cfd36bf74d20b710@dist-git>
79b470
From: Laine Stump <laine@redhat.com>
79b470
Date: Fri, 15 Jan 2021 22:51:46 -0500
79b470
Subject: [PATCH] util/tests: enable locking on iptables/ebtables commandlines
79b470
 by default
79b470
79b470
iptables and ip6tables have had a "-w" commandline option to grab a
79b470
systemwide lock that prevents two iptables invocations from modifying
79b470
the iptables chains since 2013 (upstream commit 93587a04 in
79b470
iptables-1.4.20).  Similarly, ebtables has had a "--concurrent"
79b470
commandline option for the same purpose since 2011 (in the upstream
79b470
ebtables commit f9b4bcb93, which was present in ebtables-2.0.10.4).
79b470
79b470
Libvirt added code to conditionally use the commandline option for
79b470
iptables/ip6tables in upstream commit ba95426d6f (libvirt-1.2.0,
79b470
November 2013), and for ebtables in upstream commit dc33e6e4a5
79b470
(libvirt-1.2.11, November 2014) (the latter actually *re*-added the
79b470
locking for iptables/ip6tables, as it had accidentally been removed
79b470
during a refactor of firewall code in the interim).
79b470
79b470
I say "conditionally" because a check was made during firewall module
79b470
initialization that tried executing a test command with the
79b470
-w/--concurrent option, and only continued using it for actual
79b470
commands if that test command completed successfully. At the time the
79b470
code was added this was a reasonable thing to do, as it had been less
79b470
than a year since introduction of -w to iptables, so many distros
79b470
supported by libvirt were still using iptables (and possibly even
79b470
ebtables) versions too old to have the new commandline options.
79b470
79b470
It is now 2020, and as far as I can discern from repology.org (and
79b470
manually examining a RHEL7.9 system), every version of every distro
79b470
that is supported by libvirt now uses new enough versions of both
79b470
iptables and ebtables that they all have support for -w/--concurrent.
79b470
That means we can finally remove the conditional code and simply
79b470
always use them.
79b470
79b470
https://bugzilla.redhat.com/1607929
79b470
79b470
Signed-off-by: Laine Stump <laine@redhat.com>
79b470
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
79b470
(cherry picked from commit 0a867cd895f06134d24eb27070285bb4b50c088f)
79b470
Message-Id: <20210116035151.1066734-4-laine@redhat.com>
79b470
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
79b470
---
79b470
 src/libvirt_private.syms         |  1 -
79b470
 src/util/virfirewall.c           | 64 ++------------------------------
79b470
 src/util/virfirewall.h           |  2 -
79b470
 tests/networkxml2firewalltest.c  |  2 -
79b470
 tests/nwfilterebiptablestest.c   |  2 -
79b470
 tests/nwfilterxml2firewalltest.c |  2 -
79b470
 tests/virfirewalltest.c          |  2 -
79b470
 7 files changed, 3 insertions(+), 72 deletions(-)
79b470
79b470
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
79b470
index d6598c2514..edc53ce899 100644
79b470
--- a/src/libvirt_private.syms
79b470
+++ b/src/libvirt_private.syms
79b470
@@ -2089,7 +2089,6 @@ virFirewallRuleAddArgList;
79b470
 virFirewallRuleAddArgSet;
79b470
 virFirewallRuleGetArgCount;
79b470
 virFirewallSetBackend;
79b470
-virFirewallSetLockOverride;
79b470
 virFirewallStartRollback;
79b470
 virFirewallStartTransaction;
79b470
 
79b470
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
79b470
index c2de2bccae..2e3b02402e 100644
79b470
--- a/src/util/virfirewall.c
79b470
+++ b/src/util/virfirewall.c
79b470
@@ -97,59 +97,6 @@ virFirewallOnceInit(void)
79b470
 
79b470
 VIR_ONCE_GLOBAL_INIT(virFirewall);
79b470
 
79b470
-static bool iptablesUseLock;
79b470
-static bool ip6tablesUseLock;
79b470
-static bool ebtablesUseLock;
79b470
-static bool lockOverride; /* true to avoid lock probes */
79b470
-
79b470
-void
79b470
-virFirewallSetLockOverride(bool avoid)
79b470
-{
79b470
-    lockOverride = avoid;
79b470
-    if (avoid) {
79b470
-        /* add the lock option to all commands */
79b470
-        iptablesUseLock = true;
79b470
-        ip6tablesUseLock = true;
79b470
-        ebtablesUseLock = true;
79b470
-    }
79b470
-}
79b470
-
79b470
-static void
79b470
-virFirewallCheckUpdateLock(bool *lockflag,
79b470
-                           const char *const*args)
79b470
-{
79b470
-    int status; /* Ignore failed commands without logging them */
79b470
-    g_autoptr(virCommand) cmd = virCommandNewArgs(args);
79b470
-    if (virCommandRun(cmd, &status) < 0 || status) {
79b470
-        VIR_INFO("locking not supported by %s", args[0]);
79b470
-    } else {
79b470
-        VIR_INFO("using locking for %s", args[0]);
79b470
-        *lockflag = true;
79b470
-    }
79b470
-}
79b470
-
79b470
-static void
79b470
-virFirewallCheckUpdateLocking(void)
79b470
-{
79b470
-    const char *iptablesArgs[] = {
79b470
-        IPTABLES_PATH, "-w", "-L", "-n", NULL,
79b470
-    };
79b470
-    const char *ip6tablesArgs[] = {
79b470
-        IP6TABLES_PATH, "-w", "-L", "-n", NULL,
79b470
-    };
79b470
-    const char *ebtablesArgs[] = {
79b470
-        EBTABLES_PATH, "--concurrent", "-L", NULL,
79b470
-    };
79b470
-    if (lockOverride)
79b470
-        return;
79b470
-    virFirewallCheckUpdateLock(&iptablesUseLock,
79b470
-                               iptablesArgs);
79b470
-    virFirewallCheckUpdateLock(&ip6tablesUseLock,
79b470
-                               ip6tablesArgs);
79b470
-    virFirewallCheckUpdateLock(&ebtablesUseLock,
79b470
-                               ebtablesArgs);
79b470
-}
79b470
-
79b470
 static int
79b470
 virFirewallValidateBackend(virFirewallBackend backend)
79b470
 {
79b470
@@ -197,8 +144,6 @@ virFirewallValidateBackend(virFirewallBackend backend)
79b470
 
79b470
     currentBackend = backend;
79b470
 
79b470
-    virFirewallCheckUpdateLocking();
79b470
-
79b470
     return 0;
79b470
 }
79b470
 
79b470
@@ -363,16 +308,13 @@ virFirewallAddRuleFullV(virFirewallPtr firewall,
79b470
 
79b470
     switch (rule->layer) {
79b470
     case VIR_FIREWALL_LAYER_ETHERNET:
79b470
-        if (ebtablesUseLock)
79b470
-            ADD_ARG(rule, "--concurrent");
79b470
+        ADD_ARG(rule, "--concurrent");
79b470
         break;
79b470
     case VIR_FIREWALL_LAYER_IPV4:
79b470
-        if (iptablesUseLock)
79b470
-            ADD_ARG(rule, "-w");
79b470
+        ADD_ARG(rule, "-w");
79b470
         break;
79b470
     case VIR_FIREWALL_LAYER_IPV6:
79b470
-        if (ip6tablesUseLock)
79b470
-            ADD_ARG(rule, "-w");
79b470
+        ADD_ARG(rule, "-w");
79b470
         break;
79b470
     case VIR_FIREWALL_LAYER_LAST:
79b470
         break;
79b470
diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h
79b470
index 6148f46827..fda3cdec01 100644
79b470
--- a/src/util/virfirewall.h
79b470
+++ b/src/util/virfirewall.h
79b470
@@ -111,6 +111,4 @@ void virFirewallStartRollback(virFirewallPtr firewall,
79b470
 
79b470
 int virFirewallApply(virFirewallPtr firewall);
79b470
 
79b470
-void virFirewallSetLockOverride(bool avoid);
79b470
-
79b470
 G_DEFINE_AUTOPTR_CLEANUP_FUNC(virFirewall, virFirewallFree);
79b470
diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c
79b470
index 0ad5e2303b..886b268319 100644
79b470
--- a/tests/networkxml2firewalltest.c
79b470
+++ b/tests/networkxml2firewalltest.c
79b470
@@ -152,8 +152,6 @@ mymain(void)
79b470
             ret = -1; \
79b470
     } while (0)
79b470
 
79b470
-    virFirewallSetLockOverride(true);
79b470
-
79b470
     if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
79b470
         if (!hasNetfilterTools()) {
79b470
             fprintf(stderr, "iptables/ip6tables/ebtables tools not present");
79b470
diff --git a/tests/nwfilterebiptablestest.c b/tests/nwfilterebiptablestest.c
79b470
index e70f0e2400..adce7430a9 100644
79b470
--- a/tests/nwfilterebiptablestest.c
79b470
+++ b/tests/nwfilterebiptablestest.c
79b470
@@ -510,8 +510,6 @@ mymain(void)
79b470
 {
79b470
     int ret = 0;
79b470
 
79b470
-    virFirewallSetLockOverride(true);
79b470
-
79b470
     if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
79b470
         if (!hasNetfilterTools()) {
79b470
             fprintf(stderr, "iptables/ip6tables/ebtables tools not present");
79b470
diff --git a/tests/nwfilterxml2firewalltest.c b/tests/nwfilterxml2firewalltest.c
79b470
index c97f83b24a..73f7991a96 100644
79b470
--- a/tests/nwfilterxml2firewalltest.c
79b470
+++ b/tests/nwfilterxml2firewalltest.c
79b470
@@ -459,8 +459,6 @@ mymain(void)
79b470
             ret = -1; \
79b470
     } while (0)
79b470
 
79b470
-    virFirewallSetLockOverride(true);
79b470
-
79b470
     if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
79b470
         if (!hasNetfilterTools()) {
79b470
             fprintf(stderr, "iptables/ip6tables/ebtables tools not present");
79b470
diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c
79b470
index 195163a985..1ec768d302 100644
79b470
--- a/tests/virfirewalltest.c
79b470
+++ b/tests/virfirewalltest.c
79b470
@@ -1141,8 +1141,6 @@ mymain(void)
79b470
     RUN_TEST_DIRECT(name, method)
79b470
 # endif /* ! WITH_DBUS */
79b470
 
79b470
-    virFirewallSetLockOverride(true);
79b470
-
79b470
     RUN_TEST("single group", testFirewallSingleGroup);
79b470
     RUN_TEST("remove rule", testFirewallRemoveRule);
79b470
     RUN_TEST("many groups", testFirewallManyGroups);
79b470
-- 
79b470
2.30.0
79b470