From 021167719bebe7fb7a0e366c371b6c7057ebed7e Mon Sep 17 00:00:00 2001

Message-Id: <021167719bebe7fb7a0e366c371b6c7057ebed7e@dist-git>

From: Laine Stump <laine@redhat.com>

Date: Wed, 14 Apr 2021 23:25:34 -0400

Subject: [PATCH] network: force re-creation of iptables private chains on

 firewalld restart

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

When firewalld is stopped, it removes *all* iptables rules and chains,

including those added by libvirt. Since restarting firewalld means

stopping and then starting it, any time it is restarted, libvirt needs

to recreate all the private iptables chains it uses, along with all

the rules it adds.

We already have code in place to call networkReloadFirewallRules() any

time we're notified of a firewalld start, and

networkReloadFirewallRules() will call

networkPreReloadFirewallRules(), which calls

networkSetupPrivateChains(); unfortunately that last call is called

using virOnce(), meaning that it will only be called the first time

through networkPreReloadFirewallRules() after libvirtd starts - so of

course when firewalld is later restarted, the call to

networkSetupPrivateChains() is skipped.

The neat and tidy way to fix this would be if there was a standard way

to reset a pthread_once_t object so that the next time virOnce was

called, it would think the function hadn't been called, and call it

again. Unfortunately, there isn't any official way of doing that (we

*could* just fill it with 0 and hope for the best, but that doesn't

seem very safe.

So instead, this patch just adds a static variable called

chainInitDone, which is set to true after networkSetupPrivateChains()

is called for the first time, and then during calls to

networkPreReloadFirewallRules(), if chainInitDone is set, we call

networkSetupPrivateChains() directly instead of via virOnce().

It may seem unsafe to directly call a function that is meant to be

called only once, but I think in this case we're safe - there's

nothing in the function that is inherently "once only" - it doesn't

initialize anything that can't safely be re-initialized (as long as

two threads don't try to do it at the same time), and it only happens

when responding to a dbus message that firewalld has been started (and

I don't think it's possible for us to be processing two of those at

once), and even then only if the initial call to the function has

already been completed (so we're safe if we receive a firewalld

restart call at a time when we haven't yet called it, or even if

another thread is already in the process of executing it. The only

problematic bit I can think of is if another thread is in the process

of adding an iptable rule at the time we're executing this function,

but 1) none of those threads will be trying to add chains, and 2) if

there was a concurrency problem with other threads adding iptables

rules while firewalld was being restarted, it would still be a problem

even without this change.

This is yet another patch that fixes an occurrence of this error:

COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: No chain/target/match by that name.

Signed-off-by: Laine Stump <laine@redhat.com>

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

(cherry picked from commit f5418b427e7d2f26803880309478de9103680826)

https://bugzilla.redhat.com/1942805

(cloned from the RHEL-AV version: https://bugzilla.redhat.com/1813830 )

Conflicts:

  src/network/bridge_driver.c:

    In one place a later commit was backported prior to this commit,

    removing a VIR_DEBUG line and some { }. (see upstream commit

    c102bbd3efc35, which was backported for

    https://bugzilla.redhat.com/1607929

Signed-off-by: Laine Stump <laine@redhat.com>

Message-Id: <20210415032534.723202-3-laine@redhat.com>

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>

---

 src/network/bridge_driver.c          | 16 ++++---

 src/network/bridge_driver_linux.c    | 69 ++++++++++++++++++----------

 src/network/bridge_driver_nop.c      |  3 +-

 src/network/bridge_driver_platform.h |  2 +-

 4 files changed, 58 insertions(+), 32 deletions(-)

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c

index 5995396f78..b8118067d1 100644

--- a/src/network/bridge_driver.c

+++ b/src/network/bridge_driver.c

@@ -271,7 +271,9 @@ static int

 networkShutdownNetworkExternal(virNetworkObjPtr obj);

 static void

-networkReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup);

+networkReloadFirewallRules(virNetworkDriverStatePtr driver,

+                           bool startup,

+                           bool force);

 static void

 networkRefreshDaemons(virNetworkDriverStatePtr driver);

@@ -690,7 +692,7 @@ firewalld_dbus_filter_bridge(DBusConnection *connection G_GNUC_UNUSED,

     }

     if (reload)

-        networkReloadFirewallRules(driver, false);

+        networkReloadFirewallRules(driver, false, true);

     return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;

 }

@@ -791,7 +793,7 @@ networkStateInitialize(bool privileged,

     virNetworkObjListPrune(network_driver->networks,

                            VIR_CONNECT_LIST_NETWORKS_INACTIVE |

                            VIR_CONNECT_LIST_NETWORKS_TRANSIENT);

-    networkReloadFirewallRules(network_driver, true);

+    networkReloadFirewallRules(network_driver, true, false);

     networkRefreshDaemons(network_driver);

     if (virDriverShouldAutostart(network_driver->stateDir, &autostart) < 0)

@@ -861,7 +863,7 @@ networkStateReload(void)

                                 network_driver->networkConfigDir,

                                 network_driver->networkAutostartDir,

                                 network_driver->xmlopt);

-    networkReloadFirewallRules(network_driver, false);

+    networkReloadFirewallRules(network_driver, false, false);

     networkRefreshDaemons(network_driver);

     virNetworkObjListForEach(network_driver->networks,

                              networkAutostartConfig,

@@ -2229,14 +2231,16 @@ networkReloadFirewallRulesHelper(virNetworkObjPtr obj,

 static void

-networkReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup)

+networkReloadFirewallRules(virNetworkDriverStatePtr driver,

+                           bool startup,

+                           bool force)

 {

     VIR_INFO("Reloading iptables rules");

     /* Ideally we'd not even register the driver when unprivilegd

      * but until we untangle the virt driver that's not viable */

     if (!driver->privileged)

         return;

-    networkPreReloadFirewallRules(driver, startup);

+    networkPreReloadFirewallRules(driver, startup, force);

     virNetworkObjListForEach(driver->networks,

                              networkReloadFirewallRulesHelper,

                              NULL);

diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c

index b6b324d1d5..f707bf8e47 100644

--- a/src/network/bridge_driver_linux.c

+++ b/src/network/bridge_driver_linux.c

@@ -36,11 +36,14 @@ VIR_LOG_INIT("network.bridge_driver_linux");

 #define PROC_NET_ROUTE "/proc/net/route"

 static virOnceControl createdOnce;

-static bool createdChains;

+static bool chainInitDone; /* true iff networkSetupPrivateChains was ever called */

+static bool createdChains; /* true iff networkSetupPrivateChains created chains during most recent call */

 static virErrorPtr errInitV4;

 static virErrorPtr errInitV6;

-/* Only call via virOnce */

+/* Usually only called via virOnce, but can also be called directly in

+ * response to firewalld reload (if chainInitDone == true)

+ */

 static void networkSetupPrivateChains(void)

 {

     int rc;

@@ -82,6 +85,8 @@ static void networkSetupPrivateChains(void)

             VIR_DEBUG("Global IPv6 chains already exist");

         }

     }

+

+    chainInitDone = true;

 }

@@ -111,7 +116,10 @@ networkHasRunningNetworks(virNetworkDriverStatePtr driver)

 }

-void networkPreReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup)

+void

+networkPreReloadFirewallRules(virNetworkDriverStatePtr driver,

+                              bool startup,

+                              bool force)

 {

     /*

      * If there are any running networks, we need to

@@ -130,29 +138,42 @@ void networkPreReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup

      * of starting the network though as that makes them

      * more likely to be seen by a human

      */

-    if (!networkHasRunningNetworks(driver)) {

-        VIR_DEBUG("Delayed global rule setup as no networks are running");

-        return;

-    }

+    if (chainInitDone && force) {

+        /* The Private chains have already been initialized once

+         * during this run of libvirtd, so 1) we can't do it again via

+         * virOnce(), and 2) we need to re-add the private chains even

+         * if there are currently no running networks, because the

+         * next time a network is started, libvirt will expect that

+         * the chains have already been added. So we call directly

+         * instead of via virOnce().

+         */

+        networkSetupPrivateChains();

-    ignore_value(virOnce(&createdOnce, networkSetupPrivateChains));

+    } else {

+        if (!networkHasRunningNetworks(driver)) {

+            VIR_DEBUG("Delayed global rule setup as no networks are running");

+            return;

+        }

-    /*

-     * If this is initial startup, and we just created the

-     * top level private chains we either

-     *

-     *   - upgraded from old libvirt

-     *   - freshly booted from clean state

-     *

-     * In the first case we must delete the old rules from

-     * the built-in chains, instead of our new private chains.

-     * In the second case it doesn't matter, since no existing

-     * rules will be present. Thus we can safely just tell it

-     * to always delete from the builin chain

-     */

-    if (startup && createdChains) {

-        VIR_DEBUG("Requesting cleanup of legacy firewall rules");

-        iptablesSetDeletePrivate(false);

+        ignore_value(virOnce(&createdOnce, networkSetupPrivateChains));

+

+        /*

+         * If this is initial startup, and we just created the

+         * top level private chains we either

+         *

+         *   - upgraded from old libvirt

+         *   - freshly booted from clean state

+         *

+         * In the first case we must delete the old rules from

+         * the built-in chains, instead of our new private chains.

+         * In the second case it doesn't matter, since no existing

+         * rules will be present. Thus we can safely just tell it

+         * to always delete from the builin chain

+         */

+        if (startup && createdChains) {

+            VIR_DEBUG("Requesting cleanup of legacy firewall rules");

+            iptablesSetDeletePrivate(false);

+        }

     }

 }

diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_nop.c

index 08d737511f..db89c10023 100644

--- a/src/network/bridge_driver_nop.c

+++ b/src/network/bridge_driver_nop.c

@@ -20,7 +20,8 @@

 #include <config.h>

 void networkPreReloadFirewallRules(virNetworkDriverStatePtr driver G_GNUC_UNUSED,

-                                   bool startup G_GNUC_UNUSED)

+                                   bool startup G_GNUC_UNUSED,

+                                   bool force G_GNUC_UNUSED)

 {

 }

diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driver_platform.h

index 169417a6c0..48ab52c160 100644

--- a/src/network/bridge_driver_platform.h

+++ b/src/network/bridge_driver_platform.h

@@ -62,7 +62,7 @@ struct _virNetworkDriverState {

 typedef struct _virNetworkDriverState virNetworkDriverState;

 typedef virNetworkDriverState *virNetworkDriverStatePtr;

-void networkPreReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup);

+void networkPreReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup, bool force);

 void networkPostReloadFirewallRules(bool startup);

 int networkCheckRouteCollision(virNetworkDefPtr def);

-- 

2.31.1