|
 |
397dc2 |
From d7703d11a44505d1a17001d8cfd36bf74d20b710 Mon Sep 17 00:00:00 2001
|
|
|
397dc2 |
Message-Id: <d7703d11a44505d1a17001d8cfd36bf74d20b710@dist-git>
|
|
|
397dc2 |
From: Laine Stump <laine@redhat.com>
|
|
|
397dc2 |
Date: Fri, 15 Jan 2021 22:51:46 -0500
|
|
|
397dc2 |
Subject: [PATCH] util/tests: enable locking on iptables/ebtables commandlines
|
|
|
397dc2 |
by default
|
|
|
397dc2 |
|
|
|
397dc2 |
iptables and ip6tables have had a "-w" commandline option to grab a
|
|
|
397dc2 |
systemwide lock that prevents two iptables invocations from modifying
|
|
|
397dc2 |
the iptables chains since 2013 (upstream commit 93587a04 in
|
|
|
397dc2 |
iptables-1.4.20). Similarly, ebtables has had a "--concurrent"
|
|
|
397dc2 |
commandline option for the same purpose since 2011 (in the upstream
|
|
|
397dc2 |
ebtables commit f9b4bcb93, which was present in ebtables-2.0.10.4).
|
|
|
397dc2 |
|
|
|
397dc2 |
Libvirt added code to conditionally use the commandline option for
|
|
|
397dc2 |
iptables/ip6tables in upstream commit ba95426d6f (libvirt-1.2.0,
|
|
|
397dc2 |
November 2013), and for ebtables in upstream commit dc33e6e4a5
|
|
|
397dc2 |
(libvirt-1.2.11, November 2014) (the latter actually *re*-added the
|
|
|
397dc2 |
locking for iptables/ip6tables, as it had accidentally been removed
|
|
|
397dc2 |
during a refactor of firewall code in the interim).
|
|
|
397dc2 |
|
|
|
397dc2 |
I say "conditionally" because a check was made during firewall module
|
|
|
397dc2 |
initialization that tried executing a test command with the
|
|
|
397dc2 |
-w/--concurrent option, and only continued using it for actual
|
|
|
397dc2 |
commands if that test command completed successfully. At the time the
|
|
|
397dc2 |
code was added this was a reasonable thing to do, as it had been less
|
|
|
397dc2 |
than a year since introduction of -w to iptables, so many distros
|
|
|
397dc2 |
supported by libvirt were still using iptables (and possibly even
|
|
|
397dc2 |
ebtables) versions too old to have the new commandline options.
|
|
|
397dc2 |
|
|
|
397dc2 |
It is now 2020, and as far as I can discern from repology.org (and
|
|
|
397dc2 |
manually examining a RHEL7.9 system), every version of every distro
|
|
|
397dc2 |
that is supported by libvirt now uses new enough versions of both
|
|
|
397dc2 |
iptables and ebtables that they all have support for -w/--concurrent.
|
|
|
397dc2 |
That means we can finally remove the conditional code and simply
|
|
|
397dc2 |
always use them.
|
|
|
397dc2 |
|
|
|
397dc2 |
https://bugzilla.redhat.com/1607929
|
|
|
397dc2 |
|
|
|
397dc2 |
Signed-off-by: Laine Stump <laine@redhat.com>
|
|
|
397dc2 |
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
|
397dc2 |
(cherry picked from commit 0a867cd895f06134d24eb27070285bb4b50c088f)
|
|
|
397dc2 |
Message-Id: <20210116035151.1066734-4-laine@redhat.com>
|
|
|
397dc2 |
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
|
|
|
397dc2 |
---
|
|
|
397dc2 |
src/libvirt_private.syms | 1 -
|
|
|
397dc2 |
src/util/virfirewall.c | 64 ++------------------------------
|
|
|
397dc2 |
src/util/virfirewall.h | 2 -
|
|
|
397dc2 |
tests/networkxml2firewalltest.c | 2 -
|
|
|
397dc2 |
tests/nwfilterebiptablestest.c | 2 -
|
|
|
397dc2 |
tests/nwfilterxml2firewalltest.c | 2 -
|
|
|
397dc2 |
tests/virfirewalltest.c | 2 -
|
|
|
397dc2 |
7 files changed, 3 insertions(+), 72 deletions(-)
|
|
|
397dc2 |
|
|
|
397dc2 |
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
|
|
|
397dc2 |
index d6598c2514..edc53ce899 100644
|
|
|
397dc2 |
--- a/src/libvirt_private.syms
|
|
|
397dc2 |
+++ b/src/libvirt_private.syms
|
|
|
397dc2 |
@@ -2089,7 +2089,6 @@ virFirewallRuleAddArgList;
|
|
|
397dc2 |
virFirewallRuleAddArgSet;
|
|
|
397dc2 |
virFirewallRuleGetArgCount;
|
|
|
397dc2 |
virFirewallSetBackend;
|
|
|
397dc2 |
-virFirewallSetLockOverride;
|
|
|
397dc2 |
virFirewallStartRollback;
|
|
|
397dc2 |
virFirewallStartTransaction;
|
|
|
397dc2 |
|
|
|
397dc2 |
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
|
|
|
397dc2 |
index c2de2bccae..2e3b02402e 100644
|
|
|
397dc2 |
--- a/src/util/virfirewall.c
|
|
|
397dc2 |
+++ b/src/util/virfirewall.c
|
|
|
397dc2 |
@@ -97,59 +97,6 @@ virFirewallOnceInit(void)
|
|
|
397dc2 |
|
|
|
397dc2 |
VIR_ONCE_GLOBAL_INIT(virFirewall);
|
|
|
397dc2 |
|
|
|
397dc2 |
-static bool iptablesUseLock;
|
|
|
397dc2 |
-static bool ip6tablesUseLock;
|
|
|
397dc2 |
-static bool ebtablesUseLock;
|
|
|
397dc2 |
-static bool lockOverride; /* true to avoid lock probes */
|
|
|
397dc2 |
-
|
|
|
397dc2 |
-void
|
|
|
397dc2 |
-virFirewallSetLockOverride(bool avoid)
|
|
|
397dc2 |
-{
|
|
|
397dc2 |
- lockOverride = avoid;
|
|
|
397dc2 |
- if (avoid) {
|
|
|
397dc2 |
- /* add the lock option to all commands */
|
|
|
397dc2 |
- iptablesUseLock = true;
|
|
|
397dc2 |
- ip6tablesUseLock = true;
|
|
|
397dc2 |
- ebtablesUseLock = true;
|
|
|
397dc2 |
- }
|
|
|
397dc2 |
-}
|
|
|
397dc2 |
-
|
|
|
397dc2 |
-static void
|
|
|
397dc2 |
-virFirewallCheckUpdateLock(bool *lockflag,
|
|
|
397dc2 |
- const char *const*args)
|
|
|
397dc2 |
-{
|
|
|
397dc2 |
- int status; /* Ignore failed commands without logging them */
|
|
|
397dc2 |
- g_autoptr(virCommand) cmd = virCommandNewArgs(args);
|
|
|
397dc2 |
- if (virCommandRun(cmd, &status) < 0 || status) {
|
|
|
397dc2 |
- VIR_INFO("locking not supported by %s", args[0]);
|
|
|
397dc2 |
- } else {
|
|
|
397dc2 |
- VIR_INFO("using locking for %s", args[0]);
|
|
|
397dc2 |
- *lockflag = true;
|
|
|
397dc2 |
- }
|
|
|
397dc2 |
-}
|
|
|
397dc2 |
-
|
|
|
397dc2 |
-static void
|
|
|
397dc2 |
-virFirewallCheckUpdateLocking(void)
|
|
|
397dc2 |
-{
|
|
|
397dc2 |
- const char *iptablesArgs[] = {
|
|
|
397dc2 |
- IPTABLES_PATH, "-w", "-L", "-n", NULL,
|
|
|
397dc2 |
- };
|
|
|
397dc2 |
- const char *ip6tablesArgs[] = {
|
|
|
397dc2 |
- IP6TABLES_PATH, "-w", "-L", "-n", NULL,
|
|
|
397dc2 |
- };
|
|
|
397dc2 |
- const char *ebtablesArgs[] = {
|
|
|
397dc2 |
- EBTABLES_PATH, "--concurrent", "-L", NULL,
|
|
|
397dc2 |
- };
|
|
|
397dc2 |
- if (lockOverride)
|
|
|
397dc2 |
- return;
|
|
|
397dc2 |
- virFirewallCheckUpdateLock(&iptablesUseLock,
|
|
|
397dc2 |
- iptablesArgs);
|
|
|
397dc2 |
- virFirewallCheckUpdateLock(&ip6tablesUseLock,
|
|
|
397dc2 |
- ip6tablesArgs);
|
|
|
397dc2 |
- virFirewallCheckUpdateLock(&ebtablesUseLock,
|
|
|
397dc2 |
- ebtablesArgs);
|
|
|
397dc2 |
-}
|
|
|
397dc2 |
-
|
|
|
397dc2 |
static int
|
|
|
397dc2 |
virFirewallValidateBackend(virFirewallBackend backend)
|
|
|
397dc2 |
{
|
|
|
397dc2 |
@@ -197,8 +144,6 @@ virFirewallValidateBackend(virFirewallBackend backend)
|
|
|
397dc2 |
|
|
|
397dc2 |
currentBackend = backend;
|
|
|
397dc2 |
|
|
|
397dc2 |
- virFirewallCheckUpdateLocking();
|
|
|
397dc2 |
-
|
|
|
397dc2 |
return 0;
|
|
|
397dc2 |
}
|
|
|
397dc2 |
|
|
|
397dc2 |
@@ -363,16 +308,13 @@ virFirewallAddRuleFullV(virFirewallPtr firewall,
|
|
|
397dc2 |
|
|
|
397dc2 |
switch (rule->layer) {
|
|
|
397dc2 |
case VIR_FIREWALL_LAYER_ETHERNET:
|
|
|
397dc2 |
- if (ebtablesUseLock)
|
|
|
397dc2 |
- ADD_ARG(rule, "--concurrent");
|
|
|
397dc2 |
+ ADD_ARG(rule, "--concurrent");
|
|
|
397dc2 |
break;
|
|
|
397dc2 |
case VIR_FIREWALL_LAYER_IPV4:
|
|
|
397dc2 |
- if (iptablesUseLock)
|
|
|
397dc2 |
- ADD_ARG(rule, "-w");
|
|
|
397dc2 |
+ ADD_ARG(rule, "-w");
|
|
|
397dc2 |
break;
|
|
|
397dc2 |
case VIR_FIREWALL_LAYER_IPV6:
|
|
|
397dc2 |
- if (ip6tablesUseLock)
|
|
|
397dc2 |
- ADD_ARG(rule, "-w");
|
|
|
397dc2 |
+ ADD_ARG(rule, "-w");
|
|
|
397dc2 |
break;
|
|
|
397dc2 |
case VIR_FIREWALL_LAYER_LAST:
|
|
|
397dc2 |
break;
|
|
|
397dc2 |
diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h
|
|
|
397dc2 |
index 6148f46827..fda3cdec01 100644
|
|
|
397dc2 |
--- a/src/util/virfirewall.h
|
|
|
397dc2 |
+++ b/src/util/virfirewall.h
|
|
|
397dc2 |
@@ -111,6 +111,4 @@ void virFirewallStartRollback(virFirewallPtr firewall,
|
|
|
397dc2 |
|
|
|
397dc2 |
int virFirewallApply(virFirewallPtr firewall);
|
|
|
397dc2 |
|
|
|
397dc2 |
-void virFirewallSetLockOverride(bool avoid);
|
|
|
397dc2 |
-
|
|
|
397dc2 |
G_DEFINE_AUTOPTR_CLEANUP_FUNC(virFirewall, virFirewallFree);
|
|
|
397dc2 |
diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c
|
|
|
397dc2 |
index 0ad5e2303b..886b268319 100644
|
|
|
397dc2 |
--- a/tests/networkxml2firewalltest.c
|
|
|
397dc2 |
+++ b/tests/networkxml2firewalltest.c
|
|
|
397dc2 |
@@ -152,8 +152,6 @@ mymain(void)
|
|
|
397dc2 |
ret = -1; \
|
|
|
397dc2 |
} while (0)
|
|
|
397dc2 |
|
|
|
397dc2 |
- virFirewallSetLockOverride(true);
|
|
|
397dc2 |
-
|
|
|
397dc2 |
if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
|
|
|
397dc2 |
if (!hasNetfilterTools()) {
|
|
|
397dc2 |
fprintf(stderr, "iptables/ip6tables/ebtables tools not present");
|
|
|
397dc2 |
diff --git a/tests/nwfilterebiptablestest.c b/tests/nwfilterebiptablestest.c
|
|
|
397dc2 |
index e70f0e2400..adce7430a9 100644
|
|
|
397dc2 |
--- a/tests/nwfilterebiptablestest.c
|
|
|
397dc2 |
+++ b/tests/nwfilterebiptablestest.c
|
|
|
397dc2 |
@@ -510,8 +510,6 @@ mymain(void)
|
|
|
397dc2 |
{
|
|
|
397dc2 |
int ret = 0;
|
|
|
397dc2 |
|
|
|
397dc2 |
- virFirewallSetLockOverride(true);
|
|
|
397dc2 |
-
|
|
|
397dc2 |
if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
|
|
|
397dc2 |
if (!hasNetfilterTools()) {
|
|
|
397dc2 |
fprintf(stderr, "iptables/ip6tables/ebtables tools not present");
|
|
|
397dc2 |
diff --git a/tests/nwfilterxml2firewalltest.c b/tests/nwfilterxml2firewalltest.c
|
|
|
397dc2 |
index c97f83b24a..73f7991a96 100644
|
|
|
397dc2 |
--- a/tests/nwfilterxml2firewalltest.c
|
|
|
397dc2 |
+++ b/tests/nwfilterxml2firewalltest.c
|
|
|
397dc2 |
@@ -459,8 +459,6 @@ mymain(void)
|
|
|
397dc2 |
ret = -1; \
|
|
|
397dc2 |
} while (0)
|
|
|
397dc2 |
|
|
|
397dc2 |
- virFirewallSetLockOverride(true);
|
|
|
397dc2 |
-
|
|
|
397dc2 |
if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
|
|
|
397dc2 |
if (!hasNetfilterTools()) {
|
|
|
397dc2 |
fprintf(stderr, "iptables/ip6tables/ebtables tools not present");
|
|
|
397dc2 |
diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c
|
|
|
397dc2 |
index 195163a985..1ec768d302 100644
|
|
|
397dc2 |
--- a/tests/virfirewalltest.c
|
|
|
397dc2 |
+++ b/tests/virfirewalltest.c
|
|
|
397dc2 |
@@ -1141,8 +1141,6 @@ mymain(void)
|
|
|
397dc2 |
RUN_TEST_DIRECT(name, method)
|
|
|
397dc2 |
# endif /* ! WITH_DBUS */
|
|
|
397dc2 |
|
|
|
397dc2 |
- virFirewallSetLockOverride(true);
|
|
|
397dc2 |
-
|
|
|
397dc2 |
RUN_TEST("single group", testFirewallSingleGroup);
|
|
|
397dc2 |
RUN_TEST("remove rule", testFirewallRemoveRule);
|
|
|
397dc2 |
RUN_TEST("many groups", testFirewallManyGroups);
|
|
|
397dc2 |
--
|
|
|
397dc2 |
2.30.0
|
|
|
397dc2 |
|