Juan Quintela noticed that when he restarted libvirt he was getting
extra iptables rules added by libvirt even though he didn't have any
libvirt networks that used iptables rules. It turns out this also
happens if the firewalld service is restarted. The extra rules are
just the private chains, and they're sometimes being added
unnecessarily because they are added separately in a global
networkPreReloadFirewallRules() that does the init if there are any
active networks, regardless of whether or not any of those networks
will actually add rules to the host firewall.

The fix is to change the check for "any active networks" to instead
check for "any active networks that add firewall rules".

(NB: although the timing seems suspicious, this isn't a new regression
caused by the recently pushed f5418b427 (which forces recreation of
private chains when firewalld is restarted); it was an existing bug
since iptables rules were first put into private chains, even after
commit c6cbe18771 delayed creation of the private chains. The
implication is that any downstream based on v5.1.0 or later that cares
about these extraneous (but harmless) private chains would want to
backport this patch (along with the other two if they aren't already
there))

Signed-off-by: Laine Stump <la...@redhat.com>
---
 src/network/bridge_driver_linux.c | 49 ++++++++++++++++++++++++-------
 1 file changed, 38 insertions(+), 11 deletions(-)

diff --git a/src/network/bridge_driver_linux.c 
b/src/network/bridge_driver_linux.c
index b0bd207250..4145411b4b 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -91,28 +91,55 @@ static void networkSetupPrivateChains(void)
 
 
 static int
-networkHasRunningNetworksHelper(virNetworkObjPtr obj,
+networkHasRunningNetworksWithFWHelper(virNetworkObjPtr obj,
                                 void *opaque)
 {
-    bool *running = opaque;
+    bool *activeWithFW = opaque;
 
     virObjectLock(obj);
-    if (virNetworkObjIsActive(obj))
-        *running = true;
+    if (virNetworkObjIsActive(obj)) {
+        virNetworkDefPtr def = virNetworkObjGetDef(obj);
+
+        switch ((virNetworkForwardType) def->forward.type) {
+        case VIR_NETWORK_FORWARD_NONE:
+        case VIR_NETWORK_FORWARD_NAT:
+        case VIR_NETWORK_FORWARD_ROUTE:
+            *activeWithFW = true;
+            break;
+
+        case VIR_NETWORK_FORWARD_OPEN:
+        case VIR_NETWORK_FORWARD_BRIDGE:
+        case VIR_NETWORK_FORWARD_PRIVATE:
+        case VIR_NETWORK_FORWARD_VEPA:
+        case VIR_NETWORK_FORWARD_PASSTHROUGH:
+        case VIR_NETWORK_FORWARD_HOSTDEV:
+        case VIR_NETWORK_FORWARD_LAST:
+            break;
+        }
+    }
+
     virObjectUnlock(obj);
 
+    /*
+     * terminate ForEach early once we find an active network that
+     * adds Firewall rules (return status is ignored)
+     */
+    if (*activeWithFW)
+        return -1;
+
     return 0;
 }
 
 
 static bool
-networkHasRunningNetworks(virNetworkDriverStatePtr driver)
+networkHasRunningNetworksWithFW(virNetworkDriverStatePtr driver)
 {
-    bool running = false;
+    bool activeWithFW = false;
+
     virNetworkObjListForEach(driver->networks,
-                             networkHasRunningNetworksHelper,
-                             &running);
-    return running;
+                             networkHasRunningNetworksWithFWHelper,
+                             &activeWithFW);
+    return activeWithFW;
 }
 
 
@@ -150,8 +177,8 @@ networkPreReloadFirewallRules(virNetworkDriverStatePtr 
driver,
         networkSetupPrivateChains();
 
     } else {
-        if (!networkHasRunningNetworks(driver)) {
-            VIR_DEBUG("Delayed global rule setup as no networks are running");
+        if (!networkHasRunningNetworksWithFW(driver)) {
+            VIR_DEBUG("Delayed global rule setup as no networks with firewall 
rules are running");
             return;
         }
 
-- 
2.25.4

Reply via email to