Re: [libvirt] [TCK] [PATCH] Add --physdev-is-bridged to test cases

2013-02-14 Thread Stefan Berger

On 01/24/2013 11:34 AM, Stefan Berger wrote:
> Follow recent changes in libvirt and add --physdev-is-bridged to test cases
> where needed.

This gets a lot of test cases passing again after the change in libvirt.

Anyone got a spare ACK?

  Stefan

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list


Re: [libvirt] [TCK] [PATCH] Add --physdev-is-bridged to test cases

2013-02-14 Thread Eric Blake
On 02/14/2013 03:04 PM, Stefan Berger wrote:
> On 01/24/2013 11:34 AM, Stefan Berger wrote:
>> Follow recent changes in libvirt and add --physdev-is-bridged to test
>> cases where needed.
>
> This gets a lot of test cases passing again after the change in libvirt.
>
> Anyone got a spare ACK?

Looks like Laine gave it an ack in January:
https://www.redhat.com/archives/libvir-list/2013-January/msg01812.html

I also agree with the patch.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org




Re: [libvirt] [TCK] [PATCH] Add --physdev-is-bridged to test cases

2013-02-14 Thread Stefan Berger

On 01/24/2013 12:48 PM, Laine Stump wrote:
> On 01/24/2013 11:34 AM, Stefan Berger wrote:
>> Follow recent changes in libvirt and add --physdev-is-bridged to test cases
>> where needed.
>
> ACK. (Does this mean that new libvirt-tck will fail when run against an
> older libvirt, though?)

I hadn't seen this message.
Yes, due to other rules now being generated the effect will be that
previous versions of libvirt will fail that test.

> By the way, when the patch went into libvirt, the person who posted it
> mentioned that when restarting libvirtd after the first upgrade with
> that patch, the existing rules wouldn't get removed because they
> wouldn't be an exact match to what libvirt was trying to remove:
>
> On 01/18/2013 02:44 AM, Reinier Schoof wrote:
>> On a side note, please be aware that when upgrading to a libvirt
>> version with this patch included, libvirt will not be able to remove
>> the earlier ip(6)tables rules without the '--physdev-is-bridged'
>> addition. When restarting libvirt, it will look for rules that match
>> with '--physdev-is-bridged' and since that wasn't there before, you'll
>> end up with a duplicate/malfunctioning ruleset. You'll have to remove
>> these rules/chains manually.
>
> Is this actually a problem? I had thought that nwfilter always removed
> entire chains instead of individual rules.

It will leave a stray rule and a user-defined table behind. I hadn't
tested an update and didn't think of this problem. Let me see how I can
solve this...


Stefan


Re: [libvirt] [TCK] [PATCH] Add --physdev-is-bridged to test cases

2013-02-14 Thread Stefan Berger

On 02/14/2013 05:25 PM, Stefan Berger wrote:
> On 01/24/2013 12:48 PM, Laine Stump wrote:
>> On 01/24/2013 11:34 AM, Stefan Berger wrote:
>>> Follow recent changes in libvirt and add --physdev-is-bridged to
>>> test cases where needed.
>>
>> ACK. (Does this mean that new libvirt-tck will fail when run against an
>> older libvirt, though?)
>
> I hadn't seen this message.
> Yes, due to other rules now being generated the effect will be that
> previous versions of libvirt will fail that test.
>
>> By the way, when the patch went into libvirt, the person who posted it
>> mentioned that when restarting libvirtd after the first upgrade with
>> that patch, the existing rules wouldn't get removed because they
>> wouldn't be an exact match to what libvirt was trying to remove:
>>
>> On 01/18/2013 02:44 AM, Reinier Schoof wrote:
>>> On a side note, please be aware that when upgrading to a libvirt
>>> version with this patch included, libvirt will not be able to remove
>>> the earlier ip(6)tables rules without the '--physdev-is-bridged'
>>> addition. When restarting libvirt, it will look for rules that match
>>> with '--physdev-is-bridged' and since that wasn't there before, you'll
>>> end up with a duplicate/malfunctioning ruleset. You'll have to remove
>>> these rules/chains manually.
>>
>> Is this actually a problem? I had thought that nwfilter always removed
>> entire chains instead of individual rules.
>
> It will leave a stray rule and a user-defined table behind. I hadn't
> tested an update and didn't think of this problem. Let me see how I
> can solve this...

Ok, so here is a solution:

---
 src/nwfilter/nwfilter_ebiptables_driver.c |   22 ++
 1 file changed, 22 insertions(+)

Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -167,16 +167,24 @@ static const char ebiptables_script_set_

 #define PHYSDEV_IN  --physdev-in
 #define PHYSDEV_OUT --physdev-is-bridged --physdev-out
+/*
+ * Previous versions of libvirt only used --physdev-out.
+ * To be able to upgrade with running VMs we need to be able
+ * to remove rules generated by older versions of libvirt.
+ */
+#define PHYSDEV_OUT_OLD  --physdev-out

 static const char *m_state_out_str   = -m state --state NEW,ESTABLISHED;
 static const char *m_state_in_str= -m state --state ESTABLISHED;
 static const char *m_physdev_in_str  = -m physdev  PHYSDEV_IN;
 static const char *m_physdev_out_str = -m physdev  PHYSDEV_OUT;
+static const char *m_physdev_out_old_str = -m physdev  PHYSDEV_OUT_OLD;

 #define MATCH_STATE_OUTm_state_out_str
 #define MATCH_STATE_IN m_state_in_str
 #define MATCH_PHYSDEV_IN   m_physdev_in_str
 #define MATCH_PHYSDEV_OUT  m_physdev_out_str
+#define MATCH_PHYSDEV_OUT_OLD  m_physdev_out_old_str

 #define COMMENT_VARNAME comment

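Review bot: The comment above PHYSDEV_OUT_OLD should say that this match string is for deleting rules only and must never be used to create one, and should name the libvirt release that started adding --physdev-is-bridged. As written, "Previous versions of libvirt" gives no cut-off, so a later reader cannot tell when PHYSDEV_OUT_OLD, m_physdev_out_old_str and MATCH_PHYSDEV_OUT_OLD can be dropped, and nothing marks the three new names as removal-only next to the live ones.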
@@ -821,6 +829,8 @@ _iptablesUnlinkRootChain(virBufferPtr bu
 : CHAINPREFIX_HOST_OUT;
 const char *match = (incoming) ? MATCH_PHYSDEV_IN
: MATCH_PHYSDEV_OUT;
+const char *old_match = (incoming) ? NULL
+   : MATCH_PHYSDEV_OUT_OLD;

 PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);

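Review bot: The NULL that old_match gets for the incoming direction needs a one-line comment at the declaration. The reason for it (only PHYSDEV_OUT changed, PHYSDEV_IN is the same string as before) is visible only from the #define block further up, and the NULL is the sentinel the later if (old_match) test depends on.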
@@ -830,6 +840,18 @@ _iptablesUnlinkRootChain(virBufferPtr bu
   basechain,
   match, ifname, chain);

+/*
+ * Previous versions of libvirt may have created a rule
+ * with the --physdev-is-bridged missing. Remove this one
+ * as well.
+ */
+if (old_match)
+virBufferAsprintf(buf,
+  $IPT -D %s 
+  %s %s -g %s CMD_SEPARATOR,
+  basechain,
+  old_match, ifname, chain);
+
 return 0;
 }

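Review bot: The second $IPT -D inside if (old_match) is emitted on every unlink of an outgoing root chain, so on a host that only ever had the --physdev-is-bridged form it asks for the deletion of a rule that is not there. Please confirm that a failing -D at this point is tolerated the same way the first -D is when its rule is absent, and that it neither aborts the generated script nor surfaces an error to the caller. The body of if (old_match) is one statement spread over five lines, so braces around it would make its extent clear.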

I am guilty of breaking the upgrade path. I'll try this patch some more 
and then post it separately...


   Stefan
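
Added example, not part of the thread or of libvirt: a shell audit for the upgrade leftover discussed above. It reads `iptables -S` text, reports `libvirt-out` rules that match `--physdev-out` without `--physdev-is-bridged`, and prints (does not run) the exact-match `-D` command for each, following the `$IPT -D ... -g ...` form in the patch. The sample ruleset and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample (not captured from a real host): vnet0 carries both the
# pre-upgrade and the post-upgrade rule, vnet1 only the post-upgrade one.
SAMPLE_RULES='-N libvirt-out
-N FO-vnet0
-N FO-vnet1
-A FORWARD -j libvirt-out
-A libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0
-A libvirt-out -m physdev --physdev-out vnet0 --physdev-is-bridged -g FO-vnet0
-A libvirt-out -m physdev --physdev-out vnet1 --physdev-is-bridged -g FO-vnet1'

# Read `iptables -S` text on stdin and print "<ifname> <-g|-j> <chain>" for
# every libvirt-out rule that has --physdev-out but no --physdev-is-bridged.
# Tokens are checked one by one, so the order of the options does not matter.
find_legacy_rules() {
    awk '
    $1 == "-A" && $2 == "libvirt-out" {
        ifname = ""; flag = ""; chain = ""; bridged = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "--physdev-out" && i < NF) {
                ifname = $(i + 1)
            } else if ($i == "--physdev-is-bridged") {
                bridged = 1
            } else if (($i == "-g" || $i == "-j") && i < NF) {
                flag = $i; chain = $(i + 1)
            }
        }
        if (ifname != "" && chain != "" && !bridged) print ifname, flag, chain
    }'
}

# Turn each finding into the exact-match delete the old rule needs.
# $1 is the binary name to print (iptables or ip6tables); nothing is executed.
cleanup_commands() {
    ipt=$1
    find_legacy_rules | while read -r ifname flag chain; do
        printf '%s -D libvirt-out -m physdev --physdev-out %s %s %s\n' \
            "$ipt" "$ifname" "$flag" "$chain"
    done
}

# Demo on the constructed sample: only the vnet0 leftover is reported.
printf '%s\n' "$SAMPLE_RULES" | cleanup_commands iptables
```

On an upgraded host, feed it the output of `iptables -S` and `ip6tables -S` and review the printed commands before running any of them.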


[libvirt] [TCK] [PATCH] Add --physdev-is-bridged to test cases

2013-01-24 Thread Stefan Berger
Follow recent changes in libvirt and add --physdev-is-bridged to test cases 
where needed.

---
 scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall |2 +-
 scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall  |2 +-
 scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall|2 +-
 scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall |2 +-
 scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall |8 

 scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall   |2 +-
 scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall|2 +-
 scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall |2 +-
 scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall|8 

 scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall  |2 +-
 scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall |2 +-
 scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall |2 +-
 scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall|2 +-
 scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall  |2 +-
 scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall|2 +-
 scripts/nwfilter/nwfilterxml2fwallout/ipset-test.fwall   |2 +-
 scripts/nwfilter/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall |2 +-
 scripts/nwfilter/nwfilterxml2fwallout/iter-test1.fwall   |2 +-
 scripts/nwfilter/nwfilterxml2fwallout/iter-test2.fwall   |2 +-
 scripts/nwfilter/nwfilterxml2fwallout/iter-test3.fwall   |2 +-
 scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall   |2 +-
 scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall|2 +-
 scripts/nwfilter/nwfilterxml2fwallout/target-test.fwall  |2 +-
 scripts/nwfilter/nwfilterxml2fwallout/target-test2.fwall |2 +-
 scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall|2 +-
 scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall |2 +-
 scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat   |4 ++--
 scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall|2 +-
 scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall |2 +-
 scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall|2 +-
 scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall |2 +-
 31 files changed, 38 insertions(+), 38 deletions(-)

Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall
===
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall
@@ -25,4 +25,4 @@ FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV ma
 #ip6tables -L libvirt-in-post -n | grep vnet0
 ACCEPT all  ::/0 ::/0PHYSDEV match 
--physdev-in vnet0 
 #ip6tables -L libvirt-out -n | grep vnet0 | tr -s  
-FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0 
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0 
--physdev-is-bridged
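Review bot: The expected FO-vnet0 line now matches only what a libvirt with the --physdev-is-bridged change produces, so this test, and the others changed the same way, will fail against an older libvirt. The commit message should state the minimum libvirt version the updated .fwall files expect, or the comparison should accept both forms of the libvirt-out line if the TCK is meant to run against older releases.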
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall
===
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall
@@ -23,4 +23,4 @@ FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [got
 #iptables -L libvirt-in-post -n | grep vnet0
 ACCEPT all  --  0.0.0.0/00.0.0.0/0   PHYSDEV match 
--physdev-in vnet0 
 #iptables -L libvirt-out -n | grep vnet0 | tr -s  
-FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 
--physdev-is-bridged
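Review bot: The new expected line puts --physdev-is-bridged after "--physdev-out vnet0", which is the order "iptables -L libvirt-out -n" happens to print the physdev options in, not an order the test controls. Noting that dependency in the commit message, or comparing in a way that does not depend on option order, would keep the expectation from breaking if the listing format changes.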
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall
===
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall
@@ -25,7 +25,7 @@ FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV ma
 #ip6tables -L libvirt-in-post -n | grep vnet0
 ACCEPT all  ::/0 ::/0PHYSDEV match 
--physdev-in vnet0 
 #ip6tables -L libvirt-out -n | grep vnet0 | tr -s  
-FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0 
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0 
--physdev-is-bridged
 #ip6tables -L FORWARD --line-number | grep libvirt
 1libvirt-in  all  anywhere anywhere
 2libvirt-out  all  anywhere anywhere
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall
===
--- 

Re: [libvirt] [TCK] [PATCH] Add --physdev-is-bridged to test cases

2013-01-24 Thread Laine Stump
On 01/24/2013 11:34 AM, Stefan Berger wrote:
> Follow recent changes in libvirt and add --physdev-is-bridged to test cases
> where needed.

ACK. (Does this mean that new libvirt-tck will fail when run against an
older libvirt, though?)

By the way, when the patch went into libvirt, the person who posted it
mentioned that when restarting libvirtd after the first upgrade with
that patch, the existing rules wouldn't get removed because they
wouldn't be an exact match to what libvirt was trying to remove:

On 01/18/2013 02:44 AM, Reinier Schoof wrote:
> On a side note, please be aware that when upgrading to a libvirt
> version with this patch included, libvirt will not be able to remove
> the earlier ip(6)tables rules without the '--physdev-is-bridged'
> addition. When restarting libvirt, it will look for rules that match
> with '--physdev-is-bridged' and since that wasn't there before, you'll
> end up with a duplicate/malfunctioning ruleset. You'll have to remove
> these rules/chains manually.

Is this actually a problem? I had thought that nwfilter always removed
entire chains instead of individual rules.
