- 16 4月, 2019 1 次提交
-
-
由 Daniel P. Berrangé 提交于
Since: commit 9f4e35dc Author: Daniel P. Berrangé <berrange@redhat.com> Date: Mon Mar 18 17:31:21 2019 +0000 network: improve error report when firewall chain creation fails We cache an error when failing to create the top level firewall chains. This commit failed to account for fact that we may invoke networkPreReloadFirewallRules() many times while libvirtd is running. For example when firewalld is restarted. When this happens the original failure may no longer occurr and we'll successfully create our top level chains. We failed to clear the cached error resulting in us failing to start virtual networks. Reviewed-by: NLaine Stump <laine@laine.org> Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
- 12 4月, 2019 2 次提交
-
-
由 Andrea Bolognani 提交于
Vim has trouble figuring out the filetype automatically because the name doesn't follow existing conventions; annotations like the ones we already have in Makefile.ci help it out. Signed-off-by: NAndrea Bolognani <abologna@redhat.com> Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
-
由 Cole Robinson 提交于
Standardize on putting the _LAST enum value on the second line of VIR_ENUM_IMPL invocations. Later patches that add string labels to VIR_ENUM_IMPL will push most of these to the second line anyways, so this saves some noise. Signed-off-by: NCole Robinson <crobinso@redhat.com>
-
- 10 4月, 2019 3 次提交
-
-
由 Peter Krempa 提交于
This reverts commit a5e16020. Getting rid of unistd.h from our headers will require more work than just fixing the broken mingw build. Revert it until I have a more complete proposal. Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
-
由 Peter Krempa 提交于
util/virutil.h bogously included unistd.h. Drop it and replace it by including it directly where needed. Signed-off-by: NPeter Krempa <pkrempa@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
由 Peter Krempa 提交于
virutil.(c|h) is a very gross collection of random code. Remove the enum handlers from there so we can limit the scope where virtutil.h is used. Signed-off-by: NPeter Krempa <pkrempa@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
- 19 3月, 2019 3 次提交
-
-
由 Daniel P. Berrangé 提交于
The unprivileged libvirtd does not have permission to create firewall rules, or bridge devices, or do anything to the host network in general. Historically we still activate the network driver though and let the network start API call fail. The startup code path which reloads firewall rules on active networks would thus effectively be a no-op when unprivileged as it is impossible for there to be any active networks With the change to use a global set of firewall chains, however, we now have code that is run unconditionally. Ideally we would not register the network driver at all when unprivileged, but the entanglement with the virt drivers currently makes that impractical. As a temporary hack, we just make the firewall reload into a no-op. Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
由 Daniel P. Berrangé 提交于
During startup libvirtd creates top level chains for both ipv4 and ipv6 protocols. If this fails for any reason then startup of virtual networks is blocked. The default virtual network, however, only requires use of ipv4 and some servers have ipv6 disabled so it is expected that ipv6 chain creation will fail. There could equally be servers with no ipv4, only ipv6. This patch thus makes error reporting a little more fine grained so that it works more sensibly when either ipv4 or ipv6 is disabled on the server. Only the protocols that are actually used by the virtual network have errors reported. Reviewed-by: NAndrea Bolognani <abologna@redhat.com> Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
由 Daniel P. Berrangé 提交于
During startup we create some top level chains in which all virtual network firewall rules will be placed. The upfront creation is done to avoid slowing down creation of individual virtual networks by checking for chain existance every time. There are some factors which can cause this upfront creation to fail and while a message will get into the libvirtd log this won't be seen by users who later try to start a virtual network. Instead they'll just get a message saying that the libvirt top level chain does not exist. This message is accurate, but unhelpful for solving the root cause. This patch thus saves any error during daemon startup and reports it when trying to create a virtual network later. Reviewed-by: NAndrea Bolognani <abologna@redhat.com> Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
- 14 3月, 2019 1 次提交
-
-
由 Andrea Bolognani 提交于
According to the official documentation for autoconf[1], the correct names for these variables are abs_top_{src,build}dir rather than abs_top{src,build}dir; in fact, we're already using the correct names in various places, so let's just make everything nice and consistent. [1] https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Preset-Output-Variables.htmlSigned-off-by: NAndrea Bolognani <abologna@redhat.com> Reviewed-by: NMartin Kletzander <mkletzan@redhat.com>
-
- 06 3月, 2019 1 次提交
-
-
由 Michal Privoznik 提交于
https://bugzilla.redhat.com/show_bug.cgi?id=1685151 This reverts commit cefb97fb. The stateAutoStart callback will be removed in the next commit. Therefore move autostarting of domains, networks and storage pools back into stateInitialize callbacks. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
- 22 2月, 2019 1 次提交
-
-
由 Laine Stump 提交于
dnsmasq documentation says that the *IPv4* prefix/network address/broadcast address sent to dhcp clients will be automatically determined by dnsmasq by looking at the interface it's listening on, so the original libvirt code did not add a netmask to the dnsmasq commandline (or later, the dnsmasq conf file). For *IPv6* however, dnsmasq apparently cannot automatically determine the prefix (functionally the same as a netmask), and it must be explicitly provided in the conf file (as a part of the dhcp-range option). So many years after IPv4 DHCP support had been added, when IPv6 dhcp support was added the prefix was included at the end of the dhcp-range setting, but only for IPv6. A user had reported a bug on a host where one of the interfaces was a superset of the libvirt network where dhcp is needed (e.g., the host's ethernet is 10.0.0.20/8, and the libvirt network is 10.10.0.1/24). For some reason dnsmasq was supplying the netmask for the /8 network to clients requesting an address on the /24 interface. This seems like a bug in dnsmasq, but even if/when it gets fixed there, it looks like there is no harm in just always adding the netmask to all IPv4 dhcp-range options similar to how prefix is added to all IPv6 dhcp-range options. Signed-off-by: NLaine Stump <laine@laine.org> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
- 15 2月, 2019 1 次提交
-
-
由 Laine Stump 提交于
The libvirt zonefile for firewalld (added in commit 3b71f2e4) does the following: 1) lists specific services it wants to allow, then 2) uses a lower priority <reject/> rule to block all other services to the host, and then finally, 3) relies on the zone's default "accept" policy to, accept all forwarded traffic (since forwarded traffic is ignored by the slightly higher priority <reject/> rule in (2)). I had assumed that icmp traffic was either being allowed at the top of the rules, or that it would be ignored by the <reject/> rule and passed by the default accept policy (similar to forwarded traffic), but this assumption was incorrect; the <reject/> rule does block icmp traffic. This became apparent when DHCPv6 which requires ICMPv6 in addition to udp/dhcpv6) failed to work. This all means that in order to achieve our original goal of "similar behavior to a default reject policy, but also allowing forwarded traffic", we need to add rules to allow all icmp and icmpv6 traffic to the libvirt zone, and that's what this patch does. This is a further refinement of the resolution to https://bugzilla.redhat.com/1650320Signed-off-by: NLaine Stump <laine@laine.org> Acked-by: NEric Garver <eric@garver.life>
-
- 04 2月, 2019 1 次提交
-
-
由 Cole Robinson 提交于
Missing semicolon at the end of macros can confuse some analyzers (like cppcheck <filename>), and we have a mix of semicolon and non-semicolon usage through the code. Let's standardize on using a semicolon for VIR_ENUM_IMPL calls. Move the verify() statement to the end of the macro and drop the semicolon, so the compiler will require callers to add a semicolon. While we are touching these call sites, standardize on putting the closing parenth on its own line, as discussed here: https://www.redhat.com/archives/libvir-list/2019-January/msg00750.htmlReviewed-by: NJohn Ferlan <jferlan@redhat.com> Signed-off-by: NCole Robinson <crobinso@redhat.com>
-
- 02 2月, 2019 4 次提交
-
-
由 Laine Stump 提交于
Since we're setting the zone anyway, it will be useful to allow setting a different (custom) zone for each network. This will be done by adding a "zone" attribute to the "bridge" element, e.g.: ... <bridge name='virbr0' zone='myzone'/> ... If a zone is specified in the config and it can't be honored, this will be an error. Signed-off-by: NLaine Stump <laine@laine.org> Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
-
由 Laine Stump 提交于
This patch restores broken guest network connectivity after a host firewalld is switched to using an nftables backend. It does this by adding libvirt networks' bridge interfaces to the new "libvirt" zone in firewalld. After this patch, the bridge interface of any network created by libvirt (when firewalld is active) will be added to the firewalld zone called "libvirt" if it exists (regardless of the firewalld backend setting). This behavior does *not* depend on whether or not libvirt has installed the libvirt zone file (set with "--with[out]-firewalld-zone" during the configure phase of the package build). If the libvirt zone doesn't exist (either because the package was configured to not install it, or possibly it was installed, but firewalld doesn't support rule priorities, resulting in a parse error), the bridge will remain in firewalld's default zone, which could be innocuous (in the case that the firewalld backend is iptables, guest networking will still function properly with the bridge in the default zone), or it could be disastrous (if the firewalld backend is nftables, we can be assured that guest networking will fail). In order to be unobtrusive in the former case, and informative in the latter, when the libvirt zone doesn't exist we then check the firewalld version to see if it's new enough to support the nftables backend, and then if the backend is actually set to nftables, before logging an error (and failing the net-start operation, since the network couldn't possibly work anyway). When the libvirt zone is used, network behavior is *slightly* different from behavior of previous libvirt. In the past, libvirt network behavior would be affected by the configuration of firewalld's default zone (usually "public"), but now it is affected only by the "libvirt" zone), and thus almost surely warrants a release note for any distro upgrading to libvirt 5.1 or above. Although it's unfortunate that we have to deal with a mandatory behavior change, the architecture of multiple hooks makes it impossible to *not* change behavior in some way, and the new behavior is arguably better (since it will now be possible to manage access to the host from virtual machines vs from public interfaces separately). Creates-and-Resolves: https://bugzilla.redhat.com/1650320 Resolves: https://bugzilla.redhat.com/1638342Signed-off-by: NLaine Stump <laine@laine.org> Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
-
由 Laine Stump 提交于
In the past (when both libvirt and firewalld used iptables), if either libvirt's rules *OR* firewalld's rules accepted a packet, it would be accepted. This was because libvirt and firewalld rules were processed during the same kernel hook, and a single ACCEPT result would terminate the rule traversal and cause the packet to be accepted. But now firewalld can use nftables for its backend, while libvirt's firewall rules are still using iptables; iptables rules are still processed, but at a different time during packet processing (i.e. during a different hook) than the firewalld nftables rules. The result is that a packet must be accepted by *BOTH* the libvirt iptables rules *AND* the firewalld nftable rules in order to be accepted. This causes pain because 1) libvirt always adds rules to permit DNS and DHCP (and sometimes TFTP) from guests to the host network's bridge interface. But libvirt's bridges are in firewalld's "default" zone (which is usually the zone called "public"). The public zone allows ssh, but doesn't allow DNS, DHCP, or TFTP. So even though libvirt's rules allow the DHCP and DNS traffic, the firewalld rules (now processed during a different hook) dont, thus guests connected to libvirt's bridges can't acquire an IP address from DHCP, nor can they make DNS queries to the DNS server libvirt has setup on the host. (This could be solved by modifying the default firewalld zone to allow DNS and DHCP, but that would open *all* interfaces in the default zone to those services, which is most likely not what the host's admin wants.) 2) Even though libvirt adds iptables rules to allow forwarded traffic to pass the iptables hook, firewalld's higher level "rich rules" don't yet have the ability to configure the acceptance of forwarded traffic (traffic that is going somewhere beyond the host), so any traffic that needs to be forwarded from guests to the network beyond the host is rejected during the nftables hook by the default zone's "default reject" policy (which rejects all traffic in the zone not specifically allowed by the rules in the zone, whether that traffic is destined to be forwarded or locally received by the host). libvirt can't send "direct" nftables rules (firewalld only supports direct/passthrough rules for iptables), so we can't solve this problem by just sending explicit nftables rules instead of explicit iptables rules (which, if it could be done, would place libvirt's rules in the same hook as firewalld's native rules, and thus eliminate the need for packets to be accepted by both libvirt's and firewalld's own rules). However, we can take advantage of a quirk in firewalld zones that have a default policy of "accept" (meaning any packet that doesn't match a specific rule in the zone will be *accepted*) - this default accept will also accept forwarded traffic (not just traffic destined for the host). Of course we don't want to modify firewalld's default zone in that way, because that would affect the filtering of traffic coming into the host from other interfaces using that zone. Instead, we will create a new zone called "libvirt". The libvirt zone will have a default policy of accept so that forwarded traffic can pass and list specific services that will be allowed into the host from guests (DNS, DHCP, SSH, and TFTP). But the same default accept policy that fixes forwarded traffic also causes *all* traffic from guest to host to be accepted. To close this new hole, the libvirt zone can take advantage of a new feature in firewalld (currently slated for firewalld-0.7.0) - priorities for rich rules - to add a low priority rule that rejects all local traffic (but leaves alone all forwarded traffic). So, our new zone will start with a list of services that are allowed (dhcp, dns, tftp, and ssh to start, but configurable via any firewalld management application, or direct editing of the zone file in /etc/firewalld/zones/libvirt.xml), followed by a low priority <reject/> rule (to reject all other traffic from guest to host), and finally with a default policy of accept (to allow forwarded traffic). This patch only creates the zonefile for the new zone, and implements a configure.ac option to selectively enable/disable installation of the new zone. A separate patch contains the necessary code to actually place bridge interfaces in the libvirt zone. Why do we need a configure option to disable installation of the new libvirt zone? It uses a new firewalld attribute that sets the priority of a rich rule; this feature first appears in firewalld-0.7.0 (unless it has been backported to am earlier firewalld by a downstream maintainer). If the file were installed on a system with firewalld that didn't support rule priorities, firewalld would log an error every time it restarted, causing confusion and lots of extra bug reports. So we add two new configure.ac switches to avoid polluting the system logs with this error on systems that don't support rule priorities - "--with-firewalld-zone" and "--without-firewalld-zone". A package builder can use these to include/exclude the libvirt zone file in the installation. If firewalld is enabled (--with-firewalld), the default is --with-firewalld-zone, but it can be disabled during configure (using --without-firewalld-zone). Targets that are using a firewalld version too old to support the rule priority setting in the libvirt zone file can simply add --without-firewalld-zone to their configure commandline. These switches only affect whether or not the libvirt zone file is *installed* in /usr/lib/firewalld/zones, but have no effect on whether or not libvirt looks for a zone called libvirt and tries to use it. NB: firewalld zones can only be added to the permanent config of firewalld, and won't be loaded/enabled until firewalld is restarted, so at package install/upgrade time we have to restart firewalld. For rpm-based distros, this is done in the libvirt.spec file by calling the %firewalld_restart rpm macro, which is a part of the firewalld-filesystem package. (For distros that don't use rpm packages, the command "firewalld-cmd --reload" will have the same effect). Signed-off-by: NLaine Stump <laine@laine.org> Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
-
由 Laine Stump 提交于
Support for firewalld is a feature that can be selectively enabled or disabled (using --with-firewalld/--without-firewalld), not merely something that must be accounted for in the code if it is present with no exceptions. It is more consistent with other usage in libvirt to use WITH_FIREWALLD rather than HAVE_FIREWALLD. Signed-off-by: NLaine Stump <laine@laine.org> Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
-
- 01 2月, 2019 1 次提交
-
-
由 Casey Callendrello 提交于
This adds an additional directive to the dnsmasq configuration file that notifies clients via dhcp about the link's MTU. Guests can then choose adjust their link accordingly. Signed-off-by: NCasey Callendrello <cdc@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com> Signed-off-by: NJán Tomko <jtomko@redhat.com>
-
- 29 1月, 2019 3 次提交
-
-
由 Daniel P. Berrangé 提交于
The previous commit created new chains to hold the firewall rules. This commit changes the code that creates rules to place them in the new private chains instead of the builtin top level chains. With two networks running, the rules in the filter table now look like -N LIBVIRT_FWI -N LIBVIRT_FWO -N LIBVIRT_FWX -N LIBVIRT_INP -N LIBVIRT_OUT -A INPUT -j LIBVIRT_INP -A FORWARD -j LIBVIRT_FWX -A FORWARD -j LIBVIRT_FWI -A FORWARD -j LIBVIRT_FWO -A OUTPUT -j LIBVIRT_OUT -A LIBVIRT_FWI -d 192.168.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable -A LIBVIRT_FWI -d 192.168.1.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable -A LIBVIRT_FWO -s 192.168.0.0/24 -i virbr0 -j ACCEPT -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable -A LIBVIRT_FWO -s 192.168.1.0/24 -i virbr1 -j ACCEPT -A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT -A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT -A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT -A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT -A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT -A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT -A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT While in the nat table: -N LIBVIRT_PRT -A POSTROUTING -j LIBVIRT_PRT -A LIBVIRT_PRT -s 192.168.0.0/24 -d 224.0.0.0/24 -j RETURN -A LIBVIRT_PRT -s 192.168.0.0/24 -d 255.255.255.255/32 -j RETURN -A LIBVIRT_PRT -s 192.168.0.0/24 ! -d 192.168.0.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 -A LIBVIRT_PRT -s 192.168.0.0/24 ! -d 192.168.0.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 -A LIBVIRT_PRT -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j MASQUERADE -A LIBVIRT_PRT -s 192.168.1.0/24 -d 224.0.0.0/24 -j RETURN -A LIBVIRT_PRT -s 192.168.1.0/24 -d 255.255.255.255/32 -j RETURN -A LIBVIRT_PRT -s 192.168.1.0/24 ! -d 192.168.1.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 -A LIBVIRT_PRT -s 192.168.1.0/24 ! -d 192.168.1.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 -A LIBVIRT_PRT -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE And finally the mangle table: -N LIBVIRT_PRT -A POSTROUTING -j LIBVIRT_PRT -A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill -A LIBVIRT_PRT -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
由 Daniel P. Berrangé 提交于
Historically firewall rules for virtual networks were added straight into the base chains. This works but has a number of bugs and design limitations: - It is inflexible for admins wanting to add extra rules ahead of libvirt's rules, via hook scripts. - It is not clear to the admin that the rules were created by libvirt - Each rule must be deleted by libvirt individually since they are all directly in the builtin chains - The ordering of rules in the forward chain is incorrect when multiple networks are created, allowing traffic to mistakenly flow between networks in one direction. To address all of these problems, libvirt needs to move to creating rules in its own private chains. In the top level builtin chains, libvirt will add links to its own private top level chains. Addressing the traffic ordering bug requires some extra steps. With everything going into the FORWARD chain there was interleaving of rules for outbound traffic and inbound traffic for each network: -A FORWARD -d 192.168.3.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -s 192.168.3.0/24 -i virbr1 -j ACCEPT -A FORWARD -i virbr1 -o virbr1 -j ACCEPT -A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -d 192.168.2.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -s 192.168.2.0/24 -i virbr0 -j ACCEPT -A FORWARD -i virbr0 -o virbr0 -j ACCEPT -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable The rule allowing outbound traffic from virbr1 would mistakenly allow packets from virbr1 to virbr0, before the rule denying input to virbr0 gets a chance to run. What we really need todo is group the forwarding rules into three distinct sets: * Cross rules - LIBVIRT_FWX -A FORWARD -i virbr1 -o virbr1 -j ACCEPT -A FORWARD -i virbr0 -o virbr0 -j ACCEPT * Incoming rules - LIBVIRT_FWI -A FORWARD -d 192.168.3.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -d 192.168.2.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable * Outgoing rules - LIBVIRT_FWO -A FORWARD -s 192.168.3.0/24 -i virbr1 -j ACCEPT -A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -s 192.168.2.0/24 -i virbr0 -j ACCEPT -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable There is thus no risk of outgoing rules for one network mistakenly allowing incoming traffic for another network, as all incoming rules are evalated first. With this in mind, we'll thus need three distinct chains linked from the FORWARD chain, so we end up with: INPUT --> LIBVIRT_INP (filter) OUTPUT --> LIBVIRT_OUT (filter) FORWARD +-> LIBVIRT_FWX (filter) +-> LIBVIRT_FWO \-> LIBVIRT_FWI POSTROUTING --> LIBVIRT_PRT (nat & mangle) Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
由 Daniel P. Berrangé 提交于
Allow the platform driver impls to run logic before and after the firewall reload process. Reviewed-by: NLaine Stump <laine@laine.org> Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
- 26 1月, 2019 1 次提交
-
-
由 Laine Stump 提交于
networkMigrateStateFiles was added nearly 5 years ago when the network state directory was moved from /var/lib/libvirt to /var/run/libvirt just prior to libvirt-1.2.4). It was only required to maintain proper state information for networks that were active during an upgrade that didn't involve rebooting the host. At this point the likelyhood of anyone upgrading their libvirt from pre-1.2.4 directly to 5.0.0 or later *without rebooting the host* is probably so close to 0 that no properly informed bookie would take *any* odds on it happening, so it seems appropriate to remove this pointless code. Signed-off-by: NLaine Stump <laine@laine.org> Reviewed-by: NAndrea Bolognani <abologna@redhat.com>
-
- 14 12月, 2018 3 次提交
-
-
由 Daniel P. Berrangé 提交于
Require that all headers are guarded by a symbol named LIBVIRT_$FILENAME where $FILENAME is the uppercased filename, with all characters outside a-z changed into '_'. Note we do not use a leading __ because that is technically a namespace reserved for the toolchain. Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
由 Daniel P. Berrangé 提交于
This introduces a syntax-check script that validates header files use a common layout: /* ...copyright header... */ <one blank line> #ifndef SYMBOL # define SYMBOL ....content.... #endif /* SYMBOL */ For any file ending priv.h, before the #ifndef, we will require a guard to prevent bogus imports: #ifndef SYMBOL_ALLOW # error .... #endif /* SYMBOL_ALLOW */ <one blank line> The many mistakes this script identifies are then fixed. Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
由 Daniel P. Berrangé 提交于
In many files there are header comments that contain an Author: statement, supposedly reflecting who originally wrote the code. In a large collaborative project like libvirt, any non-trivial file will have been modified by a large number of different contributors. IOW, the Author: comments are quickly out of date, omitting people who have made significant contribitions. In some places Author: lines have been added despite the person merely being responsible for creating the file by moving existing code out of another file. IOW, the Author: lines give an incorrect record of authorship. With this all in mind, the comments are useless as a means to identify who to talk to about code in a particular file. Contributors will always be better off using 'git log' and 'git blame' if they need to find the author of a particular bit of code. This commit thus deletes all Author: comments from the source and adds a rule to prevent them reappearing. The Copyright headers are similarly misleading and inaccurate, however, we cannot delete these as they have legal meaning, despite being largely inaccurate. In addition only the copyright holder is permitted to change their respective copyright statement. Reviewed-by: NErik Skultety <eskultet@redhat.com> Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
- 20 9月, 2018 2 次提交
-
-
由 Erik Skultety 提交于
All of the ones being removed are pulled in by internal.h. The only exception is sanlock which expects the application to include <stdint.h> before sanlock's headers, because sanlock prototypes use fixed width int, but they don't include stdint.h themselves, so we have to leave that one in place. Signed-off-by: NErik Skultety <eskultet@redhat.com> Acked-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Erik Skultety 提交于
It doesn't really make sense for us to have stdlib.h and string.h but not stdio.h in the internal.h header. Signed-off-by: NErik Skultety <eskultet@redhat.com> Acked-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 17 9月, 2018 1 次提交
-
-
由 Shi Lei 提交于
Signed-off-by: NShi Lei <shi_lei@massclouds.com>
-
- 13 8月, 2018 1 次提交
-
-
由 Michal Privoznik 提交于
When starting network a macmap object is created (which stores MAC -> domain name mappings). However, if something goes wrong (e.g. virNetDevIPCheckIPv6Forwarding() fails) then the object is leaked. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NErik Skultety <eskultet@redhat.com>
-
- 26 7月, 2018 1 次提交
-
-
由 Michal Privoznik 提交于
https://bugzilla.redhat.com/show_bug.cgi?id=1600468 If we are unable to read leases file (no matter what the reason is), we return 0 - just like if there were no leases. However, because we use virFileReadAll() an error is printed into the log. Note that not all networks have leases file - only those for which we start dnsmasq. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NErik Skultety <eskultet@redhat.com>
-
- 25 7月, 2018 1 次提交
-
-
由 Shi Lei 提交于
With 'switch' we can utilize the compile time enum checks which we can't rely on with plain 'if' conditions. Signed-off-by: NShi Lei <shilei.massclouds@gmx.com> Reviewed-by: NErik Skultety <eskultet@redhat.com>
-
- 03 7月, 2018 1 次提交
-
-
由 Laine Stump 提交于
When libvirtd is restarted, it checks that each guest tap device is still attached to the bridge device that the configuration info says it should be connected to. If not, the tap will be disconnected from [wherever it is] and connected to [wherever it should be]. The previous code that did this did not account for: 1) the IFLA_MASTER attribute in a netdev's ifinfo will be set to "ovs-system" for any tap device connected to an OVS bridge, *not* to the name of the bridge it is attached to. 2) virNetDevRemovePort() only works for devices that are attached to a standard Linux host bridge. If a device is currently attached to an OVS bridge, then virNetDevOpenvswitchRemovePort() must be called instead. This patch remedies those problems, and adds a couple of information log messages to aid in debugging any future problem. Resolves: https://bugzilla.redhat.com/1596176Signed-off-by: NLaine Stump <laine@laine.org> ACKed-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 12 6月, 2018 1 次提交
-
-
由 Anya Harter 提交于
And remove NULL checking from all callers. Signed-off-by: NAnya Harter <aharter@redhat.com>
-
- 11 5月, 2018 1 次提交
-
-
由 John Ferlan 提交于
Rather than have virJSONValueArraySize return a -1 when the input is not an array and then splat an error message, let's check for an array before calling and then change the return to be a size_t instead of ssize_t. That means using the helper virJSONValueIsArray as well as using a more generic error message such as "Malformed <something> array". In some cases we can remove stack variables and when we cannot, those variables should be size_t not ssize_t. Alter a few references of if (!value) to be if (value == 0) instead as well. Some callers can already assume an array is being worked on based on the previous call, so there's less to do. Signed-off-by: NJohn Ferlan <jferlan@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
- 04 5月, 2018 1 次提交
-
-
由 Martin Kletzander 提交于
Signed-off-by: NMartin Kletzander <mkletzan@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
- 12 4月, 2018 3 次提交
-
-
由 Daniel P. Berrangé 提交于
Ensuring that we don't call the virDrvConnectOpen method with a NULL URI means that the drivers can drop various checks for NULL URIs. These were not needed anymore since the probe functionality was split Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
由 Daniel P. Berrangé 提交于
Declare what URI schemes a driver supports in its virConnectDriver struct. This allows us to skip trying to open the driver entirely if the URI scheme doesn't match. Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
由 Daniel P. Berrangé 提交于
Add a localOnly flag to the virConnectDriver struct which allows a driver to indicate whether it is local-only, or permits remote connections. Stateful drivers running inside libvirtd are generally local only. This allows us to remote the check for uri->server != NULL from most drivers. Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
- 01 4月, 2018 1 次提交
-
-
由 Ján Tomko 提交于
QEMU is the preferred spelling used on QEMU website. Signed-off-by: NJán Tomko <jtomko@redhat.com>
-