Long ago we tried to use Fedora's lokkit utility in order to register our iptables rules so that 'service iptables restart' would automatically load our rules. There was one fatal flaw - if the user had configured iptables without lokkit, then we would clobber that configuration by running lokkit. We quickly disabled lokkit support, but never removed it. Let's do that now. The 'my virtual network stops working when I restart iptables' still remains. For all the background on this saga, see: https://bugzilla.redhat.com/227011
* src/util/iptables.c: remove lokkit support
* configure.in: remove --enable-lokkit
* libvirt.spec.in: remove the dirs used only for saving rules for lokkit
* src/Makefile.am: ditto
* src/libvirt_private.syms, src/network/bridge_driver.c, src/util/iptables.h: remove references to iptablesSaveRules
---
 configure.in | 21 ----
 libvirt.spec.in | 3 -
 src/Makefile.am | 4 -
 src/libvirt_private.syms | 1 -
 src/network/bridge_driver.c | 3 -
 src/util/iptables.c | 218 -------------------------------------------
 src/util/iptables.h | 1 -
 7 files changed, 0 insertions(+), 251 deletions(-)
diff --git a/configure.in b/configure.in
index 8d21207..fe9834d 100644
--- a/configure.in
+++ b/configure.in
@@ -269,27 +269,6 @@ if test x"$with_rhel5_api" = x"yes"; then
 AC_DEFINE([WITH_RHEL5_API], [1], [whether building for the RHEL-5 API])
 fi
-dnl
-dnl ensure that Fedora's system-config-firewall knows
-dnl about libvirt's iptables rules
-dnl
-AC_ARG_ENABLE([iptables-lokkit],
- [AC_HELP_STRING([--enable-iptables-lokkit=no/yes/check],
- [enable registering libvirt's iptables rules with Fedora's lokkit])],
- [],[enable_iptables_lokkit=check])
-if test x"$enable_iptables_lokkit" != x"no"; then
- AC_PATH_PROG([LOKKIT_PATH],[lokkit], [], [/usr/sbin:$PATH])
-fi
-
-if test x"$enable_iptables_lokkit" = x"yes" -a x"$LOKKIT_PATH" = x; then
- AC_MSG_ERROR([Cannot find lokkit and --enable-iptables-lokkit specified])
-fi
-
-if test x"$LOKKIT_PATH" != x; then
- AC_DEFINE([ENABLE_IPTABLES_LOKKIT], [], [whether support for Fedora's lokkit is enabled])
- AC_DEFINE_UNQUOTED([LOKKIT_PATH], "$LOKKIT_PATH", [path to lokkit binary])
-fi
-
 AC_PATH_PROG([IPTABLES_PATH], [iptables], /sbin/iptables, [/usr/sbin:$PATH])
 AC_DEFINE_UNQUOTED([IPTABLES_PATH], "$IPTABLES_PATH", [path to iptables binary])
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 408ad05..dd067ad 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -710,9 +710,6 @@ fi
 %if %{with_network}
 %dir %{_localstatedir}/run/libvirt/network/
 %dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/network/
-%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/iptables/
-%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/iptables/filter/
-%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/iptables/nat/
 %endif
 %if %{with_qemu}
diff --git a/src/Makefile.am b/src/Makefile.am
index e5d8933..b639915 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -883,8 +883,6 @@ if WITH_UML
 $(MKDIR_P) "$(DESTDIR)$(localstatedir)/run/libvirt/uml"
 endif
 if WITH_NETWORK
- $(MKDIR_P) "$(DESTDIR)$(localstatedir)/lib/libvirt/iptables/filter"
- $(MKDIR_P) "$(DESTDIR)$(localstatedir)/lib/libvirt/iptables/nat"
 $(MKDIR_P) "$(DESTDIR)$(localstatedir)/lib/libvirt/network"
 $(MKDIR_P) "$(DESTDIR)$(localstatedir)/run/libvirt/network"
 $(MKDIR_P) "$(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/autostart"
@@ -921,8 +919,6 @@ if WITH_NETWORK
 rm -f $(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/default.xml
 rmdir "$(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/autostart" || :
 rmdir "$(DESTDIR)$(sysconfdir)/libvirt/qemu/networks" || :
- rmdir "$(DESTDIR)$(localstatedir)/lib/libvirt/iptables/filter" ||:
- rmdir "$(DESTDIR)$(localstatedir)/lib/libvirt/iptables/nat" ||:
 rmdir "$(DESTDIR)$(localstatedir)/lib/libvirt/network" ||:
 rmdir "$(DESTDIR)$(localstatedir)/run/libvirt/network" ||:
 endif
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 58f99fb..8d64b15 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -247,7 +247,6 @@ iptablesRemoveForwardRejectIn;
 iptablesRemoveForwardRejectOut;
 iptablesRemoveTcpInput;
 iptablesRemoveUdpInput;
-iptablesSaveRules;
 # libvirt_internal.h
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index d5cab71..abee78c 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -752,8 +752,6 @@ networkAddIptablesRules(virConnectPtr conn,
 !networkAddRoutingIptablesRules(conn, driver, network))
 goto err8;
- iptablesSaveRules(driver->iptables);
-
 return 1;
 err8:
@@ -807,7 +805,6 @@ networkRemoveIptablesRules(struct network_driver *driver,
 iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 53);
 iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 67);
 iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 67);
- iptablesSaveRules(driver->iptables);
 }
 static void
diff --git a/src/util/iptables.c b/src/util/iptables.c
index 36d65e4..8ac7786 100644
--- a/src/util/iptables.c
+++ b/src/util/iptables.c
@@ -66,14 +66,6 @@ typedef struct
 int nrules;
 iptRule *rules;
-
-#ifdef ENABLE_IPTABLES_LOKKIT
-
- char dir[PATH_MAX];
- char path[PATH_MAX];
-
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
 } iptRules;
 struct _iptablesContext
@@ -83,186 +75,6 @@ struct _iptablesContext
 iptRules *nat_postrouting;
 };
-#ifdef ENABLE_IPTABLES_LOKKIT
-static void
-notifyRulesUpdated(const char *table,
- const char *path)
-{
- char arg[PATH_MAX];
- const char *argv[4];
-
- snprintf(arg, sizeof(arg), "--custom-rules=ipv4:%s:%s", table, path);
-
- argv[0] = (char *) LOKKIT_PATH;
- argv[1] = (char *) "--nostart";
- argv[2] = arg;
- argv[3] = NULL;
-
- char ebuf[1024];
- if (virRun(NULL, argv, NULL) < 0)
- VIR_WARN(_("Failed to run '%s %s': %s"),
- LOKKIT_PATH, arg, virStrerror(errno, ebuf, sizeof ebuf));
-}
-
-static int
-stripLine(char *str, int len, const char *line)
-{
- char *s, *p;
- int changed;
-
- changed = 0;
- s = str;
-
- while ((p = strchr(s, '\n'))) {
- if (p == s || STRNEQLEN(s, line, p - s)) {
- s = ++p;
- continue;
- }
-
- ++p;
- memmove(s, p, len - (p - str) + 1);
- len -= p - s;
- changed = 1;
- }
-
- if (STREQ(s, line)) {
- *s = '\0';
- changed = 1;
- }
-
- return changed;
-}
-
-static void
-notifyRulesRemoved(const char *table,
- const char *path)
-{
-/* 10 MB limit on config file size as a sanity check */
-#define MAX_FILE_LEN (1024*1024*10)
-
- char arg[PATH_MAX];
- char *content;
- int len;
- FILE *f = NULL;
-
- len = virFileReadAll(SYSCONF_DIR "/sysconfig/system-config-firewall",
- MAX_FILE_LEN, &content);
- if (len < 0) {
- VIR_WARN("%s", _("Failed to read " SYSCONF_DIR
- "/sysconfig/system-config-firewall"));
- return;
- }
-
- snprintf(arg, sizeof(arg), "--custom-rules=ipv4:%s:%s", table, path);
-
- if (!stripLine(content, len, arg)) {
- VIR_FREE(content);
- return;
- }
-
- if (!(f = fopen(SYSCONF_DIR "/sysconfig/system-config-firewall", "w")))
- goto write_error;
-
- if (fputs(content, f) == EOF)
- goto write_error;
-
- if (fclose(f) == EOF) {
- f = NULL;
- goto write_error;
- }
-
- VIR_FREE(content);
-
- return;
-
- write_error:;
- char ebuf[1024];
- VIR_WARN(_("Failed to write to " SYSCONF_DIR
- "/sysconfig/system-config-firewall : %s"),
- virStrerror(errno, ebuf, sizeof ebuf));
- if (f)
- fclose(f);
- VIR_FREE(content);
-
-#undef MAX_FILE_LEN
-}
-
-static int
-writeRules(const char *path,
- const iptRule *rules,
- int nrules)
-{
- char tmp[PATH_MAX];
- FILE *f;
- int istmp;
- int i;
-
- if (nrules == 0 && unlink(path) == 0)
- return 0;
-
- if (snprintf(tmp, PATH_MAX, "%s.new", path) >= PATH_MAX)
- return EINVAL;
-
- istmp = 1;
-
- if (!(f = fopen(tmp, "w"))) {
- istmp = 0;
- if (!(f = fopen(path, "w")))
- return errno;
- }
-
- for (i = 0; i < nrules; i++) {
- if (fputs(rules[i].rule, f) == EOF ||
- fputc('\n', f) == EOF) {
- fclose(f);
- if (istmp)
- unlink(tmp);
- return errno;
- }
- }
-
- fclose(f);
-
- if (istmp && rename(tmp, path) < 0) {
- unlink(tmp);
- return errno;
- }
-
- if (istmp)
- unlink(tmp);
-
- return 0;
-}
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
-static void
-iptRulesSave(iptRules *rules)
-{
-#ifdef ENABLE_IPTABLES_LOKKIT
- int err;
-
- char ebuf[1024];
- if ((err = virFileMakePath(rules->dir))) {
- VIR_WARN(_("Failed to create directory %s : %s"),
- rules->dir, virStrerror(err, ebuf, sizeof ebuf));
- return;
- }
-
- if ((err = writeRules(rules->path, rules->rules, rules->nrules))) {
- VIR_WARN(_("Failed to saves iptables rules to %s : %s"),
- rules->path, virStrerror(err, ebuf, sizeof ebuf));
- return;
- }
-
- if (rules->nrules > 0)
- notifyRulesUpdated(rules->table, rules->path);
- else
- notifyRulesRemoved(rules->table, rules->path);
-#else
- (void) rules;
-#endif /* ENABLE_IPTABLES_LOKKIT */
-}
-
 static void
 iptRuleFree(iptRule *rule)
 {
@@ -340,11 +152,6 @@ iptRulesFree(iptRules *rules)
 rules->nrules = 0;
 }
-#ifdef ENABLE_IPTABLES_LOKKIT
- rules->dir[0] = '\0';
- rules->path[0] = '\0';
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
 VIR_FREE(rules);
 }
@@ -366,15 +173,6 @@ iptRulesNew(const char *table,
 rules->rules = NULL;
 rules->nrules = 0;
-#ifdef ENABLE_IPTABLES_LOKKIT
- if (virFileBuildPath(LOCAL_STATE_DIR "/lib/libvirt/iptables", table, NULL,
- rules->dir, sizeof(rules->dir)) < 0)
- goto error;
-
- if (virFileBuildPath(rules->dir, chain, ".chain", rules->path, sizeof(rules->path)) < 0)
- goto error;
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
 return rules;
 error:
@@ -520,22 +318,6 @@ iptablesContextFree(iptablesContext *ctx)
 VIR_FREE(ctx);
 }
-/**
- * iptablesSaveRules:
- * @ctx: pointer to the IP table context
- *
- * Saves all the IP table rules associated with a context
- * to disk so that if iptables is restarted, the rules
- * will automatically be reload.
- */
-void
-iptablesSaveRules(iptablesContext *ctx)
-{
- iptRulesSave(ctx->input_filter);
- iptRulesSave(ctx->forward_filter);
- iptRulesSave(ctx->nat_postrouting);
-}
-
 static void
 iptRulesReload(iptRules *rules)
 {
diff --git a/src/util/iptables.h b/src/util/iptables.h
index fbe9b5d..826f4f8 100644
--- a/src/util/iptables.h
+++ b/src/util/iptables.h
@@ -27,7 +27,6 @@ typedef struct _iptablesContext iptablesContext;
 iptablesContext *iptablesContextNew (void);
 void iptablesContextFree (iptablesContext *ctx);
-void iptablesSaveRules (iptablesContext *ctx);
 void iptablesReloadRules (iptablesContext *ctx);
 int iptablesAddTcpInput (iptablesContext *ctx,
-- 
1.6.5.2
-- Libvir-list mailing list Libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list