Re: [PATCH v2] network: introduce a "none" firewall backend type

On Fri, Jun 14, 2024 at 12:22:50PM -0400, Andrea Bolognani wrote:
> On Fri, Jun 14, 2024 at 03:43:53PM GMT, Daniel P. Berrangé wrote:
> >  meson.build                       | 26 +++++++++++++++++++-------
> >  meson_options.txt                 |  2 +-
> >  src/network/bridge_driver_conf.c  | 19 ++++++++++++++-----
> >  src/network/bridge_driver_linux.c | 10 ++++++++++
> >  src/network/bridge_driver_nop.c   | 15 ++++++++++++++-
> >  src/util/virfirewall.c            |  6 ++++++
> >  src/util/virfirewall.h            |  1 +
> >  7 files changed, 65 insertions(+), 14 deletions(-)
> 
> The test suite no longer passes after applying this. At the very
> least, you need to squash in the diff at the bottom of this message.
> 
> >    firewall_backend_priority = get_option('firewall_backend_priority')
> > -  if (not firewall_backend_priority.contains('nftables') or
> > -      not firewall_backend_priority.contains('iptables') or
> > -      firewall_backend_priority.length() != 2)
> > -    error('invalid value for firewall_backend_priority option')
> > +  if firewall_backend_priority.length() == 0
> > +      if host_machine.system() == 'linux'
> > +          firewall_backend_priority = ['nftables', 'iptables']
> > +      else
> > +          # No firewall impl on non-Linux so far, so force 'none'
> > +          # as placeholder
> > +          firewall_backend_priority = ['none']
> > +      endif
> > +  else
> > +      if host_machine.system() != 'linux'
> > +          error('firewall backend priority only supported on linux hosts')
> > +      endif
> >    endif
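Review bot: the replacement drops the content validation that the removed lines performed. The new code only tests `firewall_backend_priority.length() == 0` and `host_machine.system()`, so a non-empty list is never checked for unknown names, a missing backend, or duplicates; a single `nftables` entry or `iptables,iptables` now gets past configure where the old `contains()`/`length() != 2` check rejected it. Suggest validating each element before the closing `endif`, e.g. `foreach backend : firewall_backend_priority` / `if backend not in ['nftables', 'iptables', 'none']` / `error('invalid firewall backend @0@'.format(backend))`, and rejecting repeats, so that bad values fail at configure time rather than at compile time. Minor style point: the body of the new `if` block is indented four spaces while the surrounding meson.build lines use two.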
> 
> This implementation allows things such as
> 
>   -Dfirewall_backend_priority=nftables
> 
> and
> 
>   -Dfirewall_backend_priority=iptables,iptables
> 
> At least
> 
>   -Dfirewall_backend_priority=iptables,nftables,iptables
> 
> will be blocked, but only because it results in a compilation error:
> meson will happily accept it.
> 
> Are we okay with that? It's IMO inferior to the much stricter
> checking that's performed today.

I found that if you try this with meson you'll see this

DEPRECATION: Duplicated values in array option is deprecated. This will become a hard error in the future.

I think we're fine to delegate this to Meson, given its intent to turn
this into a hard error eventually, since duplication is harmless for
us in the short term.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
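For reference, the stricter configure-time check the thread discusses, written out as an added meson.build fragment. This is not code from the patch or from libvirt; it assumes `firewall_backend_priority` is declared as an array option in meson_options.txt (as the patch's diffstat indicates) and that the only valid backend names are `nftables`, `iptables` and the new `none`:

```meson
# Added example, not part of the patch: validate the
# firewall_backend_priority array option at configure time so that
# unknown names and duplicates fail in meson rather than surfacing
# later as a compilation error or a meson deprecation warning.
firewall_backend_priority = get_option('firewall_backend_priority')

if firewall_backend_priority.length() == 0
  if host_machine.system() == 'linux'
    firewall_backend_priority = ['nftables', 'iptables']
  else
    # No firewall implementation on non-Linux so far, so use 'none'
    firewall_backend_priority = ['none']
  endif
elif host_machine.system() != 'linux'
  error('firewall backend priority only supported on linux hosts')
endif

# Assumed set of valid backend names (nftables, iptables, none).
valid_backends = ['nftables', 'iptables', 'none']
seen_backends = []

foreach backend : firewall_backend_priority
  if backend not in valid_backends
    error('invalid firewall backend "@0@" in firewall_backend_priority'.format(backend))
  endif
  if backend in seen_backends
    error('duplicate firewall backend "@0@" in firewall_backend_priority'.format(backend))
  endif
  seen_backends += backend
endforeach
```

With this in place `-Dfirewall_backend_priority=iptables,iptables` and `-Dfirewall_backend_priority=iptables,nftables,iptables` are rejected by meson itself, independent of whether a future meson release turns the duplicate-value deprecation into a hard error.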