remove all traces of lokkit support

Long ago we tried to use Fedora's lokkit utility in order to register
our iptables rules so that 'service iptables restart' would
automatically load our rules.

There was one fatal flaw - if the user had configured iptables without
lokkit, then we would clobber that configuration by running lokkit.

We quickly disabled lokkit support, but never removed it. Let's do
that now.

The 'my virtual network stops working when I restart iptables' issue
still remains. For all the background on this saga, see:

  https://bugzilla.redhat.com/227011

* src/util/iptables.c: remove lokkit support

* configure.in: remove --enable-lokkit

* libvirt.spec.in: remove the dirs used only for saving rules for lokkit

* src/Makefile.am: ditto

* src/libvirt_private.syms, src/network/bridge_driver.c,
  src/util/iptables.h: remove references to iptablesSaveRules
Mark McLoughlin 2009-12-10 11:27:17 +00:00
parent 534664c372
commit 3b3305d859
7 changed files with 0 additions and 251 deletions


@ -269,27 +269,6 @@ if test x"$with_rhel5_api" = x"yes"; then
AC_DEFINE([WITH_RHEL5_API], [1], [whether building for the RHEL-5 API])
fi
dnl
dnl ensure that Fedora's system-config-firewall knows
dnl about libvirt's iptables rules
dnl
AC_ARG_ENABLE([iptables-lokkit],
[AC_HELP_STRING([--enable-iptables-lokkit=no/yes/check],
[enable registering libvirt's iptables rules with Fedora's lokkit])],
[],[enable_iptables_lokkit=check])
if test x"$enable_iptables_lokkit" != x"no"; then
AC_PATH_PROG([LOKKIT_PATH],[lokkit], [], [/usr/sbin:$PATH])
fi
if test x"$enable_iptables_lokkit" = x"yes" -a x"$LOKKIT_PATH" = x; then
AC_MSG_ERROR([Cannot find lokkit and --enable-iptables-lokkit specified])
fi
if test x"$LOKKIT_PATH" != x; then
AC_DEFINE([ENABLE_IPTABLES_LOKKIT], [], [whether support for Fedora's lokkit is enabled])
AC_DEFINE_UNQUOTED([LOKKIT_PATH], "$LOKKIT_PATH", [path to lokkit binary])
fi
AC_PATH_PROG([IPTABLES_PATH], [iptables], /sbin/iptables, [/usr/sbin:$PATH])
AC_DEFINE_UNQUOTED([IPTABLES_PATH], "$IPTABLES_PATH", [path to iptables binary])


@ -710,9 +710,6 @@ fi
%if %{with_network}
%dir %{_localstatedir}/run/libvirt/network/
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/network/
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/iptables/
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/iptables/filter/
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/iptables/nat/
%endif
%if %{with_qemu}


@ -883,8 +883,6 @@ if WITH_UML
$(MKDIR_P) "$(DESTDIR)$(localstatedir)/run/libvirt/uml"
endif
if WITH_NETWORK
$(MKDIR_P) "$(DESTDIR)$(localstatedir)/lib/libvirt/iptables/filter"
$(MKDIR_P) "$(DESTDIR)$(localstatedir)/lib/libvirt/iptables/nat"
$(MKDIR_P) "$(DESTDIR)$(localstatedir)/lib/libvirt/network"
$(MKDIR_P) "$(DESTDIR)$(localstatedir)/run/libvirt/network"
$(MKDIR_P) "$(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/autostart"
@ -921,8 +919,6 @@ if WITH_NETWORK
rm -f $(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/default.xml
rmdir "$(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/autostart" || :
rmdir "$(DESTDIR)$(sysconfdir)/libvirt/qemu/networks" || :
rmdir "$(DESTDIR)$(localstatedir)/lib/libvirt/iptables/filter" ||:
rmdir "$(DESTDIR)$(localstatedir)/lib/libvirt/iptables/nat" ||:
rmdir "$(DESTDIR)$(localstatedir)/lib/libvirt/network" ||:
rmdir "$(DESTDIR)$(localstatedir)/run/libvirt/network" ||:
endif


@ -247,7 +247,6 @@ iptablesRemoveForwardRejectIn;
iptablesRemoveForwardRejectOut;
iptablesRemoveTcpInput;
iptablesRemoveUdpInput;
iptablesSaveRules;
# libvirt_internal.h


@ -752,8 +752,6 @@ networkAddIptablesRules(virConnectPtr conn,
!networkAddRoutingIptablesRules(conn, driver, network))
goto err8;
iptablesSaveRules(driver->iptables);
return 1;
err8:
@ -807,7 +805,6 @@ networkRemoveIptablesRules(struct network_driver *driver,
iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 53);
iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 67);
iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 67);
iptablesSaveRules(driver->iptables);
}
static void


@ -66,14 +66,6 @@ typedef struct
int nrules;
iptRule *rules;
#ifdef ENABLE_IPTABLES_LOKKIT
char dir[PATH_MAX];
char path[PATH_MAX];
#endif /* ENABLE_IPTABLES_LOKKIT */
} iptRules;
struct _iptablesContext
@ -83,186 +75,6 @@ struct _iptablesContext
iptRules *nat_postrouting;
};
#ifdef ENABLE_IPTABLES_LOKKIT
static void
notifyRulesUpdated(const char *table,
const char *path)
{
char arg[PATH_MAX];
const char *argv[4];
snprintf(arg, sizeof(arg), "--custom-rules=ipv4:%s:%s", table, path);
argv[0] = (char *) LOKKIT_PATH;
argv[1] = (char *) "--nostart";
argv[2] = arg;
argv[3] = NULL;
char ebuf[1024];
if (virRun(NULL, argv, NULL) < 0)
VIR_WARN(_("Failed to run '%s %s': %s"),
LOKKIT_PATH, arg, virStrerror(errno, ebuf, sizeof ebuf));
}
static int
stripLine(char *str, int len, const char *line)
{
char *s, *p;
int changed;
changed = 0;
s = str;
while ((p = strchr(s, '\n'))) {
if (p == s || STRNEQLEN(s, line, p - s)) {
s = ++p;
continue;
}
++p;
memmove(s, p, len - (p - str) + 1);
len -= p - s;
changed = 1;
}
if (STREQ(s, line)) {
*s = '\0';
changed = 1;
}
return changed;
}
static void
notifyRulesRemoved(const char *table,
const char *path)
{
/* 10 MB limit on config file size as a sanity check */
#define MAX_FILE_LEN (1024*1024*10)
char arg[PATH_MAX];
char *content;
int len;
FILE *f = NULL;
len = virFileReadAll(SYSCONF_DIR "/sysconfig/system-config-firewall",
MAX_FILE_LEN, &content);
if (len < 0) {
VIR_WARN("%s", _("Failed to read " SYSCONF_DIR
"/sysconfig/system-config-firewall"));
return;
}
snprintf(arg, sizeof(arg), "--custom-rules=ipv4:%s:%s", table, path);
if (!stripLine(content, len, arg)) {
VIR_FREE(content);
return;
}
if (!(f = fopen(SYSCONF_DIR "/sysconfig/system-config-firewall", "w")))
goto write_error;
if (fputs(content, f) == EOF)
goto write_error;
if (fclose(f) == EOF) {
f = NULL;
goto write_error;
}
VIR_FREE(content);
return;
write_error:;
char ebuf[1024];
VIR_WARN(_("Failed to write to " SYSCONF_DIR
"/sysconfig/system-config-firewall : %s"),
virStrerror(errno, ebuf, sizeof ebuf));
if (f)
fclose(f);
VIR_FREE(content);
#undef MAX_FILE_LEN
}
static int
writeRules(const char *path,
const iptRule *rules,
int nrules)
{
char tmp[PATH_MAX];
FILE *f;
int istmp;
int i;
if (nrules == 0 && unlink(path) == 0)
return 0;
if (snprintf(tmp, PATH_MAX, "%s.new", path) >= PATH_MAX)
return EINVAL;
istmp = 1;
if (!(f = fopen(tmp, "w"))) {
istmp = 0;
if (!(f = fopen(path, "w")))
return errno;
}
for (i = 0; i < nrules; i++) {
if (fputs(rules[i].rule, f) == EOF ||
fputc('\n', f) == EOF) {
fclose(f);
if (istmp)
unlink(tmp);
return errno;
}
}
fclose(f);
if (istmp && rename(tmp, path) < 0) {
unlink(tmp);
return errno;
}
if (istmp)
unlink(tmp);
return 0;
}
#endif /* ENABLE_IPTABLES_LOKKIT */
static void
iptRulesSave(iptRules *rules)
{
#ifdef ENABLE_IPTABLES_LOKKIT
int err;
char ebuf[1024];
if ((err = virFileMakePath(rules->dir))) {
VIR_WARN(_("Failed to create directory %s : %s"),
rules->dir, virStrerror(err, ebuf, sizeof ebuf));
return;
}
if ((err = writeRules(rules->path, rules->rules, rules->nrules))) {
VIR_WARN(_("Failed to saves iptables rules to %s : %s"),
rules->path, virStrerror(err, ebuf, sizeof ebuf));
return;
}
if (rules->nrules > 0)
notifyRulesUpdated(rules->table, rules->path);
else
notifyRulesRemoved(rules->table, rules->path);
#else
(void) rules;
#endif /* ENABLE_IPTABLES_LOKKIT */
}
static void
iptRuleFree(iptRule *rule)
{
@ -340,11 +152,6 @@ iptRulesFree(iptRules *rules)
rules->nrules = 0;
}
#ifdef ENABLE_IPTABLES_LOKKIT
rules->dir[0] = '\0';
rules->path[0] = '\0';
#endif /* ENABLE_IPTABLES_LOKKIT */
VIR_FREE(rules);
}
@ -366,15 +173,6 @@ iptRulesNew(const char *table,
rules->rules = NULL;
rules->nrules = 0;
#ifdef ENABLE_IPTABLES_LOKKIT
if (virFileBuildPath(LOCAL_STATE_DIR "/lib/libvirt/iptables", table, NULL,
rules->dir, sizeof(rules->dir)) < 0)
goto error;
if (virFileBuildPath(rules->dir, chain, ".chain", rules->path, sizeof(rules->path)) < 0)
goto error;
#endif /* ENABLE_IPTABLES_LOKKIT */
return rules;
error:
@ -520,22 +318,6 @@ iptablesContextFree(iptablesContext *ctx)
VIR_FREE(ctx);
}
/**
* iptablesSaveRules:
* @ctx: pointer to the IP table context
*
* Saves all the IP table rules associated with a context
* to disk so that if iptables is restarted, the rules
* will automatically be reload.
*/
void
iptablesSaveRules(iptablesContext *ctx)
{
iptRulesSave(ctx->input_filter);
iptRulesSave(ctx->forward_filter);
iptRulesSave(ctx->nat_postrouting);
}
static void
iptRulesReload(iptRules *rules)
{


@ -27,7 +27,6 @@ typedef struct _iptablesContext iptablesContext;
iptablesContext *iptablesContextNew (void);
void iptablesContextFree (iptablesContext *ctx);
void iptablesSaveRules (iptablesContext *ctx);
void iptablesReloadRules (iptablesContext *ctx);
int iptablesAddTcpInput (iptablesContext *ctx,