From 3b66bd9aa1bc463f7123f7b966e5c38e72d650f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
Date: Wed, 22 May 2019 13:08:13 +0100
Subject: [PATCH] network: add more debugging of firewall chain creation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Jim Fehlig
Signed-off-by: Daniel P. Berrangé
---
 src/network/bridge_driver_linux.c | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index 0d849173b2..75b34fc317 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -45,28 +45,42 @@ static void networkSetupPrivateChains(void)
 {
 int rc;
+ VIR_DEBUG("Setting up global firewall chains");
+
 createdChains = false;
 rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV4);
 if (rc < 0) {
+ VIR_DEBUG("Failed to create global IPv4 chains: %s",
+ virGetLastErrorMessage());
 errInitV4 = virSaveLastError();
 virResetLastError();
 } else {
 virFreeError(errInitV4);
 errInitV4 = NULL;
- if (rc)
+ if (rc) {
+ VIR_DEBUG("Created global IPv4 chains");
 createdChains = true;
+ } else {
+ VIR_DEBUG("Global IPv4 chains already exist");
+ }
 }
 rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6);
 if (rc < 0) {
+ VIR_DEBUG("Failed to create global IPv6 chains: %s",
+ virGetLastErrorMessage());
 errInitV6 = virSaveLastError();
 virResetLastError();
 } else {
 virFreeError(errInitV6);
 errInitV6 = NULL;
- if (rc)
+ if (rc) {
+ VIR_DEBUG("Created global IPv6 chains");
 createdChains = true;
+ } else {
+ VIR_DEBUG("Global IPv6 chains already exist");
+ }
 }
 }
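Review bot: The two failure branches report a firewall chain setup error only through `VIR_DEBUG`, so with debug logging disabled nothing is recorded at the moment `iptablesSetupPrivateChains()` returns a negative value for IPv4 or IPv6. The error is kept in `errInitV4`/`errInitV6`, but where it is later reported lies outside this hunk, so presumably an operator only learns of it some time after the fact. A host whose global chains could not be created is worth noticing early; consider raising just those two messages, e.g. `VIR_WARN("Failed to create global IPv4 chains: %s", virGetLastErrorMessage());`, and keeping the created/already-exist messages at debug level. The ordering is right as written: the message is read before `virSaveLastError()` and `virResetLastError()` run.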
@@ -95,8 +109,10 @@ void networkPreReloadFirewallRules(bool startup)
 * rules will be present. Thus we can safely just tell it
 * to always delete from the builin chain
 */
- if (startup && createdChains)
+ if (startup && createdChains) {
+ VIR_DEBUG("Requesting cleanup of legacy firewall rules");
 iptablesSetDeletePrivate(false);
+ }
 }
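Review bot: The new message in `networkPreReloadFirewallRules()` is emitted only when `startup && createdChains` holds, so a debug log cannot distinguish "cleanup was not needed" from "this path was never reached". When tracking down rules left behind in the built-in chains, the values of both operands are what one needs; a line before the `if` such as `VIR_DEBUG("startup=%d createdChains=%d", startup, createdChains);` would record them. The function's opening and the start of the comment are outside the hunk, so an equivalent message may already exist earlier in the body.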