libvirt/src/nwfilter
Stefan Berger b7d00de2bd Fix libvirt upgrade path when nwfilter is used
Between revision 65fb9d49 and before this patch, an upgrade of libvirt while
VMs are running and instantiating iptables filtering rules due to nwfilter
rules may leave stray iptables rules behind when shutting VMs down.
Left-over iptables rules may look like this:

Chain FP-vnet0 (1 references)
target     prot opt source               destination         
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:122
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

[...]

Chain libvirt-out (1 references)
target     prot opt source               destination         
FO-vnet0   all  --  0.0.0.0/0            0.0.0.0/0           [goto]  PHYSDEV match --physdev-out vnet0
The reason is that the recent nwfilter code only removed filtering rules in
the libvirt-out chain that contain the --physdev-is-bridged parameter.
Older rules didn't match and were not removed.

Note that the user-defined chain FO-vnet0 could not be removed due to the
reference from the rule in libvirt-out.

Often the workaround may be done through

service iptables restart
kill -SIGHUP $(pidof libvirtd)

This patch now also removes older libvirt versions' iptables rules.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
2013-02-15 21:33:37 -05:00
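The commit message explains why the stray FO-vnet0 chain survived: a chain cannot be deleted with -X while a rule in libvirt-out still jumps to it, and the cleanup code only matched rules that carried --physdev-is-bridged. The following Python script is an added example, not code from libvirt or from this commit. It parses iptables -S style output, reports per-chain reference counts (the "(1 references)" shown in the listing above), and plans a cleanup that deletes every referencing rule, whatever options it carries, before flushing and deleting the per-interface chains. The sample rules are constructed to mirror the listing; the assumption that libvirt's per-interface chains are named with a one- or two-letter prefix plus "-<ifname>" (FO-vnet0, FP-vnet0) and the choice of which libvirt chain jumps to which per-interface chain are simplifications for the example.

```python
"""Plan removal of stray libvirt nwfilter iptables chains (added example)."""
import re
import shlex
import subprocess
import sys
from collections import Counter

# Constructed sample of `iptables -S` output (not captured from a real host).
# It mirrors the commit message: libvirt-out carries an old-style jump to
# FO-vnet0 without --physdev-is-bridged, so FO-vnet0 keeps one reference.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FO-vnet0
-N FP-vnet0
-N libvirt-in
-N libvirt-out
-A FORWARD -j libvirt-in
-A FORWARD -j libvirt-out
-A libvirt-in -m physdev --physdev-in vnet0 -g FP-vnet0
-A libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0
-A FP-vnet0 -p tcp -m tcp --sport 122 -j DROP
-A FP-vnet0 -j ACCEPT
-A FO-vnet0 -j ACCEPT
"""


def parse_rules(text):
    """Return (chains, rules): user-defined chain names from -N lines and
    (chain, rulespec) pairs from -A lines. -P policy lines are ignored."""
    chains, rules = [], []
    for line in text.splitlines():
        argv = shlex.split(line)
        if len(argv) >= 2 and argv[0] == "-N":
            chains.append(argv[1])
        elif len(argv) >= 2 and argv[0] == "-A":
            rules.append((argv[1], argv[2:]))
    return chains, rules


def jump_target(spec):
    """Target named by the rule's -j or -g option, or None if it has none."""
    for i, tok in enumerate(spec[:-1]):
        if tok in ("-j", "-g"):
            return spec[i + 1]
    return None


def reference_counts(rules, chains):
    """How many rules jump into each user-defined chain (iptables -L's
    '(N references)'). A chain with a count above zero cannot be -X'ed."""
    counts = Counter({c: 0 for c in chains})
    for _, spec in rules:
        target = jump_target(spec)
        if target in counts:
            counts[target] += 1
    return dict(counts)


def is_iface_chain(chain, iface):
    # Assumption: per-interface chains look like FO-<iface> or FP-<iface>.
    return re.fullmatch(r"[A-Z]{1,2}-" + re.escape(iface), chain) is not None


def plan_cleanup(text, iface):
    """Ordered iptables commands that remove every chain belonging to iface.
    References are deleted first, regardless of which physdev options the
    referencing rule carries, because -X fails while a reference remains."""
    chains, rules = parse_rules(text)
    stale = [c for c in chains if is_iface_chain(c, iface)]
    cmds = []
    for chain, spec in rules:  # 1. drop jumps into the stale chains
        if chain not in stale and jump_target(spec) in stale:
            cmds.append(["iptables", "-D", chain] + spec)
    for c in stale:  # 2. flush so intra-chain jumps disappear too
        cmds.append(["iptables", "-F", c])
    for c in stale:  # 3. now every stale chain has zero references
        cmds.append(["iptables", "-X", c])
    return cmds


if __name__ == "__main__":
    # With --live the rules are read from the running host; otherwise the
    # constructed sample is used so the script runs offline. Nothing is applied.
    iface = sys.argv[1] if len(sys.argv) > 1 and sys.argv[1] != "--live" else "vnet0"
    text = (subprocess.run(["iptables", "-S"], capture_output=True, text=True,
                           check=True).stdout if "--live" in sys.argv else SAMPLE_RULES)
    for cmd in plan_cleanup(text, iface):
        print(shlex.join(cmd))
```

Running the script without arguments prints the six commands for the sample: the two -D rules first, then -F and -X for FO-vnet0 and FP-vnet0. Pipe the output to sh only after checking it against the live ruleset; the -D rule specs are taken verbatim from iptables -S, so they match exactly the rule that was listed.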
nwfilter_dhcpsnoop.c virCondDestroy: Lose attribute RETURN_CHECK 2013-02-08 09:12:11 +01:00
nwfilter_dhcpsnoop.h maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
nwfilter_driver.c Fix nwfilter driver reload/shutdown handling when unprivileged 2013-01-23 12:43:28 +00:00
nwfilter_driver.h maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
nwfilter_ebiptables_driver.c Fix libvirt upgrade path when nwfilter is used 2013-02-15 21:33:37 -05:00
nwfilter_ebiptables_driver.h maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
nwfilter_gentech_driver.c Turn virDomainObjList into an opaque virObject 2013-02-05 15:49:25 +00:00
nwfilter_gentech_driver.h Turn virDomainObjList into an opaque virObject 2013-02-05 15:49:25 +00:00
nwfilter_learnipaddr.c Rename virterror.c virterror_internal.h to virerror.{c,h} 2012-12-21 11:19:50 +00:00
nwfilter_learnipaddr.h maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00