Re: [libvirt PATCH 00/28] native support for nftables in virtual network driver

2023-05-03 Thread Daniel P . Berrangé
On Sun, Apr 30, 2023 at 11:19:15PM -0400, Laine Stump wrote: > When I first started on this (long, protracted, repeatedly interrupted > for extended periods - many of these patches are > a year old) task, I > considered doing an all-at-once complete replacement of iptables with > nftables, since

Re: [libvirt PATCH 02/28] util: new virFirewallRuleGet*() APIs

2023-05-03 Thread Daniel P . Berrangé
On Sun, Apr 30, 2023 at 11:19:17PM -0400, Laine Stump wrote: > We will need access to these attributes of the object from outside > virfirewall.c. I think this is not desirable. It is caused by the movement of part of virfirewall functionality into viriptables.c and the new virnftables.c. This

Re: [libvirt PATCH 05/28] util: move backend-agnostic virNetfilter*() functions to their own file

2023-05-03 Thread Daniel P . Berrangé
On Sun, Apr 30, 2023 at 11:19:20PM -0400, Laine Stump wrote: > These functions are all moved into virnetfilter.[ch]. The only > functions from viriptables.[ch] that are still called from the > consumer (network bridge driver) are iptablesSetupPrivateChains() > (which creates the private chains that

Re: [libvirt PATCH 06/28] util: make netfilter action a proper typedefed (virFirewall) enum

2023-05-03 Thread Daniel P . Berrangé
On Sun, Apr 30, 2023 at 11:19:21PM -0400, Laine Stump wrote: > and take advantage of this to replace all the ternary operators when > calling virFirewallAddRule() with virIptablesActionTypeToString(). > > (NB: the VIR_ENUM declaration uses "virIptablesAction" rather than > "virFirewallAction"

Re: [libvirt PATCH 07/28] util: #define the names used for private packet filter chains

2023-05-03 Thread Daniel P . Berrangé
On Sun, Apr 30, 2023 at 11:19:22PM -0400, Laine Stump wrote: > This is done so that we can be sure we're using the same chain name > for iptables and nftables. Not strictly necessary, but it will make > documentation and troubleshooting simpler. > > Signed-off-by: Laine Stump > --- >

Re: [libvirt PATCH 10/28] network: add (empty) network.conf file to distribution files

2023-05-03 Thread Daniel P . Berrangé
On Sun, Apr 30, 2023 at 11:19:25PM -0400, Laine Stump wrote: > Signed-off-by: Laine Stump > --- > libvirt.spec.in | 3 ++ > src/network/libvirtd_network.aug | 36 > src/network/meson.build | 11 >

Re: [libvirt PATCH 08/28] util: move/rename virFirewallApplyRuleDirect to virIptablesApplyFirewallRule

2023-05-03 Thread Daniel P . Berrangé
On Wed, May 03, 2023 at 04:21:28PM +0100, Daniel P. Berrangé wrote: > On Sun, Apr 30, 2023 at 11:19:23PM -0400, Laine Stump wrote: > > This is the only iptables-specific function in all of > > virfirewall.c. By moving it to viriptables.c (with appropriate > > renaming), and calling it indirectly

Re: [libvirt PATCH 04/28] util: rename iptables helpers that will become the frontend for ip

2023-05-03 Thread Daniel P . Berrangé
On Sun, Apr 30, 2023 at 11:19:19PM -0400, Laine Stump wrote: > These toplevel functions have no iptables-specific code, except that > they each call a lower-level internal function that *is* iptables > specific. As a preparation to supporting use of either iptables or > nftables, rename these

Re: [libvirt PATCH 03/28] util: determine ignoreErrors value when creating rule, not when applying

2023-05-03 Thread Daniel P . Berrangé
On Sun, Apr 30, 2023 at 11:19:18PM -0400, Laine Stump wrote: > We know at the time a virFirewallRule is created (with > virFirewallAddRule*()) whether or not we will later want to ignore > errors encountered when attempting to apply that rule - if > ignoreErrors is set in the AddRule or if the

Re: [libvirt PATCH 04/28] util: rename iptables helpers that will become the frontend for ip

2023-05-03 Thread Daniel P . Berrangé
On Sun, Apr 30, 2023 at 11:19:19PM -0400, Laine Stump wrote: > These toplevel functions have no iptables-specific code, except that > they each call a lower-level internal function that *is* iptables > specific. As a preparation to supporting use of either iptables or > nftables, rename these

Re: [libvirt PATCH] meson: Fix qemu_{user,group} defaults for Arch

2023-05-03 Thread Erik Skultety
On Tue, May 02, 2023 at 06:14:03PM +0200, Andrea Bolognani wrote: > The current values might have been accurate at the time > when the logic was introduced, but these days Arch is > using the same ones as Debian. > > Signed-off-by: Andrea Bolognani > --- Reviewed-by: Erik Skultety

[libvirt PATCH 0/4] ci: Update to latest lcitool, drop Fedora 36 & add Fedora 38

2023-05-03 Thread Erik Skultety
This depends on the corresponding changes in libvirt-perl and libvirt-python: https://gitlab.com/libvirt/libvirt-perl/-/merge_requests/92 https://gitlab.com/libvirt/libvirt-python/-/merge_requests/114 Once those are in, I'll provide a link to a fresh libvirt proof pipeline. Erik Skultety (4):

[libvirt PATCH 1/4] ci: Add Fedora 38 target

2023-05-03 Thread Erik Skultety
Signed-off-by: Erik Skultety --- ci/buildenv/fedora-38.sh | 96 + ci/containers/fedora-38.Dockerfile | 108 + ci/gitlab/builds.yml | 26 +++ ci/gitlab/containers.yml | 7 ++ ci/integration.yml

[libvirt PATCH 3/4] ci: Flip mingw jobs from Fedora 37 to Fedora 38

2023-05-03 Thread Erik Skultety
Signed-off-by: Erik Skultety --- ...-mingw32.sh => fedora-38-cross-mingw32.sh} | 0 ...-mingw64.sh => fedora-38-cross-mingw64.sh} | 0 ...ile => fedora-38-cross-mingw32.Dockerfile} | 2 +- ...ile => fedora-38-cross-mingw64.Dockerfile} | 2 +- ci/gitlab/builds.yml |

[libvirt PATCH 4/4] ci: integration: Flip QEMU upstream integration tests to Fedora 38

2023-05-03 Thread Erik Skultety
Signed-off-by: Erik Skultety --- ci/integration.yml | 24 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/ci/integration.yml b/ci/integration.yml index 8dafff5c9a..25788099b5 100644 --- a/ci/integration.yml +++ b/ci/integration.yml @@ -161,41 +161,41 @@

[libvirt PATCH 2/4] ci: Drop Fedora 36 target

2023-05-03 Thread Erik Skultety
Signed-off-by: Erik Skultety --- ci/buildenv/fedora-36.sh | 96 - ci/containers/fedora-36.Dockerfile | 108 - ci/gitlab/builds.yml | 26 --- ci/gitlab/containers.yml | 7 -- ci/integration.yml

Re: [PATCH 1/1] cpu_riscv64.c: add update() implementation

2023-05-03 Thread Daniel Henrique Barboza
On 5/3/23 06:07, Andrea Bolognani wrote: On Fri, Apr 28, 2023 at 02:15:04PM -0300, Daniel Henrique Barboza wrote: On 4/28/23 12:40, Andrea Bolognani wrote: On Thu, Apr 27, 2023 at 06:04:10PM -0300, Daniel Henrique Barboza wrote: At this moment it is not possible to launch a 'riscv64'

Re: [libvirt PATCH 0/4] ci: Update to latest lcitool, drop Fedora 36 & add Fedora 38

2023-05-03 Thread Andrea Bolognani
On Wed, May 03, 2023 at 09:19:10AM +0200, Erik Skultety wrote: > This depends on the corresponding changes in libvirt-perl and libvirt-python: > > https://gitlab.com/libvirt/libvirt-perl/-/merge_requests/92 > https://gitlab.com/libvirt/libvirt-python/-/merge_requests/114 > > Once those are in,

Re: [libvirt PATCH 3/4] ci: Flip mingw jobs from Fedora 37 to Fedora 38

2023-05-03 Thread Andrea Bolognani
On Wed, May 03, 2023 at 09:19:13AM +0200, Erik Skultety wrote: > +++ b/ci/manifest.yml > @@ -124,11 +124,6 @@ targets: >paths: > - libvirt-rpms > > - - arch: mingw32 > -builds: false > - > - - arch: mingw64 > - >fedora-38: > jobs: >-

[PATCH 1/2] util: include virfirewall.h in virfirewalld.h

2023-05-03 Thread Michal Privoznik
The virfirewalld.h file provides a declaration for virFirewallDApplyRule() which accepts an argument of type virFirewallLayer. But the typedef lives in virfirewall.h and thus including just virfirewalld.h is not sufficient. Signed-off-by: Michal Privoznik --- src/util/virfirewalld.h | 2 ++ 1

[PATCH 2/2] virfirewallmock: Replace virFindFileInPath() with virFirewallDIsRegistered()

2023-05-03 Thread Michal Privoznik
None of the tests that use virfirewallmock.c (networkxml2firewalltest, nwfilterebiptablestest, nwfilterxml2firewalltest, virfirewalltest) really call virFindFileInPath(). But at least networkxml2firewalltest calls virFirewallDIsRegistered(), under the hood. Now, the actual implementation connects

Re: [libvirt PATCH 00/28] native support for nftables in virtual network driver

2023-05-03 Thread Michal Prívozník
On 5/1/23 05:19, Laine Stump wrote: > > 45 files changed, 5718 insertions(+), 954 deletions(-) Reviewed-by: Michal Privoznik Michal

[PATCH 0/2] Fix mocking around networkxml2firewalltest

2023-05-03 Thread Michal Privoznik
*** BLURB HERE *** Michal Prívozník (2): util: include virfirewall.h in virfirewalld.h virfirewallmock: Replace virFindFileInPath() with virFirewallDIsRegistered() src/util/virfirewalld.h | 2 ++ tests/virfirewallmock.c | 16 2 files changed, 6 insertions(+), 12

Re: [PATCH 1/1] cpu_riscv64.c: add update() implementation

2023-05-03 Thread Andrea Bolognani
On Fri, Apr 28, 2023 at 02:15:04PM -0300, Daniel Henrique Barboza wrote: > On 4/28/23 12:40, Andrea Bolognani wrote: > > On Thu, Apr 27, 2023 at 06:04:10PM -0300, Daniel Henrique Barboza wrote: > > > At this moment it is not possible to launch a 'riscv64' domain of type > > > 'qemu' (i.e. TCG) and

Re: [libvirt PATCH 00/28] native support for nftables in virtual network driver

2023-05-03 Thread Ján Tomko
On a Sunday in 2023, Laine Stump wrote: This patch series enables libvirt to use nftables rules rather than iptables *when setting up virtual networks* (it does *not* add nftables support to the nwfilter driver). It accomplishes this by getting these patches in. [... 150 lines deleted ...]

Re: [libvirt PATCH 21/28] util: implement rollback rule autosave for nftables backend

2023-05-03 Thread Ján Tomko
On a Sunday in 2023, Laine Stump wrote: Determining the correct rollback rule for nftables is more complicated than iptables - nftables give each new table/chain/rule a handle, and the nft delete command to delete the object must contain that handle (rather than just replicating the entire

Re: [libvirt PATCH 15/28] build: add nft to the list of binaries we attempt to locate

2023-05-03 Thread Daniel P . Berrangé
On Sun, Apr 30, 2023 at 11:19:30PM -0400, Laine Stump wrote: > and include it in BuildRequires and Requires of the rpm specfile to > make sure it's available when doing official distro builds. > > Signed-off-by: Laine Stump > --- > libvirt.spec.in | 2 ++ > meson.build | 1 + > 2 files

Re: [libvirt PATCH 01/28] util: add -w/--concurrent when applying the rule rather than when building it

2023-05-03 Thread Daniel P . Berrangé
On Sun, Apr 30, 2023 at 11:19:16PM -0400, Laine Stump wrote: > We will already need a separate function for virFirewallApplyRule for > iptables vs. nftables, but the only reason for needing a separate > function for virFirewallAddRule* is that iptables/ebtables need to > have an extra arg added

Re: [libvirt PATCH 08/28] util: move/rename virFirewallApplyRuleDirect to virIptablesApplyFirewallRule

2023-05-03 Thread Daniel P . Berrangé
On Sun, Apr 30, 2023 at 11:19:23PM -0400, Laine Stump wrote: > This is the only iptables-specific function in all of > virfirewall.c. By moving it to viriptables.c (with appropriate > renaming), and calling it indirectly through a similarly named wrapper > function in virnetfilter.c, we have made

Re: [libvirt PATCH 12/28] network: do not add DHCP checksum mangle rule unless using iptables

2023-05-03 Thread Daniel P . Berrangé
On Sun, Apr 30, 2023 at 11:19:27PM -0400, Laine Stump wrote: > Long long ago (commit fd5b15ff in July 2010), we determined that the > combination of virtio-net + vhost packet handling (i.e. handling > packets in the kernel rather than userspace) + very old guest OSes > (e.g. RHEL5, but not even