util: synchronize with firewalld before we start calling iptables directly

When it is starting up, firewalld will delete all existing iptables
rules and chains before adding its own rules. If libvirtd were to try
to directly add iptables rules during the time before firewalld has
finished initializing, firewalld would end up deleting the rules that
libvirtd has just added.

Currently this isn't a problem, since libvirtd only adds iptables
rules via the firewalld "passthrough command" API, and so firewalld is
able to properly serialize everything. However, we will soon be
changing libvirtd to add its iptables and ebtables rules by directly
calling iptables/ebtables rather than via firewalld, thus removing the
serialization of libvirtd adding rules vs. firewalld deleting rules.

This will especially apparent (if we don't fix it in advance, as this
patch does) when libvirtd is responding to the dbus NameOwnerChanged
event, which is used to learn when firewalld has been restarted. In
that case, dbus sends the event before firewalld has been able to
complete its initialization, so when libvirt responds to the event by
adding back its iptables rules (with direct calls to
/usr/bin/iptables), some of those rules are added before firewalld has
a chance to do its "remove everything" startup protocol. The usual
result of this is that libvirt will successfully add its private
chains (e.g. LIBVIRT_INP, etc), but then fail when it tries to add a
rule jumping to one of those chains (because in the interim, firewalld
has deleted the new chains).

The solution is for libvirt to preface it's direct calling to iptables
with a iptables command sent via firewalld's passthrough command
API. Since commands sent to firewalld are completed synchronously, and
since firewalld won't service them until it has completed its own
initialization, this will assure that by the time libvirt starts
calling iptables to add rules, that firewalld will not be following up
by deleting any of those rules.

To minimize the amount of extra overhead, we request the simplest
iptables command possible: "iptables -V" (and aside from logging a
debug message, we ignore the result, for good measure).

(This patch is being done *before* the patch that switches to calling
iptables directly, so that everything will function properly with any
fractional part of the series applied).

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 95bdc6e9c1fd064b5cebb9c579e690f7c990491c..f581676227692e0dbd2d22921e0d5339c4802b0a 100644 (file)
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2149,6 +2149,7 @@ virFileCacheSetPriv;
 # util/virfirewall.h
 virFirewallAddRuleFull;
 virFirewallApply;
+virFirewallBackendSynchronize;
 virFirewallFree;
 virFirewallNew;
 virFirewallRemoveRule;

diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 0b022b14afa0b9336a5769b8cb8ade0dd4ff53f0..307825331dbd7c3e5e28e26e7193d6b36fec04f9 100644 (file)
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -649,6 +649,36 @@ virFirewallApplyRuleFirewallD(virFirewallRulePtr rule,
     return virFirewallDApplyRule(rule->layer, rule->args, rule->argsLen, ignoreErrors, output);
 }
 
+
+void
+virFirewallBackendSynchronize(void)
+{
+    const char *arg = "-V";
+    g_autofree char *output = NULL;
+
+    switch (currentBackend) {
+    case VIR_FIREWALL_BACKEND_DIRECT:
+        /* nobody to synchronize with */
+        break;
+    case VIR_FIREWALL_BACKEND_FIREWALLD:
+        /* Send a simple rule via firewalld's passthrough iptables
+         * command so that we'll be sure firewalld has fully
+         * initialized and caught up with its internal queue of
+         * iptables commands. Waiting for this will prevent our own
+         * directly-executed iptables commands from being run while
+         * firewalld is still initializing.
+         */
+        ignore_value(virFirewallDApplyRule(VIR_FIREWALL_LAYER_IPV4,
+                                           (char **)&arg, 1, true, &output));
+        VIR_DEBUG("Result of 'iptables -V' via firewalld: %s", NULLSTR(output));
+        break;
+    case VIR_FIREWALL_BACKEND_AUTOMATIC:
+    case VIR_FIREWALL_BACKEND_LAST:
+        break;
+    }
+}
+
+
 static int
 virFirewallApplyRule(virFirewallPtr firewall,
                      virFirewallRulePtr rule,

diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h
index fda3cdec01e6d9b42193767b77abcfd29e824f22..3db0864380bda403b41e83306b386649495b1b69 100644 (file)
--- a/src/util/virfirewall.h
+++ b/src/util/virfirewall.h
@@ -111,4 +111,6 @@ void virFirewallStartRollback(virFirewallPtr firewall,
 
 int virFirewallApply(virFirewallPtr firewall);
 
+void virFirewallBackendSynchronize(void);
+
 G_DEFINE_AUTOPTR_CLEANUP_FUNC(virFirewall, virFirewallFree);

diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 9cfbc9f2aabf3f6c43657afeb64ee2a4052165d2..5fbb77fd5b70a341f84c1d0bf5792b7481984751 100644 (file)
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -150,6 +150,13 @@ iptablesSetupPrivateChains(virFirewallLayer layer)
     };
     size_t i;
 
+    /* When the backend is firewalld, we need to make sure that
+     * firewalld has been fully started and completed its
+     * initialization, otherwise firewalld might delete our rules soon
+     * after we add them!
+     */
+    virFirewallBackendSynchronize();
+
     virFirewallStartTransaction(fw, 0);
 
     for (i = 0; i < G_N_ELEMENTS(data); i++)