network: eliminate code that uses default iptables chains

The network driver has put all its rules into private chains (created
by libvirt) since commit 7431b3eb9a, which was included in
libvirt-5.1.0. When the conversion was made, code was included that
would attempt to delete existing rules in the default chains, to make
it possible to upgrade libvirt without restarting the host OS.

Almost 3 years has passed, and it is doubtful that anyone will be
attempting to upgrade directly from a pre-5.1.0 libvirt to something
as new as 8.0.0 (possibly with the exception of upgrading the entire
OS to a new release, which would include also rebooting), so it is now
safe to remove this code.

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index da27ee7b53022437d164596067469c04e797281b..fc53293ead1098bc80268c0b967bcb3241b28da7 100644 (file)
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2501,7 +2501,6 @@ iptablesRemoveTcpInput;
 iptablesRemoveTcpOutput;
 iptablesRemoveUdpInput;
 iptablesRemoveUdpOutput;
-iptablesSetDeletePrivate;
 iptablesSetupPrivateChains;
 
 

diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index d2eab33e5fb0caecfbaab067faff5cb1477f804f..1c8be7103a82d9fe97ea102b9f4381e6418da0f8 100644 (file)
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -37,7 +37,7 @@ VIR_LOG_INIT("network.bridge_driver_linux");
 
 static virOnceControl createdOnce;
 static bool chainInitDone; /* true iff networkSetupPrivateChains was ever called */
-static bool createdChains; /* true iff networkSetupPrivateChains created chains during most recent call */
+
 static virErrorPtr errInitV4;
 static virErrorPtr errInitV6;
 
@@ -50,7 +50,6 @@ static void networkSetupPrivateChains(void)
 
     VIR_DEBUG("Setting up global firewall chains");
 
-    createdChains = false;
     virFreeError(errInitV4);
     errInitV4 = NULL;
     virFreeError(errInitV6);
@@ -63,12 +62,10 @@ static void networkSetupPrivateChains(void)
         errInitV4 = virSaveLastError();
         virResetLastError();
     } else {
-        if (rc) {
+        if (rc)
             VIR_DEBUG("Created global IPv4 chains");
-            createdChains = true;
-        } else {
+        else
             VIR_DEBUG("Global IPv4 chains already exist");
-        }
     }
 
     rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6);
@@ -78,12 +75,10 @@ static void networkSetupPrivateChains(void)
         errInitV6 = virSaveLastError();
         virResetLastError();
     } else {
-        if (rc) {
+        if (rc)
             VIR_DEBUG("Created global IPv6 chains");
-            createdChains = true;
-        } else {
+        else
             VIR_DEBUG("Global IPv6 chains already exist");
-        }
     }
 
     chainInitDone = true;
@@ -145,7 +140,7 @@ networkHasRunningNetworksWithFW(virNetworkDriverState *driver)
 
 void
 networkPreReloadFirewallRules(virNetworkDriverState *driver,
-                              bool startup,
+                              bool startup G_GNUC_UNUSED,
                               bool force)
 {
     /*
@@ -183,31 +178,13 @@ networkPreReloadFirewallRules(virNetworkDriverState *driver,
         }
 
         ignore_value(virOnce(&createdOnce, networkSetupPrivateChains));
-
-        /*
-         * If this is initial startup, and we just created the
-         * top level private chains we either
-         *
-         *   - upgraded from old libvirt
-         *   - freshly booted from clean state
-         *
-         * In the first case we must delete the old rules from
-         * the built-in chains, instead of our new private chains.
-         * In the second case it doesn't matter, since no existing
-         * rules will be present. Thus we can safely just tell it
-         * to always delete from the builin chain
-         */
-        if (startup && createdChains) {
-            VIR_DEBUG("Requesting cleanup of legacy firewall rules");
-            iptablesSetDeletePrivate(false);
-        }
     }
 }
 
 
 void networkPostReloadFirewallRules(bool startup G_GNUC_UNUSED)
 {
-    iptablesSetDeletePrivate(true);
+
 }
 
 

diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 721e1eeae799e785979985c793906ce72464ad63..ac949efba7d7ee2555b7b2a4a813287558a7c6df 100644 (file)
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -47,8 +47,6 @@ enum {
     REMOVE
 };
 
-static bool deletePrivate = true;
-
 typedef struct {
     const char *parent;
     const char *child;
@@ -162,17 +160,9 @@ iptablesSetupPrivateChains(virFirewallLayer layer)
 }
 
 
-void
-iptablesSetDeletePrivate(bool pvt)
-{
-    deletePrivate = pvt;
-}
-
-
 static void
 iptablesInput(virFirewall *fw,
               virFirewallLayer layer,
-              bool pvt,
               const char *iface,
               int port,
               int action,
@@ -186,7 +176,7 @@ iptablesInput(virFirewall *fw,
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
                        action == ADD ? "--insert" : "--delete",
-                       pvt ? "LIBVIRT_INP" : "INPUT",
+                       "LIBVIRT_INP",
                        "--in-interface", iface,
                        "--protocol", tcp ? "tcp" : "udp",
                        "--destination-port", portstr,
@@ -197,7 +187,6 @@ iptablesInput(virFirewall *fw,
 static void
 iptablesOutput(virFirewall *fw,
                virFirewallLayer layer,
-               bool pvt,
                const char *iface,
                int port,
                int action,
@@ -211,7 +200,7 @@ iptablesOutput(virFirewall *fw,
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
                        action == ADD ? "--insert" : "--delete",
-                       pvt ? "LIBVIRT_OUT" : "OUTPUT",
+                       "LIBVIRT_OUT",
                        "--out-interface", iface,
                        "--protocol", tcp ? "tcp" : "udp",
                        "--destination-port", portstr,
@@ -234,7 +223,7 @@ iptablesAddTcpInput(virFirewall *fw,
                     const char *iface,
                     int port)
 {
-    iptablesInput(fw, layer, true, iface, port, ADD, 1);
+    iptablesInput(fw, layer, iface, port, ADD, 1);
 }
 
 /**
@@ -252,7 +241,7 @@ iptablesRemoveTcpInput(virFirewall *fw,
                        const char *iface,
                        int port)
 {
-    iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 1);
+    iptablesInput(fw, layer, iface, port, REMOVE, 1);
 }
 
 /**
@@ -270,7 +259,7 @@ iptablesAddUdpInput(virFirewall *fw,
                     const char *iface,
                     int port)
 {
-    iptablesInput(fw, layer, true, iface, port, ADD, 0);
+    iptablesInput(fw, layer, iface, port, ADD, 0);
 }
 
 /**
@@ -288,7 +277,7 @@ iptablesRemoveUdpInput(virFirewall *fw,
                        const char *iface,
                        int port)
 {
-    iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 0);
+    iptablesInput(fw, layer, iface, port, REMOVE, 0);
 }
 
 /**
@@ -306,7 +295,7 @@ iptablesAddTcpOutput(virFirewall *fw,
                      const char *iface,
                      int port)
 {
-    iptablesOutput(fw, layer, true, iface, port, ADD, 1);
+    iptablesOutput(fw, layer, iface, port, ADD, 1);
 }
 
 /**
@@ -324,7 +313,7 @@ iptablesRemoveTcpOutput(virFirewall *fw,
                         const char *iface,
                         int port)
 {
-    iptablesOutput(fw, layer, deletePrivate, iface, port, REMOVE, 1);
+    iptablesOutput(fw, layer, iface, port, REMOVE, 1);
 }
 
 /**
@@ -342,7 +331,7 @@ iptablesAddUdpOutput(virFirewall *fw,
                      const char *iface,
                      int port)
 {
-    iptablesOutput(fw, layer, true, iface, port, ADD, 0);
+    iptablesOutput(fw, layer, iface, port, ADD, 0);
 }
 
 /**
@@ -360,7 +349,7 @@ iptablesRemoveUdpOutput(virFirewall *fw,
                         const char *iface,
                         int port)
 {
-    iptablesOutput(fw, layer, deletePrivate, iface, port, REMOVE, 0);
+    iptablesOutput(fw, layer, iface, port, REMOVE, 0);
 }
 
 
@@ -400,7 +389,6 @@ static char *iptablesFormatNetwork(virSocketAddr *netaddr,
  */
 static int
 iptablesForwardAllowOut(virFirewall *fw,
-                        bool pvt,
                         virSocketAddr *netaddr,
                         unsigned int prefix,
                         const char *iface,
@@ -418,7 +406,7 @@ iptablesForwardAllowOut(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_FWO" : "FORWARD",
+                           "LIBVIRT_FWO",
                            "--source", networkstr,
                            "--in-interface", iface,
                            "--out-interface", physdev,
@@ -428,7 +416,7 @@ iptablesForwardAllowOut(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_FWO" : "FORWARD",
+                           "LIBVIRT_FWO",
                            "--source", networkstr,
                            "--in-interface", iface,
                            "--jump", "ACCEPT",
@@ -457,7 +445,7 @@ iptablesAddForwardAllowOut(virFirewall *fw,
                            const char *iface,
                            const char *physdev)
 {
-    return iptablesForwardAllowOut(fw, true, netaddr, prefix, iface, physdev, ADD);
+    return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, ADD);
 }
 
 /**
@@ -480,7 +468,7 @@ iptablesRemoveForwardAllowOut(virFirewall *fw,
                               const char *iface,
                               const char *physdev)
 {
-    return iptablesForwardAllowOut(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE);
+    return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, REMOVE);
 }
 
 
@@ -489,7 +477,6 @@ iptablesRemoveForwardAllowOut(virFirewall *fw,
  */
 static int
 iptablesForwardAllowRelatedIn(virFirewall *fw,
-                              bool pvt,
                               virSocketAddr *netaddr,
                               unsigned int prefix,
                               const char *iface,
@@ -507,7 +494,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_FWI" : "FORWARD",
+                           "LIBVIRT_FWI",
                            "--destination", networkstr,
                            "--in-interface", physdev,
                            "--out-interface", iface,
@@ -519,7 +506,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_FWI" : "FORWARD",
+                           "LIBVIRT_FWI",
                            "--destination", networkstr,
                            "--out-interface", iface,
                            "--match", "conntrack",
@@ -550,7 +537,7 @@ iptablesAddForwardAllowRelatedIn(virFirewall *fw,
                                  const char *iface,
                                  const char *physdev)
 {
-    return iptablesForwardAllowRelatedIn(fw, true, netaddr, prefix, iface, physdev, ADD);
+    return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, ADD);
 }
 
 /**
@@ -573,14 +560,13 @@ iptablesRemoveForwardAllowRelatedIn(virFirewall *fw,
                                     const char *iface,
                                     const char *physdev)
 {
-    return iptablesForwardAllowRelatedIn(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE);
+    return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, REMOVE);
 }
 
 /* Allow all traffic destined to the bridge, with a valid network address
  */
 static int
 iptablesForwardAllowIn(virFirewall *fw,
-                       bool pvt,
                        virSocketAddr *netaddr,
                        unsigned int prefix,
                        const char *iface,
@@ -598,7 +584,7 @@ iptablesForwardAllowIn(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_FWI" : "FORWARD",
+                           "LIBVIRT_FWI",
                            "--destination", networkstr,
                            "--in-interface", physdev,
                            "--out-interface", iface,
@@ -608,7 +594,7 @@ iptablesForwardAllowIn(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
                            action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_FWI" : "FORWARD",
+                           "LIBVIRT_FWI",
                            "--destination", networkstr,
                            "--out-interface", iface,
                            "--jump", "ACCEPT",
@@ -636,7 +622,7 @@ iptablesAddForwardAllowIn(virFirewall *fw,
                           const char *iface,
                           const char *physdev)
 {
-    return iptablesForwardAllowIn(fw, true, netaddr, prefix, iface, physdev, ADD);
+    return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD);
 }
 
 /**
@@ -659,20 +645,19 @@ iptablesRemoveForwardAllowIn(virFirewall *fw,
                              const char *iface,
                              const char *physdev)
 {
-    return iptablesForwardAllowIn(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE);
+    return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE);
 }
 
 static void
 iptablesForwardAllowCross(virFirewall *fw,
                           virFirewallLayer layer,
-                          bool pvt,
                           const char *iface,
                           int action)
 {
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
                        action == ADD ? "--insert" : "--delete",
-                       pvt ? "LIBVIRT_FWX" : "FORWARD",
+                       "LIBVIRT_FWX",
                        "--in-interface", iface,
                        "--out-interface", iface,
                        "--jump", "ACCEPT",
@@ -695,7 +680,7 @@ iptablesAddForwardAllowCross(virFirewall *fw,
                              virFirewallLayer layer,
                              const char *iface)
 {
-    iptablesForwardAllowCross(fw, layer, true, iface, ADD);
+    iptablesForwardAllowCross(fw, layer, iface, ADD);
 }
 
 /**
@@ -714,20 +699,19 @@ iptablesRemoveForwardAllowCross(virFirewall *fw,
                                 virFirewallLayer layer,
                                 const char *iface)
 {
-    iptablesForwardAllowCross(fw, layer, deletePrivate, iface, REMOVE);
+    iptablesForwardAllowCross(fw, layer, iface, REMOVE);
 }
 
 static void
 iptablesForwardRejectOut(virFirewall *fw,
                          virFirewallLayer layer,
-                         bool pvt,
                          const char *iface,
                          int action)
 {
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
                        action == ADD ? "--insert" : "--delete",
-                       pvt ? "LIBVIRT_FWO" : "FORWARD",
+                       "LIBVIRT_FWO",
                        "--in-interface", iface,
                        "--jump", "REJECT",
                        NULL);
@@ -748,7 +732,7 @@ iptablesAddForwardRejectOut(virFirewall *fw,
                             virFirewallLayer layer,
                             const char *iface)
 {
-    iptablesForwardRejectOut(fw, layer, true, iface, ADD);
+    iptablesForwardRejectOut(fw, layer, iface, ADD);
 }
 
 /**
@@ -766,21 +750,20 @@ iptablesRemoveForwardRejectOut(virFirewall *fw,
                                virFirewallLayer layer,
                                const char *iface)
 {
-    iptablesForwardRejectOut(fw, layer, deletePrivate, iface, REMOVE);
+    iptablesForwardRejectOut(fw, layer, iface, REMOVE);
 }
 
 
 static void
 iptablesForwardRejectIn(virFirewall *fw,
                         virFirewallLayer layer,
-                        bool pvt,
                         const char *iface,
                         int action)
 {
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
                        action == ADD ? "--insert" : "--delete",
-                       pvt ? "LIBVIRT_FWI" : "FORWARD",
+                       "LIBVIRT_FWI",
                        "--out-interface", iface,
                        "--jump", "REJECT",
                        NULL);
@@ -801,7 +784,7 @@ iptablesAddForwardRejectIn(virFirewall *fw,
                            virFirewallLayer layer,
                            const char *iface)
 {
-    iptablesForwardRejectIn(fw, layer, true, iface, ADD);
+    iptablesForwardRejectIn(fw, layer, iface, ADD);
 }
 
 /**
@@ -819,7 +802,7 @@ iptablesRemoveForwardRejectIn(virFirewall *fw,
                               virFirewallLayer layer,
                               const char *iface)
 {
-    iptablesForwardRejectIn(fw, layer, deletePrivate, iface, REMOVE);
+    iptablesForwardRejectIn(fw, layer, iface, REMOVE);
 }
 
 
@@ -828,7 +811,6 @@ iptablesRemoveForwardRejectIn(virFirewall *fw,
  */
 static int
 iptablesForwardMasquerade(virFirewall *fw,
-                          bool pvt,
                           virSocketAddr *netaddr,
                           unsigned int prefix,
                           const char *physdev,
@@ -863,7 +845,7 @@ iptablesForwardMasquerade(virFirewall *fw,
         rule = virFirewallAddRule(fw, layer,
                                   "--table", "nat",
                                   action == ADD ? "--insert" : "--delete",
-                                  pvt ? "LIBVIRT_PRT" : "POSTROUTING",
+                                  "LIBVIRT_PRT",
                                   "--source", networkstr,
                                   "-p", protocol,
                                   "!", "--destination", networkstr,
@@ -872,7 +854,7 @@ iptablesForwardMasquerade(virFirewall *fw,
         rule = virFirewallAddRule(fw, layer,
                                   "--table", "nat",
                                   action == ADD ? "--insert" : "--delete",
-                                  pvt ? "LIBVIRT_PRT" : "POSTROUTING",
+                                  "LIBVIRT_PRT",
                                   "--source", networkstr,
                                   "!", "--destination", networkstr,
                                   NULL);
@@ -944,7 +926,7 @@ iptablesAddForwardMasquerade(virFirewall *fw,
                              virPortRange *port,
                              const char *protocol)
 {
-    return iptablesForwardMasquerade(fw, true, netaddr, prefix,
+    return iptablesForwardMasquerade(fw, netaddr, prefix,
                                      physdev, addr, port, protocol, ADD);
 }
 
@@ -970,7 +952,7 @@ iptablesRemoveForwardMasquerade(virFirewall *fw,
                                 virPortRange *port,
                                 const char *protocol)
 {
-    return iptablesForwardMasquerade(fw, deletePrivate, netaddr, prefix,
+    return iptablesForwardMasquerade(fw, netaddr, prefix,
                                      physdev, addr, port, protocol, REMOVE);
 }
 
@@ -980,7 +962,6 @@ iptablesRemoveForwardMasquerade(virFirewall *fw,
  */
 static int
 iptablesForwardDontMasquerade(virFirewall *fw,
-                              bool pvt,
                               virSocketAddr *netaddr,
                               unsigned int prefix,
                               const char *physdev,
@@ -998,7 +979,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "nat",
                            action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_PRT" : "POSTROUTING",
+                           "LIBVIRT_PRT",
                            "--out-interface", physdev,
                            "--source", networkstr,
                            "--destination", destaddr,
@@ -1008,7 +989,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
         virFirewallAddRule(fw, layer,
                            "--table", "nat",
                            action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_PRT" : "POSTROUTING",
+                           "LIBVIRT_PRT",
                            "--source", networkstr,
                            "--destination", destaddr,
                            "--jump", "RETURN",
@@ -1038,7 +1019,7 @@ iptablesAddDontMasquerade(virFirewall *fw,
                           const char *physdev,
                           const char *destaddr)
 {
-    return iptablesForwardDontMasquerade(fw, true, netaddr, prefix,
+    return iptablesForwardDontMasquerade(fw, netaddr, prefix,
                                          physdev, destaddr, ADD);
 }
 
@@ -1063,14 +1044,13 @@ iptablesRemoveDontMasquerade(virFirewall *fw,
                              const char *physdev,
                              const char *destaddr)
 {
-    return iptablesForwardDontMasquerade(fw, deletePrivate, netaddr, prefix,
+    return iptablesForwardDontMasquerade(fw, netaddr, prefix,
                                          physdev, destaddr, REMOVE);
 }
 
 
 static void
 iptablesOutputFixUdpChecksum(virFirewall *fw,
-                             bool pvt,
                              const char *iface,
                              int port,
                              int action)
@@ -1083,7 +1063,7 @@ iptablesOutputFixUdpChecksum(virFirewall *fw,
     virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
                        "--table", "mangle",
                        action == ADD ? "--insert" : "--delete",
-                       pvt ? "LIBVIRT_PRT" : "POSTROUTING",
+                       "LIBVIRT_PRT",
                        "--out-interface", iface,
                        "--protocol", "udp",
                        "--destination-port", portstr,
@@ -1107,7 +1087,7 @@ iptablesAddOutputFixUdpChecksum(virFirewall *fw,
                                 const char *iface,
                                 int port)
 {
-    iptablesOutputFixUdpChecksum(fw, true, iface, port, ADD);
+    iptablesOutputFixUdpChecksum(fw, iface, port, ADD);
 }
 
 /**
@@ -1124,5 +1104,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewall *fw,
                                    const char *iface,
                                    int port)
 {
-    iptablesOutputFixUdpChecksum(fw, deletePrivate, iface, port, REMOVE);
+    iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE);
 }

diff --git a/src/util/viriptables.h b/src/util/viriptables.h
index 41c493d3ebb1b419d8c9ffc860c61a365813e6f0..bb13f3292d9c44145abd05050e6fc8951df8dd06 100644 (file)
--- a/src/util/viriptables.h
+++ b/src/util/viriptables.h
@@ -25,8 +25,6 @@
 
 int              iptablesSetupPrivateChains      (virFirewallLayer layer);
 
-void             iptablesSetDeletePrivate        (bool pvt);
-
 void             iptablesAddTcpInput             (virFirewall *fw,
                                                   virFirewallLayer layer,
                                                   const char *iface,