File 3b66bd9a-add-debug-chain-creation.patch of Package libvirt.11700
commit 3b66bd9aa1bc463f7123f7b966e5c38e72d650f7
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: Wed May 22 13:08:13 2019 +0100
network: add more debugging of firewall chain creation
Reviewed-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Index: libvirt-5.1.0/src/network/bridge_driver_linux.c
===================================================================
--- libvirt-5.1.0.orig/src/network/bridge_driver_linux.c
+++ libvirt-5.1.0/src/network/bridge_driver_linux.c
@@ -45,28 +45,42 @@ static void networkSetupPrivateChains(vo
{
int rc;
+ VIR_DEBUG("Setting up global firewall chains");
+
createdChains = false;
rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV4);
if (rc < 0) {
+ VIR_DEBUG("Failed to create global IPv4 chains: %s",
+ virGetLastErrorMessage());
errInitV4 = virSaveLastError();
virResetLastError();
} else {
virFreeError(errInitV4);
errInitV4 = NULL;
- if (rc)
+ if (rc) {
+ VIR_DEBUG("Created global IPv4 chains");
createdChains = true;
+ } else {
+ VIR_DEBUG("Global IPv4 chains already exist");
+ }
}
rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6);
if (rc < 0) {
+ VIR_DEBUG("Failed to create global IPv6 chains: %s",
+ virGetLastErrorMessage());
errInitV6 = virSaveLastError();
virResetLastError();
} else {
virFreeError(errInitV6);
errInitV6 = NULL;
- if (rc)
+ if (rc) {
+ VIR_DEBUG("Created global IPv6 chains");
createdChains = true;
+ } else {
+ VIR_DEBUG("Global IPv6 chains already exist");
+ }
}
}
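Review bot: Both `rc < 0` branches (IPv4 and IPv6) report the chain-creation failure only through `VIR_DEBUG`, then move the error into `errInitV4`/`errInitV6` and call `virResetLastError()`, so at a default log level nothing records that the private firewall chains are missing. Whether the saved error is raised again later is not visible in this hunk. If it is, a comment above the first branch should say so, for example `/* error is kept in errInitV4 and reported once a network needs the chains */`; if it is not, `VIR_WARN` would be the more fitting level for these two messages. As a point of style, the IPv4 and IPv6 blocks now differ only in the layer constant, the saved-error variable and the message text, which a small `static` helper could absorb.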
@@ -95,8 +109,10 @@ void networkPreReloadFirewallRules(bool
* rules will be present. Thus we can safely just tell it
* to always delete from the builin chain
*/
- if (startup && createdChains)
+ if (startup && createdChains) {
+ VIR_DEBUG("Requesting cleanup of legacy firewall rules");
iptablesSetDeletePrivate(false);
+ }
}
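Review bot: The new `VIR_DEBUG` fires only when `startup && createdChains` is true, so a debug log cannot tell a skipped legacy-rule cleanup apart from a call that never happened. Logging the two flags before the test, `VIR_DEBUG("startup=%d createdChains=%d", startup, createdChains);`, would cover both outcomes. The comment just above the condition also has a typo, `builin` for `builtin`. networkPreReloadFirewallRules starts outside the hunk, so the rest of its body is not reviewed here.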