libvirt-daemon-config-nwfilter: New binary package

Networks and nwfilters are treated similarly by libvirtd, specifically when it comes to injecting generated data such as the UUID back into a file that was installed into /etc, so let's treat them the same way at the package level too.

libvirt-daemon-config-nwfilter: New binary package
0168a255 · Andrea Bolognani · Guido Günther · 55504dd0 · 0168a255 · 0168a255
Commit 0168a255 authored 4 years ago by Andrea Bolognani Committed by Guido Günther 4 years ago
--- a/debian/control
+++ b/debian/control
@@ -330,6 +330,7 @@ Recommends:
 dnsmasq-base (>= 2.46-1),
 iproute2,
 libvirt-daemon-config-network,
+ libvirt-daemon-config-nwfilter,
 mdevctl,
 parted,
 Suggests:
@@ -419,6 +420,27 @@ Description: Libvirt daemon configuration files (default network)
 application expects it to be present; if that's not the case, this package
 can safely be uninstalled.

+Package: libvirt-daemon-config-nwfilter
+Section: admin
+Architecture: all
+Depends:
+ libvirt-daemon-system (= ${binary:Version}),
+ ${misc:Depends},
+Breaks:
+ libvirt-daemon-system (<< 6.9.0-2~),
+Replaces:
+ libvirt-daemon-system (<< 6.9.0-2~),
+Description: Libvirt daemon configuration files (default network filters)
+ Libvirt is a C toolkit to interact with the virtualization capabilities
+ of recent versions of Linux (and other OSes). The library aims at providing
+ a long term stable C API for different virtualization mechanisms. It currently
+ supports QEMU, KVM, XEN, OpenVZ, LXC, and VirtualBox.
+ .
+ This package contains the configuration for the default libvirt network
+ filters, which only needs to exist if your VMs are configured to use them or
+ some other application expects them to be present; if that's not the case,
+ this package can safely be uninstalled.
+
 Package: libvirt0
 Architecture: any
 Multi-Arch: same

--- a/debian/libvirt-daemon-config-nwfilter.install
+++ b/debian/libvirt-daemon-config-nwfilter.install
+usr/share/libvirt/nwfilter/allow-arp.xml
+usr/share/libvirt/nwfilter/allow-dhcp-server.xml
+usr/share/libvirt/nwfilter/allow-dhcp.xml
+usr/share/libvirt/nwfilter/allow-incoming-ipv4.xml
+usr/share/libvirt/nwfilter/allow-ipv4.xml
+usr/share/libvirt/nwfilter/clean-traffic-gateway.xml
+usr/share/libvirt/nwfilter/clean-traffic.xml
+usr/share/libvirt/nwfilter/no-arp-ip-spoofing.xml
+usr/share/libvirt/nwfilter/no-arp-mac-spoofing.xml
+usr/share/libvirt/nwfilter/no-arp-spoofing.xml
+usr/share/libvirt/nwfilter/no-ip-multicast.xml
+usr/share/libvirt/nwfilter/no-ip-spoofing.xml
+usr/share/libvirt/nwfilter/no-mac-broadcast.xml
+usr/share/libvirt/nwfilter/no-mac-spoofing.xml
+usr/share/libvirt/nwfilter/no-other-l2-traffic.xml
+usr/share/libvirt/nwfilter/no-other-rarp-traffic.xml
+usr/share/libvirt/nwfilter/qemu-announce-self-rarp.xml
+usr/share/libvirt/nwfilter/qemu-announce-self.xml
--- a/debian/libvirt-daemon-config-nwfilter.postinst
+++ b/debian/libvirt-daemon-config-nwfilter.postinst
+#!/bin/sh
+
+set -e
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <postinst> `abort-remove'
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+create_config_from_template() {
+    local config="$1"
+    local template="$2"
+
+    if [ "$3" != "--" ]; then
+        echo "create_config_from_template called with the wrong number of arguments" >&2
+        return 1
+    fi
+    for _ in $(seq 1 3); do
+        shift
+    done
+
+    if [ -n "$2" ] && [ -e "$config.dpkg-backup" ]; then
+        # If the package has been configured in the past and a backup config
+        # is available use it, so that uninstalling the package and
+        # subsequently reinstalling it results in the very same configuration
+        mv -f "$config.dpkg-backup" "$config"
+        return 0
+    fi
+
+    if [ -z "$2" ]; then
+        # If we're installing from scratch, make a copy of the template in
+        # the appropriate location and with the expected permissions
+        install -o root -g root -m 0600 "$template" "$config"
+        return 0
+    fi
+}
+
+finish_conffile_transfer() {
+    local conffile="$1"
+    local lastver="$2"
+    local pkgfrom="$3"
+    local pkgto="$4"
+
+    if [ "$5" != "--" ]; then
+        echo "finish_conffile_transfer called with the wrong number of arguments" >&2
+        return 1
+    fi
+    for _ in $(seq 1 5); do
+        shift
+    done
+
+    # If we're upgrading rather than installing from scratch, we can assume
+    # the transfer must have happened at some point in the past and stop here
+    if [ -n "$2" ]; then
+        return 0
+    fi
+
+    if [ -e "$conffile.dpkg-transfer" ]; then
+        # Complete the process started in $pkgfrom's preinst by restoring the
+        # version of the conffile containing local modifications
+        echo "Finishing transfer of config file $conffile (from $pkgfrom to $pkgto) ..."
+        mv -f "$conffile.dpkg-transfer" "$conffile"
+        return 0
+    fi
+
+    if [ -e "$conffile.dpkg-disappear" ]; then
+        # The conffile had been deleted by the admin, so let's return to
+        # that state
+        rm -f "$conffile" "$conffile.dpkg-disappear"
+        return 0
+    fi
+}
+
+NWFILTERS="
+    allow-arp
+    allow-dhcp-server
+    allow-dhcp
+    allow-incoming-ipv4
+    allow-ipv4
+    clean-traffic-gateway
+    clean-traffic
+    no-arp-ip-spoofing
+    no-arp-mac-spoofing
+    no-arp-spoofing
+    no-ip-multicast
+    no-ip-spoofing
+    no-mac-broadcast
+    no-mac-spoofing
+    no-other-l2-traffic
+    no-other-rarp-traffic
+    qemu-announce-self-rarp
+    qemu-announce-self
+"
+
+case "$1" in
+    configure)
+        for nwfilter in $NWFILTERS; do
+            create_config_from_template \
+                "/etc/libvirt/nwfilter/$nwfilter.xml" \
+                "/usr/share/libvirt/nwfilter/$nwfilter.xml" \
+                -- \
+                "$@"
+            finish_conffile_transfer \
+                "/etc/libvirt/nwfilter/$nwfilter.xml" \
+                "6.9.0-2~" \
+                "libvirt-daemon-system" \
+                "libvirt-daemon-config-nwfilter" \
+                -- \
+                "$@"
+        done
+
+        # Since we might have changed the on-disk configuration for some
+        # services, restart them so that they can pick up the new settings
+        if [ -d /run/systemd/system ]; then
+            if systemctl is-active -q virtnwfilterd; then
+                systemctl restart virtnwfilterd
+            fi
+            if systemctl is-active -q libvirtd; then
+                systemctl restart libvirtd
+            fi
+        fi
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+#DEBHELPER#
+
+exit 0
--- a/debian/libvirt-daemon-config-nwfilter.postrm
+++ b/debian/libvirt-daemon-config-nwfilter.postrm
+#!/bin/sh
+
+set -e
+
+# summary of how this script can be called:
+#        * <postrm> `remove'
+#        * <postrm> `purge'
+#        * <old-postrm> `upgrade' <new-version>
+#        * <new-postrm> `failed-upgrade' <old-version>
+#        * <new-postrm> `abort-install'
+#        * <new-postrm> `abort-install' <old-version>
+#        * <new-postrm> `abort-upgrade' <old-version>
+#        * <disappearer's-postrm> `disappear' <overwriter>
+#          <overwriter-version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+remove_config_from_template() {
+    local config="$1"
+    local template="$2"
+
+    if [ "$3" != "--" ]; then
+        echo "remove_config_from_template called with the wrong number of arguments" >&2
+        return 1
+    fi
+    for _ in $(seq 1 3); do
+        shift
+    done
+
+    if [ "$1" = "remove" ] && [ -e "$config" ]; then
+        # When removing the package, move the configuration file to the side
+        # so that the daemon no longer sees it, but we can still restore it
+        # at a later time if the package is reinstalled
+        mv -f "$config" "$config.dpkg-backup"
+        return 0
+    fi
+
+    if [ "$1" = "purge" ]; then
+        # When purging the package, remove all traces of the configuration
+        rm -f "$config" "$config.dpkg-backup"
+        return 0
+    fi
+}
+
+NWFILTERS="
+    allow-arp
+    allow-dhcp-server
+    allow-dhcp
+    allow-incoming-ipv4
+    allow-ipv4
+    clean-traffic-gateway
+    clean-traffic
+    no-arp-ip-spoofing
+    no-arp-mac-spoofing
+    no-arp-spoofing
+    no-ip-multicast
+    no-ip-spoofing
+    no-mac-broadcast
+    no-mac-spoofing
+    no-other-l2-traffic
+    no-other-rarp-traffic
+    qemu-announce-self-rarp
+    qemu-announce-self
+"
+
+case "$1" in
+    remove|purge)
+        for nwfilter in $NWFILTERS; do
+            remove_config_from_template \
+                "/etc/libvirt/nwfilter/$nwfilter.xml" \
+                "/usr/share/libvirt/nwfilter/$nwfilter.xml" \
+                -- \
+                "$@"
+        done
+
+        # Since we might have changed the on-disk configuration for some
+        # services, restart them so that they can pick up the new settings
+        if [ -d /run/systemd/system ]; then
+            if systemctl is-active -q virtnwfilterd; then
+                systemctl restart virtnwfilterd
+            fi
+            if systemctl is-active -q libvirtd; then
+                systemctl restart libvirtd
+            fi
+        fi
+    ;;
+
+    upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+    ;;
+
+    *)
+        echo "postrm called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+#DEBHELPER#
+
+exit 0
--- a/debian/libvirt-daemon-system.postrm
+++ b/debian/libvirt-daemon-system.postrm
@@ -45,6 +45,27 @@ abort_conffile_transfer() {
    rm -f "$conffile.dpkg-disappear"
 }

+NWFILTERS="
+    allow-arp
+    allow-dhcp-server
+    allow-dhcp
+    allow-incoming-ipv4
+    allow-ipv4
+    clean-traffic-gateway
+    clean-traffic
+    no-arp-ip-spoofing
+    no-arp-mac-spoofing
+    no-arp-spoofing
+    no-ip-multicast
+    no-ip-spoofing
+    no-mac-broadcast
+    no-mac-spoofing
+    no-other-l2-traffic
+    no-other-rarp-traffic
+    qemu-announce-self-rarp
+    qemu-announce-self
+"
+
 case "$1" in
    purge)
        if getent group libvirt >/dev/null; then
@@ -87,6 +108,15 @@ case "$1" in
            "libvirt-daemon-config-network" \
            -- \
            "$@"
+        for nwfilter in $NWFILTERS; do
+            abort_conffile_transfer \
+                "/etc/libvirt/nwfilter/$nwfilter.xml" \
+                "6.9.0-2~" \
+                "libvirt-daemon-system" \
+                "libvirt-daemon-config-nwfilter" \
+                -- \
+                "$@"
+        done
    ;;

    remove|upgrade|failed-upgrade|disappear)

--- a/debian/libvirt-daemon-system.preinst
+++ b/debian/libvirt-daemon-system.preinst
@@ -48,6 +48,27 @@ prepare_conffile_transfer() {
    fi
 }

+NWFILTERS="
+    allow-arp
+    allow-dhcp-server
+    allow-dhcp
+    allow-incoming-ipv4
+    allow-ipv4
+    clean-traffic-gateway
+    clean-traffic
+    no-arp-ip-spoofing
+    no-arp-mac-spoofing
+    no-arp-spoofing
+    no-ip-multicast
+    no-ip-spoofing
+    no-mac-broadcast
+    no-mac-spoofing
+    no-other-l2-traffic
+    no-other-rarp-traffic
+    qemu-announce-self-rarp
+    qemu-announce-self
+"
+
 case "$1" in
    install|upgrade)
        prepare_conffile_transfer \
@@ -57,6 +78,15 @@ case "$1" in
            "libvirt-daemon-config-network" \
            -- \
            "$@"
+        for nwfilter in $NWFILTERS; do
+            prepare_conffile_transfer \
+                "/etc/libvirt/nwfilter/$nwfilter.xml" \
+                "6.9.0-2~" \
+                "libvirt-daemon-system" \
+                "libvirt-daemon-config-nwfilter" \
+                -- \
+                "$@"
+        done
    ;;

    abort-upgrade)

--- a/debian/rules
+++ b/debian/rules
@@ -223,6 +223,7 @@ override_dh_auto_install:

 	mkdir -p $(DEB_DESTDIR)/usr/share/libvirt/
 	mv $(DEB_DESTDIR)/etc/libvirt/qemu/networks/ \
+	   $(DEB_DESTDIR)/etc/libvirt/nwfilter/ \
 	   $(DEB_DESTDIR)/usr/share/libvirt/

 override_dh_install-arch:
@@ -244,7 +245,6 @@ ifneq (,$(findstring $(DEB_HOST_ARCH_OS), linux))
 	dh_install -p libvirt-daemon-system usr/share/systemtap
 	dh_install -p libvirt-daemon-system etc/libvirt/lxc.conf
 	dh_install -p libvirt-daemon-system etc/libvirt/qemu-sanlock.conf
-	dh_install -p libvirt-daemon-system etc/libvirt/nwfilter/
 	dh_install -p libnss-libvirt \
 	           usr/lib/$(DEB_HOST_MULTIARCH)/libnss_libvirt*.so.2 \
 	           lib/$(DEB_HOST_MULTIARCH)/