Bug 1593549 - parts of the network filter can not pass virt-xml-validate
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Laine Stump
QA Contact: yalzhang@redhat.com
Reported: 2018-06-21 04:49 UTC by yalzhang@redhat.com
Modified: 2018-10-30 09:57 UTC (History)

Fixed In Version: libvirt-4.5.0-1.el7
Last Closed: 2018-10-30 09:56:58 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3113 None None None 2018-10-30 09:57:59 UTC

Description yalzhang@redhat.com 2018-06-21 04:49:35 UTC
Description of problem:
virt-xml-validate fails for parts of the built-in network filters

Version-Release number of selected component (if applicable):
libvirt-4.4.0-2.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. 
# virsh nwfilter-dumpxml allow-arp
<filter name='allow-arp' chain='arp' priority='-500'>
  <uuid>06ab02dc-4e10-4d07-94e6-cb7bb0e96524</uuid>
  <rule action='accept' direction='inout' priority='500'/>
</filter>

# virsh nwfilter-dumpxml allow-arp > test.xml
# virt-xml-validate test.xml
test.xml:3: element rule: Relax-NG validity error : Expecting an element , got nothing
test.xml fails to validate

2. Same issue with 
no-other-rarp-traffic    
no-ip-spoofing   
no-arp-mac-spoofing 
no-arp-ip-spoofing   
allow-ipv4    
allow-incoming-ipv4    
allow-arp

Actual results:
part of the network filter will fail to validate the xml

Expected results:
the XML of the filter should validate successfully

Additional info:

# cat  -n /usr/share/libvirt/schemas/nwfilter.rng
 20           <element name="rule"> 
  21             <ref name="rule-node-attributes"/> 
  22             <choice> 
  23                 <element name="mac"> 
...
 28                 </element> 
  29                 <element name="vlan"> 
...
  34                 </element> 
  35                 <element name="stp"> 
....

Comment 2 yalzhang@redhat.com 2018-06-21 04:50:36 UTC
It is a regression from https://www.redhat.com/archives/libvir-list/2017-December/msg00195.html

Comment 4 Laine Stump 2018-06-21 06:13:36 UTC
Patch posted upstream:

https://www.redhat.com/archives/libvir-list/2018-June/msg01488.html

Comment 5 Laine Stump 2018-06-21 18:00:48 UTC
Pushed upstream, will be in libvirt-4.5.0:

commit 17b4734288ced5c34b3157c7c240f88823cbbfed
Author: Laine Stump <laine@laine.org>
Date:   Thu Jun 21 02:07:17 2018 -0400

    schema: allow a <rule> element with no subelements in a nwfilter
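
Added example, not part of the original bug report or of libvirt: the commit subject above and the allow-arp dump in the description point to the same trigger, a <rule> element with no subelements. The sketch below finds such rules in nwfilter XML, which predicts which dumps the pre-4.5.0 schema rejects; the function names and the second sample filter are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: the first is the allow-arp dump quoted in the report,
# the second is a made-up filter whose rule carries a protocol subelement.
SAMPLES = {
    "allow-arp": """<filter name='allow-arp' chain='arp' priority='-500'>
  <uuid>06ab02dc-4e10-4d07-94e6-cb7bb0e96524</uuid>
  <rule action='accept' direction='inout' priority='500'/>
</filter>""",
    "example-mac-rule": """<filter name='example-mac-rule' chain='mac'>
  <rule action='drop' direction='out' priority='500'>
    <mac match='no' srcmacaddr='$MAC'/>
  </rule>
</filter>""",
}


def empty_rules(filter_xml):
    """Return (position, attributes) for each <rule> without child elements."""
    root = ET.fromstring(filter_xml)
    if root.tag != "filter":
        raise ValueError("not a nwfilter document: root is <%s>" % root.tag)
    hits = []
    for pos, rule in enumerate(root.findall("rule"), start=1):
        if len(rule) == 0:  # len() of an Element counts its child elements
            hits.append((pos, dict(rule.attrib)))
    return hits


def affected_filters(samples):
    """Names of filters that contain at least one empty <rule>."""
    return sorted(name for name, xml in samples.items() if empty_rules(xml))


if __name__ == "__main__":
    for name in sorted(SAMPLES):
        hits = empty_rules(SAMPLES[name])
        print("%s: %s" % (name, "has empty <rule>" if hits else "ok"))
        for pos, attrs in hits:
            print("  rule #%d: %s" % (pos, attrs))
```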

Comment 8 yalzhang@redhat.com 2018-07-05 02:03:32 UTC
Test on libvirt-4.5.0-1.el7.x86_64, all nwfilter xml validates successfully

Get all the built-in nwfilter names in a file
# cat test
allow-arp           
allow-dhcp          
allow-dhcp-server   
allow-incoming-ipv4 
allow-ipv4          
clean-traffic       
no-arp-ip-spoofing  
no-arp-mac-spoofing 
no-arp-spoofing     
no-ip-multicast     
no-ip-spoofing      
no-mac-broadcast    
no-mac-spoofing     
no-other-l2-traffic 
no-other-rarp-traffic
qemu-announce-self  
qemu-announce-self-rarp

Prepare a simple script as below:
# cat test.sh 
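#!/bin/bash
# Dump each built-in nwfilter listed in ./test and validate it against the schema.
while read -r line
do
  [ -n "${line}" ] || continue   # skip blank lines
  virsh nwfilter-dumpxml "${line}" > "/tmp/${line}.xml"
  virt-xml-validate "/tmp/${line}.xml"
done < test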

All the nwfilter dumpxml files validate successfully.
# ./test.sh
/tmp/allow-arp.xml validates
/tmp/allow-dhcp.xml validates
/tmp/allow-dhcp-server.xml validates
/tmp/allow-incoming-ipv4.xml validates
/tmp/allow-ipv4.xml validates
/tmp/clean-traffic.xml validates
/tmp/no-arp-ip-spoofing.xml validates
/tmp/no-arp-mac-spoofing.xml validates
/tmp/no-arp-spoofing.xml validates
/tmp/no-ip-multicast.xml validates
/tmp/no-ip-spoofing.xml validates
/tmp/no-mac-broadcast.xml validates
/tmp/no-mac-spoofing.xml validates
/tmp/no-other-l2-traffic.xml validates
/tmp/no-other-rarp-traffic.xml validates
/tmp/qemu-announce-self.xml validates
/tmp/qemu-announce-self-rarp.xml validates

Comment 10 errata-xmlrpc 2018-10-30 09:56:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3113

