[Libvir] [patch 1/1] Reduce the number of times lokkit is run

Mark McLoughlin markmc at redhat.com
Fri Jan 4 17:13:31 UTC 2008


plain text document attachment (libvirt-iptables-save-rules.patch)
With --enable-iptables-lokkit, the rules are saved to disk
and lokkit --custom-rules is run each time a single rule is
added or removed.

This patch moves this code into a new iptablesSaveRules()
function so that we can do it for all rules at once.

Signed-off-by: Mark McLoughlin <markmc at redhat.com>

Index: libvirt/src/iptables.c
===================================================================
--- libvirt.orig/src/iptables.c	2008-01-04 15:30:31.000000000 +0000
+++ libvirt.orig/src/iptables.c	2008-01-04 15:30:31.000000000 +0000
@@ -282,6 +282,25 @@ writeRules(const char *path,
 #endif /* ENABLE_IPTABLES_LOKKIT */
 
 static void
+iptRulesSave(iptRules *rules)
+{
+#ifdef ENABLE_IPTABLES_LOKKIT
+    int err;
+
+    if ((err = writeRules(rules->path, rules->rules, rules->nrules))) {
+        qemudLog(QEMUD_WARN, "Failed to saves iptables rules to %s : %s",
+                 rules->path, strerror(err));
+        return;
+    }
+
+    if (rules->nrules > 0)
+        notifyRulesUpdated(rules->table, rules->path);
+    else
+        notifyRulesRemoved(rules->table, rules->path);
+#endif /* ENABLE_IPTABLES_LOKKIT */
+}
+
+static void
 iptRuleFree(iptRule *rule)
 {
     if (rule->rule)
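Review bot: iptRulesSave calls writeRules without first creating rules->dir, while the append-path block it replaces (deleted in the iptRulesAppend hunk below) called `virFileMakePath(rules->dir)` before writing; on a host where the directory does not yet exist the first save will now fail and only log a warning. Restoring the call keeps the old behaviour, e.g. `if ((err = virFileMakePath(rules->dir)) == 0) err = writeRules(rules->path, rules->rules, rules->nrules);` in place of the bare writeRules call, with the existing `if (err)` branch handling both. The log text `"Failed to saves iptables rules"` should read `"Failed to save iptables rules"`. Since the function is void, the write failure that iptRulesAppend and iptRulesRemove used to return to their callers is now logged and dropped; a header comment such as `/* Best-effort persistence: a failed write is logged, not reported to the caller. */` would make that contract explicit.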
@@ -321,20 +340,6 @@ iptRulesAppend(iptRules *rules,
 
     rules->nrules++;
 
-#ifdef ENABLE_IPTABLES_LOKKIT
-    {
-        int err;
-
-        if ((err = virFileMakePath(rules->dir)))
-            return err;
-
-        if ((err = writeRules(rules->path, rules->rules, rules->nrules)))
-            return err;
-    }
-
-    notifyRulesUpdated(rules->table, rules->path);
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
     return 0;
 }
 
@@ -359,20 +364,6 @@ iptRulesRemove(iptRules *rules,
 
     rules->nrules--;
 
-#ifdef ENABLE_IPTABLES_LOKKIT
-    {
-        int err;
-
-        if ((err = writeRules(rules->path, rules->rules, rules->nrules)))
-            return err;
-    }
-
-    if (rules->nrules > 0)
-        notifyRulesUpdated(rules->table, rules->path);
-    else
-        notifyRulesRemoved(rules->table, rules->path);
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
     return 0;
 }
 
@@ -658,6 +649,22 @@ iptablesContextFree(iptablesContext *ctx
     free(ctx);
 }
 
+/**
+ * iptablesSaveRules:
+ * @ctx: pointer to the IP table context
+ *
+ * Saves all the IP table rules associated with a context
+ * to disk so that if iptables is restarted, the rules
+ * will automatically be reload.
+ */
+void
+iptablesSaveRules(iptablesContext *ctx)
+{
+    iptRulesSave(ctx->input_filter);
+    iptRulesSave(ctx->forward_filter);
+    iptRulesSave(ctx->nat_postrouting);
+}
+
 static void
 iptRulesReload(iptRules *rules)
 {
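Review bot: The doc comment on iptablesSaveRules has a grammar slip, `will automatically be reload` should be `will automatically be reloaded`, and it does not say what the caller can rely on. Since iptRulesSave only logs a failed write and its whole body is compiled out without ENABLE_IPTABLES_LOKKIT, I would extend the comment with `Failures are logged, not reported; without ENABLE_IPTABLES_LOKKIT this is a no-op.` The body is straightforward and needs no other change.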
Index: libvirt/src/iptables.h
===================================================================
--- libvirt.orig/src/iptables.h	2007-12-13 09:05:31.000000000 +0000
+++ libvirt.orig/src/iptables.h	2007-12-13 09:05:31.000000000 +0000
@@ -29,6 +29,7 @@ typedef struct _iptablesContext iptables
 iptablesContext *iptablesContextNew              (void);
 void             iptablesContextFree             (iptablesContext *ctx);
 
+void             iptablesSaveRules               (iptablesContext *ctx);
 void             iptablesReloadRules             (iptablesContext *ctx);
 
 int              iptablesAddTcpInput             (iptablesContext *ctx,
Index: libvirt/src/qemu_driver.c
===================================================================
--- libvirt.orig/src/qemu_driver.c	2007-12-13 09:05:31.000000000 +0000
+++ libvirt.orig/src/qemu_driver.c	2007-12-13 09:05:31.000000000 +0000
@@ -1009,8 +1009,10 @@ qemudAddIptablesRules(virConnectPtr conn
 

     /* The remaining rules are only needed for IP forwarding */
-    if (!network->def->forward)
+    if (!network->def->forward) {
+        iptablesSaveRules(driver->iptables);
         return 1;
+    }
 
     /* allow forwarding packets from the bridge interface */
     if ((err = iptablesAddForwardAllowOut(driver->iptables,
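Review bot: iptablesSaveRules is now called on the two success returns of qemudAddIptablesRules (the early return here and before `return 1` in the next hunk of this file) but not on the `err10:` unwind, so on a part-way failure the on-disk file keeps whatever the last successful call saved; that is correct only if the unwind removes every rule this call added before any save, which happens outside the hunk and I cannot confirm from the diff. A one-line comment at the save sites, `/* persist only once all rules are in place; the error unwind is assumed to restore the previous in-memory state, so the saved file stays valid */`, would record the invariant the two call sites rely on. qemudAddIptablesRules starts and ends outside the hunk.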
@@ -1044,6 +1046,8 @@ qemudAddIptablesRules(virConnectPtr conn
         goto err10;
     }
 
+    iptablesSaveRules(driver->iptables);
+
     return 1;
 
  err10:
@@ -1100,6 +1104,7 @@ qemudRemoveIptablesRules(struct qemud_dr
     iptablesRemoveTcpInput(driver->iptables, network->bridge, 53);
     iptablesRemoveUdpInput(driver->iptables, network->bridge, 67);
     iptablesRemoveTcpInput(driver->iptables, network->bridge, 67);
+    iptablesSaveRules(driver->iptables);
 }
 
 static int

-- 



