[libvirt] [PATCH 1/5] reload iptables rules simply by re-adding them
Daniel P. Berrange
berrange at redhat.com
Thu Dec 10 12:04:10 UTC 2009
On Thu, Dec 10, 2009 at 11:27:51AM +0000, Mark McLoughlin wrote:
> Currently, when we add iptables rules, we keep them on a list so that
> we can easily reload them on e.g. 'service libvirtd reload'.
>
> However, we don't save this list to disk, so if libvirtd is restarted
> we lose the ability to reload the rules.
>
> The fix is simple - just re-add the damn things on reload.
>
> Note, we delete the rules before re-adding them, just like the current
> behaviour of iptRulesReload().
>
> * src/network/bridge_driver.c: re-add the iptables rules on reload.
> ---
> src/network/bridge_driver.c | 30 ++++++++++++++++++++++++------
> 1 files changed, 24 insertions(+), 6 deletions(-)
>
> diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
> index 0342aa0..766f8cd 100644
> --- a/src/network/bridge_driver.c
> +++ b/src/network/bridge_driver.c
> @@ -96,6 +96,8 @@ static int networkShutdownNetworkDaemon(virConnectPtr conn,
> struct network_driver *driver,
> virNetworkObjPtr network);
>
> +static void networkReloadIptablesRules(struct network_driver *driver);
> +
> static struct network_driver *driverState = NULL;
>
>
> @@ -291,12 +293,7 @@ networkReload(void) {
> &driverState->networks,
> driverState->networkConfigDir,
> driverState->networkAutostartDir);
> -
> - if (driverState->iptables) {
> - VIR_INFO0(_("Reloading iptables rules\n"));
> - iptablesReloadRules(driverState->iptables);
> - }
> -
> + networkReloadIptablesRules(driverState);
> networkAutostartConfigs(driverState);
> networkDriverUnlock(driverState);
> return 0;
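Review bot: The new call `networkReloadIptablesRules(driverState);` drops the `if (driverState->iptables)` guard that the removed lines had, so the reload path now runs even when the driver has no iptables context; networkRemoveIptablesRules is shown further down ending in `iptablesSaveRules(driver->iptables);`, which would then be handed NULL. Unless networkAddIptablesRules and networkRemoveIptablesRules are known to tolerate a NULL context (not visible here), keep the guard at the call site: `if (driverState->iptables) networkReloadIptablesRules(driverState);`. networkReload's body begins and ends outside this hunk.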
> @@ -812,6 +809,27 @@ networkRemoveIptablesRules(struct network_driver *driver,
> iptablesSaveRules(driver->iptables);
> }
>
> +static void
> +networkReloadIptablesRules(struct network_driver *driver)
> +{
> + unsigned int i;
> +
> + VIR_INFO0(_("Reloading iptables rules"));
> +
> + for (i = 0 ; i < driver->networks.count ; i++) {
> + virNetworkObjLock(driver->networks.objs[i]);
> +
> + if (virNetworkObjIsActive(driver->networks.objs[i])) {
> + networkRemoveIptablesRules(driver, driver->networks.objs[i]);
> + if (!networkAddIptablesRules(NULL, driver, driver->networks.objs[i])) {
> + /* failed to add but already logged */
> + }
> + }
> +
> + virNetworkObjUnlock(driver->networks.objs[i]);
> + }
> +}
> +
> /* Enable IP Forwarding. Return 0 for success, -1 for failure. */
> static int
> networkEnableIpForwarding(void)
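Review bot: The empty body at `if (!networkAddIptablesRules(NULL, driver, driver->networks.objs[i])) { /* failed to add but already logged */ }` hides the security-relevant outcome of that branch: the network's rules were already torn down by `networkRemoveIptablesRules` on the preceding line, so a failed re-add leaves an active network with none of its iptables rules (fail-open) until the next reload, and nothing here records which network is affected. Either drop the empty block and keep the comment above the call, or state the consequence explicitly, e.g. `/* Rules were removed above; if re-adding fails this network stays active with no iptables rules until the next reload (error already logged). */`. A VIR_WARN naming the network would make the degraded state visible to operators, though the add function's return convention and the object's name field are not visible in this hunk. The tail of networkRemoveIptablesRules and the start of networkEnableIpForwarding are context only; their bodies lie outside the hunk.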
ACK
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|