On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
Convert the virebtables.{c,h} files to use the new virFirewall
APIs for changing ebtables rules.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
/**
* ebtablesContextNew:
*
@@ -216,12 +89,30 @@ ebtablesContextFree(ebtablesContext *ctx)
int
ebtablesAddForwardPolicyReject(ebtablesContext *ctx)
{
- ebtablesAddRemoveRule("--new-chain", ctx->chain, NULL,
- NULL);
- ebtablesAddRemoveRule("--insert", "FORWARD",
"--jump",
- ctx->chain, NULL);
- return ebtablesAddRemoveRule("-P", ctx->chain, "DROP",
- NULL);
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+
+ fw = virFirewallNew();
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
Ignoring errors because the ebtablesAdd* calls above ignored them as
well... makes sense.
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "--new-chain", ctx->chain,
+ NULL);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "--insert", "FORWARD",
+ "--jump", ctx->chain, NULL);
+
+ virFirewallStartTransaction(fw, 0);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-P", ctx->chain, "DROP",
+ NULL);
+
+ if (virFirewallApply(fw) < 0)
+ goto cleanup;
+
+ ret = 0;
+ cleanup:
+ virFirewallFree(fw);
+ return ret;
}
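Review bot: The return value of virFirewallNew() is used unchecked: `fw` is handed to virFirewallStartTransaction() and virFirewallAddRule() right after the assignment, so an allocation failure is only noticed, if at all, when virFirewallApply() eventually fails on the NULL object. Unless the virFirewall API is documented to accept a NULL firewall in every entry point, I would guard it explicitly, e.g. `if (!(fw = virFirewallNew())) goto cleanup;`, which works with the existing `ret = -1` initialisation provided virFirewallFree() tolerates NULL (the cleanup label currently never sees a NULL `fw`, so that assumption is new). The two transactions are also opened with different flags without any comment saying why; a one-liner above the second virFirewallStartTransaction() such as `/* Chain creation/insertion above is best-effort; setting the DROP policy must succeed. */` would spare the next reader a look at the pre-conversion history. If ebtablesAddForwardPolicyReject() has no doc comment above the hunk header, the same information belongs there in the file's `/** ... */` style.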
ACK