On Thu, Dec 10, 2009 at 11:27:51AM +0000, Mark McLoughlin wrote:
Currently, when we add iptables rules, we keep them on a list so that we can easily reload them on e.g. 'service libvirtd reload'.
However, we don't save this list to disk, so if libvirtd is restarted
we lose the ability to reload the rules.
The fix is simple - just re-add the damn things on reload.
Note, we delete the rules before re-adding them, just like the current
behaviour of iptRulesReload().
* src/network/bridge_driver.c: re-add the iptables rules on reload.
---
src/network/bridge_driver.c | 30 ++++++++++++++++++++++++------
1 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 0342aa0..766f8cd 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -96,6 +96,8 @@ static int networkShutdownNetworkDaemon(virConnectPtr conn,
struct network_driver *driver,
virNetworkObjPtr network);
+static void networkReloadIptablesRules(struct network_driver *driver);
+
static struct network_driver *driverState = NULL;
@@ -291,12 +293,7 @@ networkReload(void) {
&driverState->networks,
driverState->networkConfigDir,
driverState->networkAutostartDir);
-
- if (driverState->iptables) {
- VIR_INFO0(_("Reloading iptables rules\n"));
- iptablesReloadRules(driverState->iptables);
- }
-
+ networkReloadIptablesRules(driverState);
networkAutostartConfigs(driverState);
networkDriverUnlock(driverState);
return 0;
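Review bot: The removed lines only reloaded when `driverState->iptables` was non-NULL, but the replacement `networkReloadIptablesRules(driverState);` is called unconditionally, and the new helper (defined in the next hunk) reaches `networkRemoveIptablesRules`, whose visible tail calls `iptablesSaveRules(driver->iptables)`, so safety with a NULL handle now depends on that callee. If an active network implies the handle was already created this is fine, but that invariant isn't visible here; keeping `if (driverState->iptables) networkReloadIptablesRules(driverState);` or stating the invariant in a comment on the helper would make it explicit. networkReload's opening and closing lines are outside this hunk.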
@@ -812,6 +809,27 @@ networkRemoveIptablesRules(struct network_driver *driver,
iptablesSaveRules(driver->iptables);
}
+static void
+networkReloadIptablesRules(struct network_driver *driver)
+{
+ unsigned int i;
+
+ VIR_INFO0(_("Reloading iptables rules"));
+
+ for (i = 0 ; i < driver->networks.count ; i++) {
+ virNetworkObjLock(driver->networks.objs[i]);
+
+ if (virNetworkObjIsActive(driver->networks.objs[i])) {
+ networkRemoveIptablesRules(driver, driver->networks.objs[i]);
+ if (!networkAddIptablesRules(NULL, driver, driver->networks.objs[i])) {
+ /* failed to add but already logged */
+ }
+ }
+
+ virNetworkObjUnlock(driver->networks.objs[i]);
+ }
+}
+
/* Enable IP Forwarding. Return 0 for success, -1 for failure. */
static int
networkEnableIpForwarding(void)
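Review bot: The empty `if` body after the failed `networkAddIptablesRules` call leaves a network that is still flagged active with its iptables rules already torn down by the preceding `networkRemoveIptablesRules`, and nothing at this level records which network lost its rules. Since these rules presumably enforce the network's NAT/forwarding policy (inferred from the function names, not shown here), the failure should be tied to the network rather than left to the callee's log; at minimum replace the empty body with `(void) networkAddIptablesRules(NULL, driver, driver->networks.objs[i]); /* failure is logged by the callee; rules stay removed until the next reload */`, or better, emit a warning naming the network. Passing `NULL` as the connection argument cannot be checked from this hunk; the other call sites' convention should be confirmed. The remove-then-add sequence also leaves a short window with no rules on every reload, which the commit message describes as pre-existing behaviour.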
ACK
Daniel
--
|: Red Hat, Engineering, London -o-
http://people.redhat.com/berrange/ :|
|:
http://libvirt.org -o-
http://virt-manager.org -o-
http://ovirt.org :|
|:
http://autobuild.org -o-
http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|