With --enable-iptables-lokkit, the rules are saved to disk
and lokkit --custom-rules is run each time a single rule is
added or removed.
This patch moves this code into a new iptablesSaveRules()
function so that we can do it for all rules at once.
Signed-off-by: Mark McLoughlin <markmc(a)redhat.com>
Index: libvirt/src/iptables.c
===================================================================
--- libvirt.orig/src/iptables.c 2008-01-04 15:30:31.000000000 +0000
+++ libvirt.orig/src/iptables.c 2008-01-04 15:30:31.000000000 +0000
@@ -282,6 +282,25 @@ writeRules(const char *path,
#endif /* ENABLE_IPTABLES_LOKKIT */
static void
+iptRulesSave(iptRules *rules)
+{
+#ifdef ENABLE_IPTABLES_LOKKIT
+ int err;
+
+ if ((err = writeRules(rules->path, rules->rules, rules->nrules))) {
+ qemudLog(QEMUD_WARN, "Failed to saves iptables rules to %s : %s",
+ rules->path, strerror(err));
+ return;
+ }
+
+ if (rules->nrules > 0)
+ notifyRulesUpdated(rules->table, rules->path);
+ else
+ notifyRulesRemoved(rules->table, rules->path);
+#endif /* ENABLE_IPTABLES_LOKKIT */
+}
+
+static void
iptRuleFree(iptRule *rule)
{
if (rule->rule)
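Review bot: iptRulesSave calls writeRules(rules->path, ...) without the virFileMakePath(rules->dir) that the append path performed first (the call deleted in the iptRulesAppend hunk below), so on a host where rules->dir does not yet exist the very first save fails, is only logged at QEMUD_WARN, and the rules are never persisted for the next iptables restart. Suggest keeping the directory creation on this single save path, e.g. `if ((err = virFileMakePath(rules->dir)) || (err = writeRules(rules->path, rules->rules, rules->nrules))) {` in place of the current condition, so the warning text stays accurate for both failures. The message itself has a typo, `"Failed to saves iptables rules to %s : %s"`; it should read `"Failed to save iptables rules to %s : %s"`. iptRulesSave is complete within this hunk; the iptRuleFree that follows continues outside it.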
@@ -321,20 +340,6 @@ iptRulesAppend(iptRules *rules,
rules->nrules++;
-#ifdef ENABLE_IPTABLES_LOKKIT
- {
- int err;
-
- if ((err = virFileMakePath(rules->dir)))
- return err;
-
- if ((err = writeRules(rules->path, rules->rules, rules->nrules)))
- return err;
- }
-
- notifyRulesUpdated(rules->table, rules->path);
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
return 0;
}
@@ -359,20 +364,6 @@ iptRulesRemove(iptRules *rules,
rules->nrules--;
-#ifdef ENABLE_IPTABLES_LOKKIT
- {
- int err;
-
- if ((err = writeRules(rules->path, rules->rules, rules->nrules)))
- return err;
- }
-
- if (rules->nrules > 0)
- notifyRulesUpdated(rules->table, rules->path);
- else
- notifyRulesRemoved(rules->table, rules->path);
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
return 0;
}
@@ -658,6 +649,22 @@ iptablesContextFree(iptablesContext *ctx
free(ctx);
}
+/**
+ * iptablesSaveRules:
+ * @ctx: pointer to the IP table context
+ *
+ * Saves all the IP table rules associated with a context
+ * to disk so that if iptables is restarted, the rules
+ * will automatically be reload.
+ */
+void
+iptablesSaveRules(iptablesContext *ctx)
+{
+ iptRulesSave(ctx->input_filter);
+ iptRulesSave(ctx->forward_filter);
+ iptRulesSave(ctx->nat_postrouting);
+}
+
static void
iptRulesReload(iptRules *rules)
{
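Review bot: The new doc comment on iptablesSaveRules says the rules "will automatically be reload" and does not mention that a failed write is not reported: iptRulesSave is void and only logs the writeRules error, so this function returns normally with the rules still unsaved. Suggest fixing the wording to `* will automatically be reloaded.` and adding a line such as `* A failure to write the rules is logged but not reported to the caller.` so call sites do not assume the rules are on disk when this returns. The function is complete within this hunk; iptRulesReload below it continues outside.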
Index: libvirt/src/iptables.h
===================================================================
--- libvirt.orig/src/iptables.h 2007-12-13 09:05:31.000000000 +0000
+++ libvirt.orig/src/iptables.h 2007-12-13 09:05:31.000000000 +0000
@@ -29,6 +29,7 @@ typedef struct _iptablesContext iptables
iptablesContext *iptablesContextNew (void);
void iptablesContextFree (iptablesContext *ctx);
+void iptablesSaveRules (iptablesContext *ctx);
void iptablesReloadRules (iptablesContext *ctx);
int iptablesAddTcpInput (iptablesContext *ctx,
Index: libvirt/src/qemu_driver.c
===================================================================
--- libvirt.orig/src/qemu_driver.c 2007-12-13 09:05:31.000000000 +0000
+++ libvirt.orig/src/qemu_driver.c 2007-12-13 09:05:31.000000000 +0000
@@ -1009,8 +1009,10 @@ qemudAddIptablesRules(virConnectPtr conn
/* The remaining rules are only needed for IP forwarding */
- if (!network->def->forward)
+ if (!network->def->forward) {
+ iptablesSaveRules(driver->iptables);
return 1;
+ }
/* allow forwarding packets from the bridge interface */
if ((err = iptablesAddForwardAllowOut(driver->iptables,
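Review bot: At the added `iptablesSaveRules(driver->iptables); return 1;` the function now reports success even when saving the rules failed, because iptablesSaveRules is void and iptRulesSave only logs the writeRules error; before this patch the same failure came back through iptRulesAppend's return value and took the err* unwind path. The practical effect is that the filter and NAT rules stay active in the kernel but are missing from the saved file, so the next iptables/lokkit restart silently drops them, and only a QEMUD_WARN line records why. The second qemudAddIptablesRules hunk (save before `return 1;` ahead of err10) and the qemudRemoveIptablesRules hunk have the same gap. If a persistence failure should still be treated as an error here, iptRulesSave and iptablesSaveRules would need to return the writeRules result and this site would check it and unwind the rules added so far, as an add failure does. qemudAddIptablesRules begins and ends outside this hunk.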
@@ -1044,6 +1046,8 @@ qemudAddIptablesRules(virConnectPtr conn
goto err10;
}
+ iptablesSaveRules(driver->iptables);
+
return 1;
err10:
@@ -1100,6 +1104,7 @@ qemudRemoveIptablesRules(struct qemud_dr
iptablesRemoveTcpInput(driver->iptables, network->bridge, 53);
iptablesRemoveUdpInput(driver->iptables, network->bridge, 67);
iptablesRemoveTcpInput(driver->iptables, network->bridge, 67);
+ iptablesSaveRules(driver->iptables);
}
static int
--