plain text document attachment (libvirt-iptables-save-rules.patch) With --enable-iptables-lokkit, the rules are saved to disk and lokkit --custom-rules is run each time a single rule is added or removed. This patch moves this code into a new iptablesSaveRules() function so that we can do it for all rules at once. Signed-off-by: Mark McLoughlin <markmc(a)redhat.com&gt; Index: libvirt/src/iptables.c =================================================================== --- libvirt.orig/src/iptables.c 2008-01-04 15:30:31.000000000 +0000 +++ libvirt.orig/src/iptables.c 2008-01-04 15:30:31.000000000 +0000 @@ -282,6 +282,25 @@ writeRules(const char *path, #endif /* ENABLE_IPTABLES_LOKKIT */ static void +iptRulesSave(iptRules *rules) +{ +#ifdef ENABLE_IPTABLES_LOKKIT + int err; + + if ((err = writeRules(rules->path, rules->rules, rules->nrules))) { + qemudLog(QEMUD_WARN, "Failed to saves iptables rules to %s : %s", + rules->path, strerror(err)); + return; + } + + if (rules->nrules > 0) + notifyRulesUpdated(rules->table, rules->path); + else + notifyRulesRemoved(rules->table, rules->path); +#endif /* ENABLE_IPTABLES_LOKKIT */ +} + +static void iptRuleFree(iptRule *rule) { if (rule->rule) @@ -321,20 +340,6 @@ iptRulesAppend(iptRules *rules, rules->nrules++; -#ifdef ENABLE_IPTABLES_LOKKIT - { - int err; - - if ((err = virFileMakePath(rules->dir))) - return err; - - if ((err = writeRules(rules->path, rules->rules, rules->nrules))) - return err; - } - - notifyRulesUpdated(rules->table, rules->path); -#endif /* ENABLE_IPTABLES_LOKKIT */ - return 0; } @@ -359,20 +364,6 @@ iptRulesRemove(iptRules *rules, rules->nrules--; -#ifdef ENABLE_IPTABLES_LOKKIT - { - int err; - - if ((err = writeRules(rules->path, rules->rules, rules->nrules))) - return err; - } - - if (rules->nrules > 0) - notifyRulesUpdated(rules->table, rules->path); - else - notifyRulesRemoved(rules->table, rules->path); -#endif /* ENABLE_IPTABLES_LOKKIT */ - return 0; } @@ -658,6 +649,22 @@ iptablesContextFree(iptablesContext *ctx free(ctx); } +/** + * iptablesSaveRules: + * @ctx: pointer to the IP table context + * + * Saves all the IP table rules associated with a context + * to disk so that if iptables is restarted, the rules + * will automatically be reload. + */ +void +iptablesSaveRules(iptablesContext *ctx) +{ + iptRulesSave(ctx->input_filter); + iptRulesSave(ctx->forward_filter); + iptRulesSave(ctx->nat_postrouting); +} + static void iptRulesReload(iptRules *rules) { Index: libvirt/src/iptables.h =================================================================== --- libvirt.orig/src/iptables.h 2007-12-13 09:05:31.000000000 +0000 +++ libvirt.orig/src/iptables.h 2007-12-13 09:05:31.000000000 +0000 @@ -29,6 +29,7 @@ typedef struct _iptablesContext iptables iptablesContext *iptablesContextNew (void); void iptablesContextFree (iptablesContext *ctx); +void iptablesSaveRules (iptablesContext *ctx); void iptablesReloadRules (iptablesContext *ctx); int iptablesAddTcpInput (iptablesContext *ctx, Index: libvirt/src/qemu_driver.c =================================================================== --- libvirt.orig/src/qemu_driver.c 2007-12-13 09:05:31.000000000 +0000 +++ libvirt.orig/src/qemu_driver.c 2007-12-13 09:05:31.000000000 +0000 @@ -1009,8 +1009,10 @@ qemudAddIptablesRules(virConnectPtr conn /* The remaining rules are only needed for IP forwarding */ - if (!network->def->forward) + if (!network->def->forward) { + iptablesSaveRules(driver->iptables); return 1; + } /* allow forwarding packets from the bridge interface */ if ((err = iptablesAddForwardAllowOut(driver->iptables, @@ -1044,6 +1046,8 @@ qemudAddIptablesRules(virConnectPtr conn goto err10; } + iptablesSaveRules(driver->iptables); + return 1; err10: @@ -1100,6 +1104,7 @@ qemudRemoveIptablesRules(struct qemud_dr iptablesRemoveTcpInput(driver->iptables, network->bridge, 53); iptablesRemoveUdpInput(driver->iptables, network->bridge, 67); iptablesRemoveTcpInput(driver->iptables, network->bridge, 67); + iptablesSaveRules(driver->iptables); } static int --