On Thu, Dec 10, 2009 at 11:27:51AM +0000, Mark McLoughlin wrote:
> Currently, when we add iptables rules, we keep them on a list so that
> we can easily reload them on e.g. 'service libvirtd reload'.
>
> However, we don't save this list to disk, so if libvirtd is restarted
> we lose the ability to reload the rules.
>
> The fix is simple - just re-add the damn things on reload.
>
> Note, we delete the rules before re-adding them, just like the current
> behaviour of iptRulesReload().
>
> * src/network/bridge_driver.c: re-add the iptables rules on reload.
> ---
> src/network/bridge_driver.c | 30 ++++++++++++++++++++++++------
> 1 files changed, 24 insertions(+), 6 deletions(-)
>
> diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
> index 0342aa0..766f8cd 100644
> --- a/src/network/bridge_driver.c
> +++ b/src/network/bridge_driver.c
> @@ -96,6 +96,8 @@ static int networkShutdownNetworkDaemon(virConnectPtr conn,
> struct network_driver *driver,
> virNetworkObjPtr network);
>
> +static void networkReloadIptablesRules(struct network_driver *driver);
> +
> static struct network_driver *driverState = NULL;
>
>
> @@ -291,12 +293,7 @@ networkReload(void) {
> &driverState->networks,
> driverState->networkConfigDir,
> driverState->networkAutostartDir);
> -
> - if (driverState->iptables) {
> - VIR_INFO0(_("Reloading iptables rules\n"));
> - iptablesReloadRules(driverState->iptables);
> - }
> -
> + networkReloadIptablesRules(driverState);
> networkAutostartConfigs(driverState);
> networkDriverUnlock(driverState);
> return 0;
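Review bot: The replacement call drops the `if (driverState->iptables)` guard that wrapped the old reload, and the new networkReloadIptablesRules (second hunk) does not re-check it; networkRemoveIptablesRules hands `driver->iptables` straight to iptablesSaveRules, as the second hunk's context shows, and whether that tolerates a NULL context is not visible here. If the iptables context can be absent when reload runs, keep the guard at the call site, `if (driverState->iptables) networkReloadIptablesRules(driverState);`, or add an early return at the top of the new function. networkReload's body starts outside the hunk.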
> @@ -812,6 +809,27 @@ networkRemoveIptablesRules(struct network_driver *driver,
> iptablesSaveRules(driver->iptables);
> }
>
> +static void
> +networkReloadIptablesRules(struct network_driver *driver)
> +{
> + unsigned int i;
> +
> + VIR_INFO0(_("Reloading iptables rules"));
> +
> + for (i = 0 ; i < driver->networks.count ; i++) {
> + virNetworkObjLock(driver->networks.objs[i]);
> +
> + if (virNetworkObjIsActive(driver->networks.objs[i])) {
> + networkRemoveIptablesRules(driver, driver->networks.objs[i]);
> + if (!networkAddIptablesRules(NULL, driver, driver->networks.objs[i])) {
> + /* failed to add but already logged */
> + }
> + }
> +
> + virNetworkObjUnlock(driver->networks.objs[i]);
> + }
> +}
> +
> /* Enable IP Forwarding. Return 0 for success, -1 for failure. */
> static int
> networkEnableIpForwarding(void)
ACK Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :| -- Libvir-list mailing list Libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
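Review bot: The empty `if` body around networkAddIptablesRules leaves an active network running without the rules networkRemoveIptablesRules deleted one line earlier, and nothing in this function records that state beyond whatever the callee logged; the comment should name the consequence, e.g. `/* Failure is already logged by networkAddIptablesRules; the network stays active with its rules removed until the next reload or restart. */`. With that comment in place the call reads better as a plain statement than as an `if` with an empty block. The function also has no header comment; a one-line note saying it tears down and re-creates the iptables rules of every active network, taking each network's lock in turn, would help readers arriving from networkReload.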