We will already need a separate function for virFirewallApplyRule for iptables vs. nftables, but the only reason for needing a separate function for virFirewallAddRule* is that iptables/ebtables need to have an extra arg added for locking (to prevent multiple iptables commands from running at the same time). We can just as well add in the -w/--concurrent during virFirewallApplyRule, so move the arg-add to ApplyRule to keep AddRule simple.
Signed-off-by: Laine Stump <laine@xxxxxxxxxx>
---
 src/util/virfirewall.c | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 30e73f603e..e8e74621c8 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -213,20 +213,6 @@ virFirewallAddRuleFullV(virFirewall *firewall,
     rule->queryOpaque = opaque;
     rule->ignoreErrors = ignoreErrors;
-    switch (rule->layer) {
-    case VIR_FIREWALL_LAYER_ETHERNET:
-        ADD_ARG(rule, "--concurrent");
-        break;
-    case VIR_FIREWALL_LAYER_IPV4:
-        ADD_ARG(rule, "-w");
-        break;
-    case VIR_FIREWALL_LAYER_IPV6:
-        ADD_ARG(rule, "-w");
-        break;
-    case VIR_FIREWALL_LAYER_LAST:
-        break;
-    }
-
     while ((str = va_arg(args, char *)) != NULL)
         ADD_ARG(rule, str);
@@ -499,6 +485,19 @@ virFirewallApplyRuleDirect(virFirewallRule *rule,
     cmd = virCommandNewArgList(bin, NULL);
+    /* lock to assure nobody else is messing with the tables while we are */
+    switch (rule->layer) {
+    case VIR_FIREWALL_LAYER_ETHERNET:
+        virCommandAddArg(cmd, "--concurrent");
+        break;
+    case VIR_FIREWALL_LAYER_IPV4:
+    case VIR_FIREWALL_LAYER_IPV6:
+        virCommandAddArg(cmd, "-w");
+        break;
+    case VIR_FIREWALL_LAYER_LAST:
+        break;
+    }
+
     for (i = 0; i < rule->argsLen; i++)
         virCommandAddArg(cmd, rule->args[i]);
--
2.39.2
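Review bot: The wait flag is now emitted only on the virFirewallApplyRuleDirect path, whereas before it lived in rule->args and so reached every consumer of those args; if another apply path (the firewalld passthrough, not in this hunk) forwards rule->args to iptables/ebtables, it silently loses -w/--concurrent and may fail with the xtables-lock-held error under concurrent callers, so confirm that path adds its own wait flag or add the same switch there. The new comment above the switch also understates what the flag does: -w makes iptables block on the xtables lock instead of failing immediately when another process holds it, and --concurrent does the same for ebtables, e.g. `/* -w / --concurrent: block on the xtables/ebtables lock instead of failing when another process holds it */`. The rest of virFirewallApplyRuleDirect, including the function's start and its return, lies outside this hunk.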