Prevent updating and tearing down of filter while the IP address learning thread is running and has its own filtering rules applied. Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx> Index: libvirt-acl/src/nwfilter/nwfilter_gentech_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_gentech_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_gentech_driver.c @@ -610,6 +610,8 @@ virNWFilterInstantiate(virConnectPtr con } else if (virHashSize(missing_vars->hashTable) > 1) { rc = 1; goto err_exit; + } else if (virNWFilterLookupLearnReq(ifindex) == NULL) { + goto err_exit; } rc = _virNWFilterInstantiateRec(conn, @@ -890,7 +892,9 @@ int virNWFilterRollbackUpdateFilter(virC const virDomainNetDefPtr net) { const char *drvname = EBIPTABLES_DRIVER_ID; + int ifindex; virNWFilterTechDriverPtr techdriver; + techdriver = virNWFilterTechDriverForName(drvname); if (!techdriver) { virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, @@ -900,6 +904,11 @@ int virNWFilterRollbackUpdateFilter(virC return 1; } + /* don't tear anything while the address is being learned */ + if (ifaceGetIndex(true, net->ifname, &ifindex) == 0 && + virNWFilterLookupLearnReq(ifindex) != NULL) + return 0; + return techdriver->tearNewRules(conn, net->ifname); } @@ -909,7 +918,9 @@ virNWFilterTearOldFilter(virConnectPtr c virDomainNetDefPtr net) { const char *drvname = EBIPTABLES_DRIVER_ID; + int ifindex; virNWFilterTechDriverPtr techdriver; + techdriver = virNWFilterTechDriverForName(drvname); if (!techdriver) { virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, @@ -919,6 +930,11 @@ virNWFilterTearOldFilter(virConnectPtr c return 1; } + /* don't tear anything while the address is being learned */ + if (ifaceGetIndex(true, net->ifname, &ifindex) == 0 && + virNWFilterLookupLearnReq(ifindex) != NULL) + return 0; + return techdriver->tearOldRules(conn, net->ifname); } -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list