We will already need a separate function for virFirewallApplyCmd for
iptables vs. nftables, but the only reason for needing a separate
function for virFirewallAddCmd* is that iptables/ebtables need to have
an extra arg added for locking (to prevent multiple iptables commands
from running at the same time). We can just as well add in the
-w/--concurrent during virFirewallApplyCmd, so move the arg-add to
ApplyCmd to keep AddCmd simple.
Signed-off-by: Laine Stump <laine@xxxxxxxxxx>
Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
---
src/util/virfirewall.c | 27 +++++++++++++--------------
1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 1897a66070..a57a79d4ce 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -213,20 +213,6 @@ virFirewallAddCmdFullV(virFirewall *firewall,
fwCmd->queryOpaque = opaque;
fwCmd->ignoreErrors = ignoreErrors;
- switch (fwCmd->layer) {
- case VIR_FIREWALL_LAYER_ETHERNET:
- ADD_ARG(fwCmd, "--concurrent");
- break;
- case VIR_FIREWALL_LAYER_IPV4:
- ADD_ARG(fwCmd, "-w");
- break;
- case VIR_FIREWALL_LAYER_IPV6:
- ADD_ARG(fwCmd, "-w");
- break;
- case VIR_FIREWALL_LAYER_LAST:
- break;
- }
-
while ((str = va_arg(args, char *)) != NULL)
ADD_ARG(fwCmd, str);
@@ -499,6 +485,19 @@ virFirewallApplyCmdDirect(virFirewallCmd *fwCmd,
cmd = virCommandNewArgList(bin, NULL);
+ /* lock to assure nobody else is messing with the tables while we are */
+ switch (fwCmd->layer) {
+ case VIR_FIREWALL_LAYER_ETHERNET:
+ virCommandAddArg(cmd, "--concurrent");
+ break;
+ case VIR_FIREWALL_LAYER_IPV4:
+ case VIR_FIREWALL_LAYER_IPV6:
+ virCommandAddArg(cmd, "-w");
+ break;
+ case VIR_FIREWALL_LAYER_LAST:
+ break;
+ }
+
for (i = 0; i < fwCmd->argsLen; i++)
virCommandAddArg(cmd, fwCmd->args[i]);
--
2.44.0
_______________________________________________
Devel mailing list -- devel@xxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxx
