So far this will only affect what happens if there is some failure
while applying the firewall rules; the rollback rules aren't yet
persistent beyond that time. More work is needed to remember the
rollback rules while the network is active, and use those rules to
remove the firewall for the network when it is destroyed.
Signed-off-by: Laine Stump <laine@xxxxxxxxxx>
Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
---
Change from V2:
* remove chunk checking for -ae option from firewalltest, and add it
where it should be, in patch 25
src/network/network_iptables.c | 15 +++------------
1 file changed, 3 insertions(+), 12 deletions(-)
diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c
index db35a4c5a0..467d43c1e9 100644
--- a/src/network/network_iptables.c
+++ b/src/network/network_iptables.c
@@ -1599,7 +1599,7 @@ iptablesAddFirewallRules(virNetworkDef *def)
virNetworkIPDef *ipdef;
g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
- virFirewallStartTransaction(fw, 0);
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK);
iptablesAddGeneralFirewallRules(fw, def);
@@ -1610,17 +1610,8 @@ iptablesAddFirewallRules(virNetworkDef *def)
return -1;
}
- virFirewallStartRollback(fw, 0);
-
- for (i = 0;
- (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i));
- i++) {
- if (iptablesRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0)
- return -1;
- }
- iptablesRemoveGeneralFirewallRules(fw, def);
-
- virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+ virFirewallStartTransaction(fw, (VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS |
+ VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK));
iptablesAddChecksumFirewallRules(fw, def);
return virFirewallApply(fw);
--
2.44.0
_______________________________________________
Devel mailing list -- devel@xxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxx
