The bridge driver implementation of virNetworkUpdate() removes and
re-adds iptables rules any time a network has an <ip>, <forward>, or
<forward>/<interface> elements updated. There are some types of
networks that have those elements and yet have no iptables rules
associated with them, and unfortunately the functions that remove/add
iptables rules don't check the type of network before attempting to
remove/add the rules.
Under normal circumstances I would refactor the lower level functions
to be more robust, but to avoid code churn as much as possible, I've
just added extra checks directly to networkUpdate().
---
src/network/bridge_driver.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index fce1739..6e260f7 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -2945,9 +2945,12 @@ networkUpdate(virNetworkPtr net,
goto cleanup;
}
- if (section == VIR_NETWORK_SECTION_IP ||
- section == VIR_NETWORK_SECTION_FORWARD ||
- section == VIR_NETWORK_SECTION_FORWARD_INTERFACE) {
+ if ((section == VIR_NETWORK_SECTION_IP ||
+ section == VIR_NETWORK_SECTION_FORWARD ||
+ section == VIR_NETWORK_SECTION_FORWARD_INTERFACE) &&
+ (network->def->forwardType == VIR_NETWORK_FORWARD_NONE ||
+ network->def->forwardType == VIR_NETWORK_FORWARD_NAT ||
+ network->def->forwardType == VIR_NETWORK_FORWARD_ROUTE)) {
/* these could affect the iptables rules */
networkRemoveIptablesRules(driver, network);
if (networkAddIptablesRules(driver, network) < 0)
--
1.7.11.4
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list