On 03/11/2014 05:47 AM, Stefan Berger wrote: > From: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx> > > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1072292 > > Fix a problem related to rule priorities that did not allow to > have rules applied that had a higher priority than the chain they > were in. In this case the chain did not exist yet when the rule > was instantiated. The solution is to adjust the priority of rules > if the priority of the chain is of higher value. That way the chain > will be created before the rule. > > Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx> > --- > src/nwfilter/nwfilter_ebiptables_driver.c | 18 +++++++++++++++++- > 1 file changed, 17 insertions(+), 1 deletion(-) > > diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c > index 9d6cc90..59e07f6 100644 > --- a/src/nwfilter/nwfilter_ebiptables_driver.c > +++ b/src/nwfilter/nwfilter_ebiptables_driver.c > @@ -3736,7 +3736,6 @@ ebiptablesApplyNewRules(const char *ifname, > } > } > > - > /* cleanup whatever may exist */ > if (ebtables_cmd_path) { > NWFILTER_SET_EBTABLES_SHELLVAR(&buf); 
> @@ -3770,6 +3769,23 @@ ebiptablesApplyNewRules(const char *ifname, > > NWFILTER_SET_EBTABLES_SHELLVAR(&buf); > > + /* walk the list of rules and increase the priority > + * of rules in case the chain priority is of higher value; > + * this preserves the order of the rules and ensures that > + * the chain will be created before the chain's rules > + * are created; don't adjust rules in the root chain > + * example: a rule of priority -510 will be adjusted to > + * priority -500 and the chain with priority -500 will > + * then be created before it. > + */ > + for (i = 0; i < nruleInstances; i++) { > + if (inst[i]->chainPriority > inst[i]->priority && > + !strstr("root", inst[i]->neededProtocolChain)) { > + > + inst[i]->priority = inst[i]->chainPriority; > + } > + } > + > /* process ebtables commands; interleave commands from filters with > commands for creating and connecting ebtables chains */ > j = 0; ACK. -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
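Review bot: the root-chain test in the second hunk, `!strstr("root", inst[i]->neededProtocolChain)`, has the strstr() arguments in haystack/needle order, so it checks whether neededProtocolChain is a substring of "root" rather than whether the chain is the root chain: a name such as "ro" or an empty string (strstr() reports an empty needle as found) would also be skipped, while a longer name that merely contains "root" would not be. An exact comparison, e.g. libvirt's STREQ("root", inst[i]->neededProtocolChain), matches the stated intent ("don't adjust rules in the root chain") and removes the empty-string case. The priority adjustment itself is consistent with the example in the comment (a -510 rule raised to -500 so the -500 chain is created before it).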