add iptablesSaveRules(), and don't save the rules to disk
authorMark McLoughlin <markmc@redhat.com>
Thu, 10 Jan 2008 14:01:00 +0000 (14:01 +0000)
committerMark McLoughlin <markmc@redhat.com>
Thu, 10 Jan 2008 14:01:00 +0000 (14:01 +0000)
and run lokkit each time a new rule is added.

ChangeLog
src/iptables.c
src/iptables.h
src/qemu_driver.c

index fe941de7960188058db93a099dceb285a04244b5..210022e96d3f777a4e063b5b2b7ca53fe03ea65e 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+Thu Jan 10 13:59:15 GMT 2008 Mark McLoughlin <markmc@redhat.com>
+
+       * src/iptables.[ch]: add iptablesSaveRules(), and don't
+       save the rules to disk and run lokkit each time a new
+       rule is added
+
+       * src/qemu_driver.c: use iptablesSaveRules()
+
 Thu Jan 10 13:57:56 GMT 2008 Mark McLoughlin <markmc@redhat.com>
 
        * src/iptables.c: now that we only use built-in iptables
index 14153e522c665fddd9a0401dd17d64efe51f2a41..59236bda061c1f4866152d940c11b27960b6608e 100644 (file)
@@ -232,6 +232,25 @@ writeRules(const char *path,
 }
 #endif /* ENABLE_IPTABLES_LOKKIT */
 
+static void
+iptRulesSave(iptRules *rules)
+{
+#ifdef ENABLE_IPTABLES_LOKKIT
+    int err;
+
+    if ((err = writeRules(rules->path, rules->rules, rules->nrules))) {
+        qemudLog(QEMUD_WARN, "Failed to saves iptables rules to %s : %s",
+                 rules->path, strerror(err));
+        return;
+    }
+
+    if (rules->nrules > 0)
+        notifyRulesUpdated(rules->table, rules->path);
+    else
+        notifyRulesRemoved(rules->table, rules->path);
+#endif /* ENABLE_IPTABLES_LOKKIT */
+}
+
 static void
 iptRuleFree(iptRule *rule)
 {
@@ -272,20 +291,6 @@ iptRulesAppend(iptRules *rules,
 
     rules->nrules++;
 
-#ifdef ENABLE_IPTABLES_LOKKIT
-    {
-        int err;
-
-        if ((err = virFileMakePath(rules->dir)))
-            return err;
-
-        if ((err = writeRules(rules->path, rules->rules, rules->nrules)))
-            return err;
-    }
-
-    notifyRulesUpdated(rules->table, rules->path);
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
     return 0;
 }
 
@@ -310,20 +315,6 @@ iptRulesRemove(iptRules *rules,
 
     rules->nrules--;
 
-#ifdef ENABLE_IPTABLES_LOKKIT
-    {
-        int err;
-
-        if ((err = writeRules(rules->path, rules->rules, rules->nrules)))
-            return err;
-    }
-
-    if (rules->nrules > 0)
-        notifyRulesUpdated(rules->table, rules->path);
-    else
-        notifyRulesRemoved(rules->table, rules->path);
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
     return 0;
 }
 
@@ -559,6 +550,22 @@ iptablesContextFree(iptablesContext *ctx)
     free(ctx);
 }
 
+/**
+ * iptablesSaveRules:
+ * @ctx: pointer to the IP table context
+ *
+ * Saves all the IP table rules associated with a context
+ * to disk so that if iptables is restarted, the rules
+ * will automatically be reload.
+ */
+void
+iptablesSaveRules(iptablesContext *ctx)
+{
+    iptRulesSave(ctx->input_filter);
+    iptRulesSave(ctx->forward_filter);
+    iptRulesSave(ctx->nat_postrouting);
+}
+
 static void
 iptRulesReload(iptRules *rules)
 {
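Review bot: iptRulesSave (first hunk of src/iptables.c) calls writeRules(rules->path, ...) without first creating rules->dir, whereas the block it replaces in iptRulesAppend (hunk `@@ -272,20 +291,6 @@`) ran virFileMakePath(rules->dir) before writing; on a host where that directory does not yet exist the first save will presumably fail and the rules stay unpersisted, with only a warning logged. Restoring the call before the write, `if ((err = virFileMakePath(rules->dir)) || (err = writeRules(rules->path, rules->rules, rules->nrules))) {`, keeps the old behaviour. Because the failure now goes to qemudLog only and iptablesSaveRules returns void, callers cannot tell that rules were applied in the kernel but will not survive an iptables restart; the doc comment on iptablesSaveRules should state that, e.g. `Failures to persist are logged at QEMUD_WARN and are not reported to the caller.` Two typos while here: the log message reads "Failed to saves" and the doc comment "will automatically be reload" (reloaded).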
index a5bb8dd46937e3c978c01e9f42dba8730acd464c..6fe017428e9a64e1294626e9a10c82c1200ad4a9 100644 (file)
@@ -29,6 +29,7 @@ typedef struct _iptablesContext iptablesContext;
 iptablesContext *iptablesContextNew              (void);
 void             iptablesContextFree             (iptablesContext *ctx);
 
+void             iptablesSaveRules               (iptablesContext *ctx);
 void             iptablesReloadRules             (iptablesContext *ctx);
 
 int              iptablesAddTcpInput             (iptablesContext *ctx,
index 55adb1844b33744507fc1e236b3bbe2be7e1d810..c96fb45f69d4188d18502f23c78785a5e683e0a6 100644 (file)
@@ -1009,8 +1009,10 @@ qemudAddIptablesRules(virConnectPtr conn,
 
 
     /* The remaining rules are only needed for IP forwarding */
-    if (!network->def->forward)
+    if (!network->def->forward) {
+        iptablesSaveRules(driver->iptables);
         return 1;
+    }
 
     /* allow forwarding packets from the bridge interface */
     if ((err = iptablesAddForwardAllowOut(driver->iptables,
@@ -1044,6 +1046,8 @@ qemudAddIptablesRules(virConnectPtr conn,
         goto err10;
     }
 
+    iptablesSaveRules(driver->iptables);
+
     return 1;
 
  err10:
@@ -1100,6 +1104,7 @@ qemudRemoveIptablesRules(struct qemud_driver *driver,
     iptablesRemoveTcpInput(driver->iptables, network->bridge, 53);
     iptablesRemoveUdpInput(driver->iptables, network->bridge, 67);
     iptablesRemoveTcpInput(driver->iptables, network->bridge, 67);
+    iptablesSaveRules(driver->iptables);
 }
 
 static int
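Review bot: qemudAddIptablesRules returns 1 at both new iptablesSaveRules call sites regardless of whether the rules were actually persisted, since that function is void and only logs; a reader of this caller gets no hint that a network can come up with live but unsaved rules. A one-line comment at each call, `/* persistence failures are only logged by iptablesSaveRules; the kernel rules stay active */`, would make that explicit. Both qemudAddIptablesRules and qemudRemoveIptablesRules start outside the hunks, so whether the err10 rollback path leaves the on-disk state consistent could not be checked here.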