From 4330d13852d0d49cb14d67c606ecf5255ee00220 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 21 May 2019 11:37:37 +0100 Subject: [PATCH] network: pull global chain init into separate method MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pull the logic for creating global iptables chains into a separate method and protect its invocation with virOnce, to make it possible to reuse it in non-startup paths. Reviewed-by: Jim Fehlig Signed-off-by: Daniel P. Berrangé --- src/network/bridge_driver_linux.c | 39 +++++++++++++++++++------------ 1 file changed, 24 insertions(+), 15 deletions(-) diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c index f2827543ca..0d849173b2 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -35,22 +35,18 @@ VIR_LOG_INIT("network.bridge_driver_linux"); #define PROC_NET_ROUTE "/proc/net/route" +static virOnceControl createdOnce; +static bool createdChains; static virErrorPtr errInitV4; static virErrorPtr errInitV6; -void networkPreReloadFirewallRules(bool startup) +/* Only call via virOnce */ +static void networkSetupPrivateChains(void) { - bool created = false; int rc; - /* We create global rules upfront as we don't want - * the perf hit of conditionally figuring out whether - * to create them each time a network is started. - * - * Any errors here are saved to be reported at time - * of starting the network though as that makes them - * more likely to be seen by a human - */ + createdChains = false; + rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV4); if (rc < 0) { errInitV4 = virSaveLastError(); @@ -58,9 +54,9 @@ void networkPreReloadFirewallRules(bool startup) } else { virFreeError(errInitV4); errInitV4 = NULL; + if (rc) + createdChains = true; } - if (rc) - created = true; rc = iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6); if (rc < 0) { @@ -69,9 +65,22 @@ void networkPreReloadFirewallRules(bool startup) } else { virFreeError(errInitV6); errInitV6 = NULL; + if (rc) + createdChains = true; } - if (rc) - created = true; +} + +void networkPreReloadFirewallRules(bool startup) +{ + /* We create global rules upfront as we don't want + * the perf hit of conditionally figuring out whether + * to create them each time a network is started. + * + * Any errors here are saved to be reported at time + * of starting the network though as that makes them + * more likely to be seen by a human + */ + ignore_value(virOnce(&createdOnce, networkSetupPrivateChains)); /* * If this is initial startup, and we just created the @@ -86,7 +95,7 @@ void networkPreReloadFirewallRules(bool startup) * rules will be present. Thus we can safely just tell it * to always delete from the builin chain */ - if (startup && created) + if (startup && createdChains) iptablesSetDeletePrivate(false); }