From 73ab4e084589746cb5b629bb1700947fbc4b7367 Mon Sep 17 00:00:00 2001
From: Mark McLoughlin
Date: Thu, 10 Jan 2008 14:01:00 +0000
Subject: [PATCH] add iptablesSaveRules(), and don't save the rules to disk and run lokkit each time a new rule is added.
---
 ChangeLog | 8 ++++++
 src/iptables.c | 63 ++++++++++++++++++++++++++---------------------
 src/iptables.h | 1 +
 src/qemu_driver.c | 7 +++++-
 4 files changed, 50 insertions(+), 29 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index fe941de796..210022e96d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+Thu Jan 10 13:59:15 GMT 2008 Mark McLoughlin
+
+ * src/iptables.[ch]: add iptablesSaveRules(), and don't
+ save the rules to disk and run lokkit each time a new
+ rule is added
+
+ * src/qemu_driver.c: use iptablesSaveRules()
+
 Thu Jan 10 13:57:56 GMT 2008 Mark McLoughlin
 * src/iptables.c: now that we only use built-in iptables
diff --git a/src/iptables.c b/src/iptables.c
index 14153e522c..59236bda06 100644
--- a/src/iptables.c
+++ b/src/iptables.c
@@ -232,6 +232,25 @@ writeRules(const char *path,
 }
 #endif /* ENABLE_IPTABLES_LOKKIT */
+static void
+iptRulesSave(iptRules *rules)
+{
+#ifdef ENABLE_IPTABLES_LOKKIT
+ int err;
+
+ if ((err = writeRules(rules->path, rules->rules, rules->nrules))) {
+ qemudLog(QEMUD_WARN, "Failed to saves iptables rules to %s : %s",
+ rules->path, strerror(err));
+ return;
+ }
+
+ if (rules->nrules > 0)
+ notifyRulesUpdated(rules->table, rules->path);
+ else
+ notifyRulesRemoved(rules->table, rules->path);
+#endif /* ENABLE_IPTABLES_LOKKIT */
+}
+
 static void
 iptRuleFree(iptRule *rule)
 {
@@ -272,20 +291,6 @@ iptRulesAppend(iptRules *rules,
 rules->nrules++;
-#ifdef ENABLE_IPTABLES_LOKKIT
- {
- int err;
-
- if ((err = virFileMakePath(rules->dir)))
- return err;
-
- if ((err = writeRules(rules->path, rules->rules, rules->nrules)))
- return err;
- }
-
- notifyRulesUpdated(rules->table, rules->path);
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
 return 0;
 }
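Review bot: iptRulesSave() calls writeRules() without first making sure rules->dir exists, whereas the code it replaces in iptRulesAppend (the next hunk) called `virFileMakePath(rules->dir)` before writing; unless writeRules() creates the directory itself (not visible here), the first save on a host where the directory is absent will fail and the rules will not be persisted for lokkit. Adding `if ((err = virFileMakePath(rules->dir))) { qemudLog(QEMUD_WARN, "Failed to create directory %s : %s", rules->dir, strerror(err)); return; }` ahead of the writeRules() call restores that behaviour. The warning text also has a typo and should read `"Failed to save iptables rules to %s : %s"`. Note that, unlike the removed code which returned err to its caller, a failed write is now only logged, so callers can no longer detect that rules were not persisted; that is presumably intended for the new void API but is worth a comment on iptRulesSave().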
@@ -310,20 +315,6 @@ iptRulesRemove(iptRules *rules,
 rules->nrules--;
-#ifdef ENABLE_IPTABLES_LOKKIT
- {
- int err;
-
- if ((err = writeRules(rules->path, rules->rules, rules->nrules)))
- return err;
- }
-
- if (rules->nrules > 0)
- notifyRulesUpdated(rules->table, rules->path);
- else
- notifyRulesRemoved(rules->table, rules->path);
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
 return 0;
 }
@@ -559,6 +550,22 @@ iptablesContextFree(iptablesContext *ctx)
 free(ctx);
 }
+/**
+ * iptablesSaveRules:
+ * @ctx: pointer to the IP table context
+ *
+ * Saves all the IP table rules associated with a context
+ * to disk so that if iptables is restarted, the rules
+ * will automatically be reload.
+ */
+void
+iptablesSaveRules(iptablesContext *ctx)
+{
+ iptRulesSave(ctx->input_filter);
+ iptRulesSave(ctx->forward_filter);
+ iptRulesSave(ctx->nat_postrouting);
+}
+
 static void
 iptRulesReload(iptRules *rules)
 {
diff --git a/src/iptables.h b/src/iptables.h
index a5bb8dd469..6fe017428e 100644
--- a/src/iptables.h
+++ b/src/iptables.h
@@ -29,6 +29,7 @@ typedef struct _iptablesContext iptablesContext;
 iptablesContext *iptablesContextNew (void);
 void iptablesContextFree (iptablesContext *ctx);
+void iptablesSaveRules (iptablesContext *ctx);
 void iptablesReloadRules (iptablesContext *ctx);
 int iptablesAddTcpInput (iptablesContext *ctx,
diff --git a/src/qemu_driver.c b/src/qemu_driver.c
index 55adb1844b..c96fb45f69 100644
--- a/src/qemu_driver.c
+++ b/src/qemu_driver.c
@@ -1009,8 +1009,10 @@ qemudAddIptablesRules(virConnectPtr conn,
 /* The remaining rules are only needed for IP forwarding */
- if (!network->def->forward)
+ if (!network->def->forward) {
+ iptablesSaveRules(driver->iptables);
 return 1;
+ }
 /* allow forwarding packets from the bridge interface */
 if ((err = iptablesAddForwardAllowOut(driver->iptables,
@@ -1044,6 +1046,8 @@ qemudAddIptablesRules(virConnectPtr conn,
 goto err10;
 }
+ iptablesSaveRules(driver->iptables);
+
 return 1;
 err10:
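Review bot: The doc comment on the new iptablesSaveRules() does not say that the operation is best-effort: iptRulesSave() only logs a failed writeRules() and the function returns void, so a caller has no way to learn that the rules were not persisted. I would add a line to the comment, `Write failures are logged but not reported to the caller.`, and also note that the function is a no-op unless built with ENABLE_IPTABLES_LOKKIT, since the whole body of iptRulesSave() is inside that #ifdef. The last sentence of the comment also has a grammar slip: `will automatically be reload.` should read `will automatically be reloaded.`.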
@@ -1100,6 +1104,7 @@ qemudRemoveIptablesRules(struct qemud_driver *driver,
 iptablesRemoveTcpInput(driver->iptables, network->bridge, 53);
 iptablesRemoveUdpInput(driver->iptables, network->bridge, 67);
 iptablesRemoveTcpInput(driver->iptables, network->bridge, 67);
+ iptablesSaveRules(driver->iptables);
 }
 static int