add iptablesSaveRules(), and don't save the rules to disk

and run lokkit each time a new rule is added.

ChangeLog

@@ -1,3 +1,11 @@
+Thu Jan 10 13:59:15 GMT 2008 Mark McLoughlin <markmc@redhat.com>
+
+	* src/iptables.[ch]: add iptablesSaveRules(), and don't
+	save the rules to disk and run lokkit each time a new
+	rule is added
+
+	* src/qemu_driver.c: use iptablesSaveRules()
+
 Thu Jan 10 13:57:56 GMT 2008 Mark McLoughlin <markmc@redhat.com>
 
 	* src/iptables.c: now that we only use built-in iptables

src/iptables.c

@@ -232,6 +232,25 @@ writeRules(const char *path,
 }
 #endif /* ENABLE_IPTABLES_LOKKIT */
 
+static void
+iptRulesSave(iptRules *rules)
+{
+#ifdef ENABLE_IPTABLES_LOKKIT
+    int err;
+
+    if ((err = writeRules(rules->path, rules->rules, rules->nrules))) {
+        qemudLog(QEMUD_WARN, "Failed to saves iptables rules to %s : %s",
+                 rules->path, strerror(err));
+        return;
+    }
+
+    if (rules->nrules > 0)
+        notifyRulesUpdated(rules->table, rules->path);
+    else
+        notifyRulesRemoved(rules->table, rules->path);
+#endif /* ENABLE_IPTABLES_LOKKIT */
+}
+
 static void
 iptRuleFree(iptRule *rule)
 {
@@ -272,20 +291,6 @@ iptRulesAppend(iptRules *rules,
 
     rules->nrules++;
 
-#ifdef ENABLE_IPTABLES_LOKKIT
-    {
-        int err;
-
-        if ((err = virFileMakePath(rules->dir)))
-            return err;
-
-        if ((err = writeRules(rules->path, rules->rules, rules->nrules)))
-            return err;
-    }
-
-    notifyRulesUpdated(rules->table, rules->path);
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
     return 0;
 }
 
@@ -310,20 +315,6 @@ iptRulesRemove(iptRules *rules,
 
     rules->nrules--;
 
-#ifdef ENABLE_IPTABLES_LOKKIT
-    {
-        int err;
-
-        if ((err = writeRules(rules->path, rules->rules, rules->nrules)))
-            return err;
-    }
-
-    if (rules->nrules > 0)
-        notifyRulesUpdated(rules->table, rules->path);
-    else
-        notifyRulesRemoved(rules->table, rules->path);
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
     return 0;
 }
 
@@ -559,6 +550,22 @@ iptablesContextFree(iptablesContext *ctx)
     free(ctx);
 }
 
+/**
+ * iptablesSaveRules:
+ * @ctx: pointer to the IP table context
+ *
+ * Saves all the IP table rules associated with a context
+ * to disk so that if iptables is restarted, the rules
+ * will automatically be reload.
+ */
+void
+iptablesSaveRules(iptablesContext *ctx)
+{
+    iptRulesSave(ctx->input_filter);
+    iptRulesSave(ctx->forward_filter);
+    iptRulesSave(ctx->nat_postrouting);
+}
+
 static void
 iptRulesReload(iptRules *rules)
 {

src/iptables.h

@@ -29,6 +29,7 @@ typedef struct _iptablesContext iptablesContext;
 iptablesContext *iptablesContextNew              (void);
 void             iptablesContextFree             (iptablesContext *ctx);
 
+void             iptablesSaveRules               (iptablesContext *ctx);
 void             iptablesReloadRules             (iptablesContext *ctx);
 
 int              iptablesAddTcpInput             (iptablesContext *ctx,

src/qemu_driver.c

@@ -1009,8 +1009,10 @@ qemudAddIptablesRules(virConnectPtr conn,
 
 
     /* The remaining rules are only needed for IP forwarding */
-    if (!network->def->forward)
+    if (!network->def->forward) {
+        iptablesSaveRules(driver->iptables);
         return 1;
+    }
 
     /* allow forwarding packets from the bridge interface */
     if ((err = iptablesAddForwardAllowOut(driver->iptables,
@@ -1044,6 +1046,8 @@ qemudAddIptablesRules(virConnectPtr conn,
         goto err10;
     }
 
+    iptablesSaveRules(driver->iptables);
+
     return 1;
 
  err10:
@@ -1100,6 +1104,7 @@ qemudRemoveIptablesRules(struct qemud_driver *driver,
     iptablesRemoveTcpInput(driver->iptables, network->bridge, 53);
     iptablesRemoveUdpInput(driver->iptables, network->bridge, 67);
     iptablesRemoveTcpInput(driver->iptables, network->bridge, 67);
+    iptablesSaveRules(driver->iptables);
 }
 
 static int