From e1b6b0646ff722a569171663f3c0ba8b996b05cd Mon Sep 17 00:00:00 2001 From: Laine Stump Date: Fri, 19 Apr 2024 22:19:42 -0400 Subject: [PATCH] network: turn on auto-rollback for the rules added for virtual networks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit So far this will only affect what happens if there is some failure while applying the firewall rules; the rollback rules aren't yet persistent beyond that time. More work is needed to remember the rollback rules while the network is active, and use those rules to remove the firewall for the network when it is destroyed. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/network/network_iptables.c | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index db35a4c5a0..467d43c1e9 100644 --- a/src/network/network_iptables.c +++ b/src/network/network_iptables.c @@ -1599,7 +1599,7 @@ iptablesAddFirewallRules(virNetworkDef *def) virNetworkIPDef *ipdef; g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); - virFirewallStartTransaction(fw, 0); + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK); iptablesAddGeneralFirewallRules(fw, def); @@ -1610,17 +1610,8 @@ iptablesAddFirewallRules(virNetworkDef *def) return -1; } - virFirewallStartRollback(fw, 0); - - for (i = 0; - (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); - i++) { - if (iptablesRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0) - return -1; - } - iptablesRemoveGeneralFirewallRules(fw, def); - - virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); + virFirewallStartTransaction(fw, (VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS | + VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK)); iptablesAddChecksumFirewallRules(fw, def); return virFirewallApply(fw);