network: turn on auto-rollback for the rules added for virtual networks

So far this only affects what happens if there is a failure while
applying the firewall rules; the automatically generated rollback rules
are not yet persisted beyond that point. More work is needed to remember
the rollback rules while the network is active, and to use those rules to
remove the firewall for the network when it is destroyed.

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Laine Stump 2024-04-19 22:19:42 -04:00
parent e23907635c
commit e1b6b0646f


@ -1599,7 +1599,7 @@ iptablesAddFirewallRules(virNetworkDef *def)
virNetworkIPDef *ipdef; virNetworkIPDef *ipdef;
g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
virFirewallStartTransaction(fw, 0); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK);
iptablesAddGeneralFirewallRules(fw, def); iptablesAddGeneralFirewallRules(fw, def);
@ -1610,17 +1610,8 @@ iptablesAddFirewallRules(virNetworkDef *def)
return -1; return -1;
} }
virFirewallStartRollback(fw, 0); virFirewallStartTransaction(fw, (VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS |
VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK));
for (i = 0;
(ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i));
i++) {
if (iptablesRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0)
return -1;
}
iptablesRemoveGeneralFirewallRules(fw, def);
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
iptablesAddChecksumFirewallRules(fw, def); iptablesAddChecksumFirewallRules(fw, def);
return virFirewallApply(fw); return virFirewallApply(fw);
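Review bot: The second transaction, `virFirewallStartTransaction(fw, (VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS | VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK));`, combines a flag that suppresses failures with one that records undo rules, and nothing in the hunk says why both are wanted, so a later reader may "simplify" it. Since errors in that group are ignored, its auto-generated rollback rules presumably never fire during this virFirewallApply() and only become useful once rollback rules are retained for teardown, as the commit message anticipates; I would say so inline: `/* Checksum rules are best-effort (IGNORE_ERRORS), so AUTO_ROLLBACK here only records undo rules for a future teardown path, not for this apply. */`. Dropping the explicit rollback group also means a failed apply is now cleaned up only as far as every rule emitted by iptablesAddGeneralFirewallRules() and iptablesAddIPSpecificFirewallRules() has an automatically derivable inverse; if any of those create chains or use a form the auto-rollback cannot invert, a mid-apply failure would leave partial FORWARD/NAT rules behind, which is the security-relevant case. I cannot confirm either way from this hunk, so a test that injects a failure into the IP-specific group and checks the tables are empty afterwards would be reassuring. iptablesAddFirewallRules() begins before the first hunk.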