[libvirt PATCH 01/28] util: add -w/--concurrent when applying the rule rather than when building it

Laine Stump posted 28 patches 1 year, 4 months ago
There is a newer version of this series
[libvirt PATCH 01/28] util: add -w/--concurrent when applying the rule rather than when building it
Posted by Laine Stump 1 year, 4 months ago
We will already need a separate function for virFirewallApplyRule for
iptables vs. nftables, but the only reason for needing a separate
function for virFirewallAddRule* is that iptables/ebtables need to
have an extra arg added for locking (to prevent multiple iptables
commands from running at the same time). We can just as well add
in the -w/--concurrent during virFirewallApplyRule, so move the arg-add to
ApplyRule to keep AddRule simple.

Signed-off-by: Laine Stump <laine@redhat.com>
---
 src/util/virfirewall.c | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 30e73f603e..e8e74621c8 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -213,20 +213,6 @@ virFirewallAddRuleFullV(virFirewall *firewall,
     rule->queryOpaque = opaque;
     rule->ignoreErrors = ignoreErrors;
 
-    switch (rule->layer) {
-    case VIR_FIREWALL_LAYER_ETHERNET:
-        ADD_ARG(rule, "--concurrent");
-        break;
-    case VIR_FIREWALL_LAYER_IPV4:
-        ADD_ARG(rule, "-w");
-        break;
-    case VIR_FIREWALL_LAYER_IPV6:
-        ADD_ARG(rule, "-w");
-        break;
-    case VIR_FIREWALL_LAYER_LAST:
-        break;
-    }
-
     while ((str = va_arg(args, char *)) != NULL)
         ADD_ARG(rule, str);
 
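Review bot: With the switch dropped from virFirewallAddRuleFullV, rule->args now starts at the caller's first argument instead of at "-w" or "--concurrent", and nothing in this function records that. Please check that no other reader of rule->args (anything that logs, compares or indexes the stored arguments) still expects the locking option in the first slot. A line in the function's comment saying the locking option is supplied at apply time would also help.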
@@ -499,6 +485,19 @@ virFirewallApplyRuleDirect(virFirewallRule *rule,
 
     cmd = virCommandNewArgList(bin, NULL);
 
+    /* lock to assure nobody else is messing with the tables while we are */
+    switch (rule->layer) {
+    case VIR_FIREWALL_LAYER_ETHERNET:
+        virCommandAddArg(cmd, "--concurrent");
+        break;
+    case VIR_FIREWALL_LAYER_IPV4:
+    case VIR_FIREWALL_LAYER_IPV6:
+        virCommandAddArg(cmd, "-w");
+        break;
+    case VIR_FIREWALL_LAYER_LAST:
+        break;
+    }
+
     for (i = 0; i < rule->argsLen; i++)
         virCommandAddArg(cmd, rule->args[i]);
 
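Review bot: The comment above the new switch in virFirewallApplyRuleDirect reads "lock to assure nobody else is messing with the tables"; "ensure" is the word meant. It would also be clearer if it named what is being added, for example that "-w" (iptables/ip6tables) and "--concurrent" (ebtables) make the tool take its lock before touching the tables. Adding the option ahead of the loop over rule->args keeps it first on the command line, as it was when it was stored in the rule, so the ordering looks right. VIR_FIREWALL_LAYER_LAST still falls through silently, same as in the removed code. That is fine if it is intentional, but a short comment on that case would make it obvious.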
-- 
2.39.2
Re: [libvirt PATCH 01/28] util: add -w/--concurrent when applying the rule rather than when building it
Posted by Daniel P. Berrangé 1 year, 4 months ago
On Sun, Apr 30, 2023 at 11:19:16PM -0400, Laine Stump wrote:
> We will already need a separate function for virFirewallApplyRule for
> iptables vs. nftables, but the only reason for needing a separate
> function for virFirewallAddRule* is that iptables/ebtables need to
> have an extra arg added for locking (to prevent multiple iptables
> commands from running at the same time). We can just as well add
> in the -w/--concurrent during virFirewallApplyRule, so move the arg-add to
> ApplyRule to keep AddRule simple.
> 
> Signed-off-by: Laine Stump <laine@redhat.com>
> ---
>  src/util/virfirewall.c | 27 +++++++++++++--------------
>  1 file changed, 13 insertions(+), 14 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|