Do not defer IPTables apply in firewall path
By default, iptables apply is deferred in L3 agent. For
external gateways, iptables is applied immediately (to
enable NAT for floating IP). Similarly, when firewall
is created/updated/deleted, iptables rules are applied
immediately.
Change-Id: I4f652a030ae23a71a2e20af2e8ef0ad5b882b80e
Closes-Bug: #1320775
(cherry picked from commit 6167cb55e2
)
parent
22e77e7ef2
commit
cd7a622d3b
@ -71,7 +71,8 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
|
||||
ipt_mgr = router_info.iptables_manager
|
||||
self._remove_chains(fwid, ipt_mgr)
|
||||
self._remove_default_chains(ipt_mgr)
|
||||
ipt_mgr.apply()
|
||||
# apply the changes immediately (no defer in firewall path)
|
||||
ipt_mgr.defer_apply_off()
|
||||
except (LookupError, RuntimeError):
|
||||
# catch known library exceptions and raise Fwaas generic exception
|
||||
LOG.exception(_("Failed to delete firewall: %s"), fwid)
|
||||
@ -106,8 +107,8 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
|
||||
self._add_default_policy_chain_v4v6(ipt_mgr)
|
||||
self._enable_policy_chain(fwid, ipt_mgr)
|
||||
|
||||
# apply the changes
|
||||
ipt_mgr.apply()
|
||||
# apply the changes immediately (no defer in firewall path)
|
||||
ipt_mgr.defer_apply_off()
|
||||
except (LookupError, RuntimeError):
|
||||
# catch known library exceptions and raise Fwaas generic exception
|
||||
LOG.exception(_("Failed to apply default policy on firewall: %s"),
|
||||
@ -128,8 +129,8 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
|
||||
#create chain based on configured policy
|
||||
self._setup_chains(firewall, ipt_mgr)
|
||||
|
||||
# apply the changes
|
||||
ipt_mgr.apply()
|
||||
# apply the changes immediately (no defer in firewall path)
|
||||
ipt_mgr.defer_apply_off()
|
||||
|
||||
def _get_chain_name(self, fwid, ver, direction):
|
||||
return '%s%s%s' % (CHAIN_NAME_PREFIX[direction],
|
||||
|
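Review bot: `ipt_mgr.defer_apply_off()` at the three changed call sites (delete, default policy, and the chain setup just before `_get_chain_name`) is used to force an immediate apply, but its name suggests it also switches deferral off on the router's shared `iptables_manager`, and nothing visible here turns it back on. If the L3 agent relies on that flag staying set, later non-firewall changes on the same router would no longer be batched, and anything the agent had queued would be flushed together with the firewall chains; the manager's implementation is not on this page, so this should be confirmed there. The new comment could state the side effect, e.g. `# defer_apply_off() clears the deferred flag and applies now; deferral stays off for this router's manager afterwards`. Because a firewall change that is silently left unapplied means the router keeps enforcing the old rule set, a unit test asserting that each of these paths ends in an actual apply would guard against regression. All three enclosing methods start or end outside the hunks shown.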