Do not defer IPTables apply in firewall path

By default, iptables apply is deferred in L3 agent. For
external gateways, iptables is applied immediately (to
enable NAT for floating IP). Similarly, when firewall
is created/updated/deleted, iptables rules are applied
immediately.

Change-Id: I4f652a030ae23a71a2e20af2e8ef0ad5b882b80e
Closes-Bug: #1320775
changes/16/94516/2
Rajesh Mohan 9 years ago
parent d5c0a37999
commit 6167cb55e2

@ -70,7 +70,8 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
ipt_mgr = router_info.iptables_manager
self._remove_chains(fwid, ipt_mgr)
self._remove_default_chains(ipt_mgr)
ipt_mgr.apply()
# apply the changes immediately (no defer in firewall path)
ipt_mgr.defer_apply_off()
except (LookupError, RuntimeError):
# catch known library exceptions and raise Fwaas generic exception
LOG.exception(_("Failed to delete firewall: %s"), fwid)
@ -105,8 +106,8 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
self._add_default_policy_chain_v4v6(ipt_mgr)
self._enable_policy_chain(fwid, ipt_mgr)
# apply the changes
ipt_mgr.apply()
# apply the changes immediately (no defer in firewall path)
ipt_mgr.defer_apply_off()
except (LookupError, RuntimeError):
# catch known library exceptions and raise Fwaas generic exception
LOG.exception(_("Failed to apply default policy on firewall: %s"),
@ -127,8 +128,8 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
#create chain based on configured policy
self._setup_chains(firewall, ipt_mgr)
# apply the changes
ipt_mgr.apply()
# apply the changes immediately (no defer in firewall path)
ipt_mgr.defer_apply_off()
def _get_chain_name(self, fwid, ver, direction):
return '%s%s%s' % (CHAIN_NAME_PREFIX[direction],
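Review bot: `ipt_mgr.defer_apply_off()` is called on `router_info.iptables_manager`, which looks like the router's shared manager, so at all three call sites (the delete path, the default-policy path and the call after `_setup_chains`) it presumably clears the manager's deferred state and applies everything staged on it, not only the firewall chains. Nothing visible in these hunks turns deferral back on, and a firewall update that lands while the L3 agent is part-way through staging router or NAT rules could push a half-built rule set. The new comment should say so, for example `# defer_apply_off() also flushes any other rules staged on this router's manager and leaves deferral off`. The enclosing methods start outside the hunks, so whether a caller re-enables deferral afterwards cannot be confirmed from this page.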
