openstack
/
neutron
Code Issues Proposed changes

Do not defer IPTables apply in firewall path

Browse Source 
By default, iptables apply is deferred in L3 agent. For
external gateways, iptables is applied immediately (to
enable NAT for floating IP). Similarly, when firewall
is created/updated/deleted, iptable rules are applies
immediately.

Change-Id: I4f652a030ae23a71a2e20af2e8ef0ad5b882b80e
Closes-Bug: #1320775
changes/16/94516/2
Rajesh Mohan 9 years ago
parent d5c0a37999
commit 6167cb55e2
1 changed files with 6 additions and 5 deletions
Show Stats Download Patch File Download Diff File

11
neutron/services/firewall/drivers/linux/iptables_fwaas.py
Unescape View File

@ -70,7 +70,8 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
ipt_mgr = router_info.iptables_manager
self._remove_chains(fwid, ipt_mgr)
self._remove_default_chains(ipt_mgr)
ipt_mgr.apply()
# apply the changes immediately (no defer in firewall path)
ipt_mgr.defer_apply_off()
except (LookupError, RuntimeError):
# catch known library exceptions and raise Fwaas generic exception
LOG.exception(_("Failed to delete firewall: %s"), fwid)
@ -105,8 +106,8 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
self._add_default_policy_chain_v4v6(ipt_mgr)
self._enable_policy_chain(fwid, ipt_mgr)
# apply the changes
ipt_mgr.apply()
# apply the changes immediately (no defer in firewall path)
ipt_mgr.defer_apply_off()
except (LookupError, RuntimeError):
# catch known library exceptions and raise Fwaas generic exception
LOG.exception(_("Failed to apply default policy on firewall: %s"),
@ -127,8 +128,8 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
#create chain based on configured policy
self._setup_chains(firewall, ipt_mgr)
# apply the changes
ipt_mgr.apply()
# apply the changes immediately (no defer in firewall path)
ipt_mgr.defer_apply_off()
def _get_chain_name(self, fwid, ver, direction):
return '%s%s%s' % (CHAIN_NAME_PREFIX[direction],

Write Preview
Loading…
Cancel
Save