From 6167cb55e2f62a645487d66e52b809c9599b3bb8 Mon Sep 17 00:00:00 2001 From: Rajesh Mohan Date: Tue, 20 May 2014 19:41:26 -0700 Subject: [PATCH] Do not defer IPTables apply in firewall path By default, iptables apply is deferred in L3 agent. For external gateways, iptables is applied immediately (to enable NAT for floating IP). Similarly, when firewall is created/updated/deleted, iptable rules are applies immediately. Change-Id: I4f652a030ae23a71a2e20af2e8ef0ad5b882b80e Closes-Bug: #1320775
---
 .../services/firewall/drivers/linux/iptables_fwaas.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/neutron/services/firewall/drivers/linux/iptables_fwaas.py b/neutron/services/firewall/drivers/linux/iptables_fwaas.py
index af3c44e4512..00a3ed7922c 100644
--- a/neutron/services/firewall/drivers/linux/iptables_fwaas.py
+++ b/neutron/services/firewall/drivers/linux/iptables_fwaas.py
@@ -70,7 +70,8 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
 ipt_mgr = router_info.iptables_manager
 self._remove_chains(fwid, ipt_mgr)
 self._remove_default_chains(ipt_mgr)
- ipt_mgr.apply()
+ # apply the changes immediately (no defer in firewall path)
+ ipt_mgr.defer_apply_off()
 except (LookupError, RuntimeError):
 # catch known library exceptions and raise Fwaas generic exception
 LOG.exception(_("Failed to delete firewall: %s"), fwid)
@@ -105,8 +106,8 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
 self._add_default_policy_chain_v4v6(ipt_mgr)
 self._enable_policy_chain(fwid, ipt_mgr)
- # apply the changes
- ipt_mgr.apply()
+ # apply the changes immediately (no defer in firewall path)
+ ipt_mgr.defer_apply_off()
 except (LookupError, RuntimeError):
 # catch known library exceptions and raise Fwaas generic exception
 LOG.exception(_("Failed to apply default policy on firewall: %s"),
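Review bot: `ipt_mgr.defer_apply_off()` in the delete path reads as a state change on the router's shared `router_info.iptables_manager` rather than a one-shot flush, and the same call replaces `apply()` in the two later hunks of this file. If it clears the manager's deferred flag, as the name and the commit description's "deferred in L3 agent" suggest, every later rule change the agent makes on that router would also be applied immediately until something re-enables deferral, and nothing in these hunks does. The comment should state that side effect, for example `# force an immediate apply; NOTE: leaves deferral off on the router's iptables manager`, or the driver should restore the previous state once the firewall rules are in place. The diffstat lists only this file, so no unit test pins the new call; a test asserting that firewall rules reach iptables while deferral is enabled would cover the bug being closed. The enclosing methods start and end outside the hunks.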
@@ -127,8 +128,8 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
 #create chain based on configured policy
 self._setup_chains(firewall, ipt_mgr)
- # apply the changes
- ipt_mgr.apply()
+ # apply the changes immediately (no defer in firewall path)
+ ipt_mgr.defer_apply_off()
 def _get_chain_name(self, fwid, ver, direction):
 return '%s%s%s' % (CHAIN_NAME_PREFIX[direction],
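Review bot: The `ipt_mgr.defer_apply_off()` call that ends this function has no `try`/`except` in view, unlike the two calls in the earlier hunks, which sit under `except (LookupError, RuntimeError)`. The function starts outside the hunk, so whether a failed apply here is logged and converted to the driver's generic exception depends on callers that are not shown. Since this call now always writes to iptables instead of possibly returning early under deferral, a short comment would make that contract explicit, for example `# callers must catch LookupError/RuntimeError raised by the apply`. It is worth confirming that every caller does so, so that a rule set that failed to load is reported rather than assumed to be enforced.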