Do not defer IPTables apply in firewall path
By default, iptables apply is deferred in the L3 agent. For external gateways, iptables is applied immediately (to enable NAT for floating IP). Similarly, when a firewall is created/updated/deleted, iptables rules are applied immediately. Change-Id: I4f652a030ae23a71a2e20af2e8ef0ad5b882b80e Closes-Bug: #1320775
parent
ced29a894b
commit
9acc000216
@ -70,7 +70,8 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
|
||||
ipt_mgr = router_info.iptables_manager
|
||||
self._remove_chains(fwid, ipt_mgr)
|
||||
self._remove_default_chains(ipt_mgr)
|
||||
ipt_mgr.apply()
|
||||
# apply the changes immediately (no defer in firewall path)
|
||||
ipt_mgr.defer_apply_off()
|
||||
except (LookupError, RuntimeError):
|
||||
# catch known library exceptions and raise Fwaas generic exception
|
||||
LOG.exception(_("Failed to delete firewall: %s"), fwid)
|
||||
@ -105,8 +106,8 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
|
||||
self._add_default_policy_chain_v4v6(ipt_mgr)
|
||||
self._enable_policy_chain(fwid, ipt_mgr)
|
||||
|
||||
# apply the changes
|
||||
ipt_mgr.apply()
|
||||
# apply the changes immediately (no defer in firewall path)
|
||||
ipt_mgr.defer_apply_off()
|
||||
except (LookupError, RuntimeError):
|
||||
# catch known library exceptions and raise Fwaas generic exception
|
||||
LOG.exception(_("Failed to apply default policy on firewall: %s"),
|
||||
@ -127,8 +128,8 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
|
||||
#create chain based on configured policy
|
||||
self._setup_chains(firewall, ipt_mgr)
|
||||
|
||||
# apply the changes
|
||||
ipt_mgr.apply()
|
||||
# apply the changes immediately (no defer in firewall path)
|
||||
ipt_mgr.defer_apply_off()
|
||||
|
||||
def _get_chain_name(self, fwid, ver, direction):
|
||||
return '%s%s%s' % (CHAIN_NAME_PREFIX[direction],
|
||||
|
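Review bot: `ipt_mgr.defer_apply_off()` is used as an "apply now" call in all three hunks (delete, default-policy and update paths), but its name suggests it also changes state on the router's shared manager taken from `router_info.iptables_manager`. If the L3 agent has deferral switched on for a batch of its own changes to the same router, this call presumably ends that deferral early, so later `apply()` calls in the batch could push a partially built rule set; confirm this against `IptablesManager`, which is not visible here. A comment next to each call would make the side effect explicit, for example `# NOTE: defer_apply_off() also clears the deferred flag on the router's shared iptables_manager`. The first two hunks sit inside a `try` that catches `(LookupError, RuntimeError)`, but the function enclosing the third hunk starts outside it, so whether a failed apply there is caught and logged cannot be checked from this page.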