Created
June 25, 2012 21:13
diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py | |
index 42fb9cc..a30c767 100644 | |
--- a/nova/network/linux_net.py | |
+++ b/nova/network/linux_net.py | |
@@ -136,6 +136,14 @@ class IptablesTable(object): | |
self.chains = set() | |
self.unwrapped_chains = set() | |
+ def __eq__(self, other): | |
+ return ((self.rules == other.rules) and | |
+ (self.chains == other.chains) and | |
+ (self.unwrapped_chains == other.unwrapped_chains)) | |
+ | |
+ def __ne__(self, other): | |
+ return not self == other | |
+ | |
def add_chain(self, name, wrap=True): | |
"""Adds a named chain to the table. | |
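Review bot: The new `__eq__` reads `other.rules` without checking what `other` is, so comparing an IptablesTable against `None` or any unrelated object raises AttributeError instead of returning False. A guard at the top, `if not isinstance(other, IptablesTable): return NotImplemented`, keeps both `==` and `!=` well behaved. The result also depends on how the elements of `self.rules` compare. If the rule class (not visible here) does not define value equality, two tables with identical rule text would compare unequal, so it is worth confirming that and adding a one-line docstring saying equality is by rules, chains and unwrapped chains. The body of add_chain continues outside the hunk.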
diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py | |
index 89559a8..4a8f47b 100644 | |
--- a/nova/virt/firewall.py | |
+++ b/nova/virt/firewall.py | |
@@ -148,10 +148,10 @@ class IptablesFirewallDriver(FirewallDriver): | |
self.instances[instance['id']] = instance | |
self.network_infos[instance['id']] = network_info | |
self.add_filters_for_instance(instance) | |
+ self.iptables.apply() | |
LOG.debug(_('Filters added to instance'), instance=instance) | |
self.refresh_provider_fw_rules() | |
LOG.debug(_('Provider Firewall Rules refreshed'), instance=instance) | |
- self.iptables.apply() | |
def _create_filter(self, ips, chain_name): | |
return ['-d %s -j $%s' % (ip, chain_name) for ip in ips] | |
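Review bot: The unconditional `self.iptables.apply()` placed right after `add_filters_for_instance(instance)` is now load-bearing and deserves a comment, because `refresh_provider_fw_rules()` applies only when it detects a change, so this call is the only thing that guarantees the new instance's filters reach the kernel. Something like `# Always apply here: refresh_provider_fw_rules() only applies when provider rules changed.` would stop a later cleanup from folding the two calls back together. The enclosing method starts outside the hunk, so any locking around this call cannot be checked from here.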
@@ -384,29 +384,37 @@ class IptablesFirewallDriver(FirewallDriver): | |
pass | |
def refresh_security_group_members(self, security_group): | |
- self.do_refresh_security_group_rules(security_group) | |
- self.iptables.apply() | |
+ if self.do_refresh_security_group_rules(security_group): | |
+ self.iptables.apply() | |
def refresh_security_group_rules(self, security_group): | |
- self.do_refresh_security_group_rules(security_group) | |
- self.iptables.apply() | |
+ if self.do_refresh_security_group_rules(security_group): | |
+ self.iptables.apply() | |
@utils.synchronized('iptables', external=True) | |
def do_refresh_security_group_rules(self, security_group): | |
+ ipv4rules = self.iptables.ipv4['filter'] | |
+ ipv6rules = self.iptables.ipv6['filter'] | |
for instance in self.instances.values(): | |
self.remove_filters_for_instance(instance) | |
self.add_filters_for_instance(instance) | |
+ return (self.iptables.ipv4['filter'] != ipv4rules or | |
+ self.iptables.ipv6['filter'] != ipv6rules) | |
def refresh_provider_fw_rules(self): | |
"""See :class:`FirewallDriver` docs.""" | |
- self._do_refresh_provider_fw_rules() | |
- self.iptables.apply() | |
+ if self._do_refresh_provider_fw_rules(): | |
+ self.iptables.apply() | |
@utils.synchronized('iptables', external=True) | |
def _do_refresh_provider_fw_rules(self): | |
"""Internal, synchronized version of refresh_provider_fw_rules.""" | |
+ ipv4rules = self.iptables.ipv4['filter'] | |
+ ipv6rules = self.iptables.ipv6['filter'] | |
self._purge_provider_fw_rules() | |
self._build_provider_fw_rules() | |
+ return (self.iptables.ipv4['filter'] != ipv4rules or | |
+ self.iptables.ipv6['filter'] != ipv6rules) | |
def _purge_provider_fw_rules(self): | |
"""Remove all rules from the provider chains.""" |
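Review bot: In `do_refresh_security_group_rules`, `ipv4rules = self.iptables.ipv4['filter']` stores a reference to the live table rather than a snapshot. If the remove/add helpers mutate that table in place, as the set-based `chains` in IptablesTable suggests, the final `!=` compares the object with itself and is always False. In that case `apply()` is never called and security group changes, including revocations, stay in memory without being written to iptables, so the firewall fails open. `_do_refresh_provider_fw_rules` has the same pattern. Snapshot before mutating, e.g. `ipv4rules = copy.deepcopy(self.iptables.ipv4['filter'])` and likewise for ipv6, which needs `import copy` at the top of the module. A test asserting that a changed rule triggers `apply()` would pin this down.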