util: add -w/--concurrent when applying a FirewallCmd rather than when building it

We will already need a separate function for virFirewallApplyCmd for
iptables vs. nftables, but the only reason for needing a separate
function for virFirewallAddCmd* is that iptables/ebtables need to have
an extra arg added for locking (to prevent multiple iptables commands
from running at the same time). We can just as well add in the
-w/--concurrent during virFirewallApplyCmd, so move the arg-add to
ApplyCmd to keep AddCmd simple.

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 1897a66070764ee62801c5ecda79665e36453955..a57a79d4ceb067c6f6706bf171b0e6ee62187298 100644 (file)
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -213,20 +213,6 @@ virFirewallAddCmdFullV(virFirewall *firewall,
     fwCmd->queryOpaque = opaque;
     fwCmd->ignoreErrors = ignoreErrors;
 
-    switch (fwCmd->layer) {
-    case VIR_FIREWALL_LAYER_ETHERNET:
-        ADD_ARG(fwCmd, "--concurrent");
-        break;
-    case VIR_FIREWALL_LAYER_IPV4:
-        ADD_ARG(fwCmd, "-w");
-        break;
-    case VIR_FIREWALL_LAYER_IPV6:
-        ADD_ARG(fwCmd, "-w");
-        break;
-    case VIR_FIREWALL_LAYER_LAST:
-        break;
-    }
-
     while ((str = va_arg(args, char *)) != NULL)
         ADD_ARG(fwCmd, str);
 
@@ -499,6 +485,19 @@ virFirewallApplyCmdDirect(virFirewallCmd *fwCmd,
 
     cmd = virCommandNewArgList(bin, NULL);
 
+    /* lock to assure nobody else is messing with the tables while we are */
+    switch (fwCmd->layer) {
+    case VIR_FIREWALL_LAYER_ETHERNET:
+        virCommandAddArg(cmd, "--concurrent");
+        break;
+    case VIR_FIREWALL_LAYER_IPV4:
+    case VIR_FIREWALL_LAYER_IPV6:
+        virCommandAddArg(cmd, "-w");
+        break;
+    case VIR_FIREWALL_LAYER_LAST:
+        break;
+    }
+
     for (i = 0; i < fwCmd->argsLen; i++)
         virCommandAddArg(cmd, fwCmd->args[i]);