From aac434a339ec9d261bdba70eaf649bcd8820af51 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Mon, 13 Aug 2018 16:02:11 -0400
Subject: [PATCH 2/4] fw: on restart set policy from same function

Toggle the DROP/ACCEPT policy from the same function. Doing it in various areas is error prone.

(cherry picked from commit d3acaac62106b10945c7ac400140b5d0f2c4264d)
---
 src/firewall/core/fw.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index e99201d0363d..1ff36f18cd99 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -391,14 +391,11 @@ class Firewall(object):
 # Start transaction
 transaction = FirewallTransaction(self)

- if reload:
- self.set_policy("DROP", use_transaction=transaction)
-
 # flush rules
 self.flush(use_transaction=transaction)

 # If modules need to be unloaded in complete reload or if there are
- # ipsets to get applied, limit the transaction to set_policy and flush.
+ # ipsets to get applied, limit the transaction to flush.
 #
 # Future optimization for the ipset case in reload: The transaction
 # only needs to be split here if there are conflicting ipset types in
@@ -919,6 +916,8 @@ class Firewall(object):
 # stop
 self.cleanup()

+ self.set_policy("DROP")
+
 # start
 self._start(reload=True, complete_reload=stop)

--
2.18.0
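Review bot: With the `if reload:` branch removed, the flush transaction here no longer sets the DROP policy itself, and nothing in the remaining lines records that it now depends on the caller having done so. Any other path that reaches this code with `reload` true (none is visible in this patch) would flush the rules without first dropping traffic. A comment above `# flush rules` would make the precondition explicit, for example `# On reload the caller must already have set the DROP policy; it is no longer set here.` The enclosing method starts and ends outside the hunk, so its name and other callers should be checked against the full file.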
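Review bot: The added `self.set_policy("DROP")` runs after `self.cleanup()` and is applied immediately rather than through a transaction, which leaves two things unstated. If `cleanup()` changes the running ruleset (its body is not shown), traffic is filtered by whatever it leaves behind until the DROP policy lands; calling `self.set_policy("DROP")` before `self.cleanup()` would close that gap. If `self._start(reload=True, complete_reload=stop)` raises, the policy stays DROP unless the matching ACCEPT call, presumably further down and outside this hunk, is reached. Failing closed is a reasonable outcome for a firewall, but a comment such as `# fail closed: policy stays DROP if _start() raises` would show it is intended. The function continues beyond the hunk on both sides.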