FirewallDriver's defer_apply might need better exception handling

Bug #1706285 reported by IWAMOTO Toshihiro
This bug affects 1 person
Affects Status Importance Assigned to Milestone

Bug Description

The current code is:

    def defer_apply(self):
        """Defer apply context."""

This means filter_defer_apply_off will be called even if there is an exception and the exception will be reraised.

Assuming the SG rules were consistent before this contextmanager call, it might make more sense to just discard deferred SG programming.

Tags: sg-fw
Revision history for this message
Brian Haley (brian-haley) wrote :

The iptables defer_apply() code is a little better in that it catches the exception in defer_apply_off() and raises a consistent value.

But I think we need to always make the filter_defer_apply_off() call so that things like self._defer_apply are correctly set to False, else we could get in a state where the agent can't apply anything, right? Maybe a patch with your proposed change would be a better place to discuss?

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.