authorLaine Stump <laine@laine.org>2012-09-21 15:28:11 -0400
committerLaine Stump <laine@laine.org>2012-09-21 20:10:43 -0400
commit36ba0ee7b911a0f6536d7c4601afb2cc7a0e9d38 (patch)
tree5f9fb1f5655d8d240fd806bf17fa97dc3d62ee1a
parentDrop unused return value of virLogOutputFunc (diff)
network: don't "refresh" iptables rules on rule-less networks
The bridge driver implementation of virNetworkUpdate() removes and re-adds iptables rules any time a network has an <ip>, <forward>, or <forward>/<interface> element updated. There are some types of networks that have those elements and yet have no iptables rules associated with them, and unfortunately the functions that remove/add iptables rules don't check the type of network before attempting to remove/add the rules, sometimes leading to an erroneous failure of the entire update operation. Under normal circumstances I would refactor the lower level functions to be more robust, but to avoid code churn as much as possible, I've just added extra checks directly to networkUpdate().
-rw-r--r--src/network/bridge_driver.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index fce17390b..6e260f774 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -2945,9 +2945,12 @@ networkUpdate(virNetworkPtr net,
goto cleanup;
}
- if (section == VIR_NETWORK_SECTION_IP ||
- section == VIR_NETWORK_SECTION_FORWARD ||
- section == VIR_NETWORK_SECTION_FORWARD_INTERFACE) {
+ if ((section == VIR_NETWORK_SECTION_IP ||
+ section == VIR_NETWORK_SECTION_FORWARD ||
+ section == VIR_NETWORK_SECTION_FORWARD_INTERFACE) &&
+ (network->def->forwardType == VIR_NETWORK_FORWARD_NONE ||
+ network->def->forwardType == VIR_NETWORK_FORWARD_NAT ||
+ network->def->forwardType == VIR_NETWORK_FORWARD_ROUTE)) {
/* these could affect the iptables rules */
networkRemoveIptablesRules(driver, network);
if (networkAddIptablesRules(driver, network) < 0)
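Review bot: The existing comment `/* these could affect the iptables rules */` now explains only the section half of the condition; the new `network->def->forwardType == ...` half has no comment saying why exactly these three modes are listed. I would add a comment above the `if`, such as `/* only forward modes none, nat and route have iptables rules; refreshing any other type can fail the whole update */`, so that a forward mode added later is consciously placed on one side of this list. The check also reads `network->def` at a point where the update has presumably already been applied (that code is outside the hunk). If a `<forward>` update can ever move a network from a listed mode to an unlisted one, the old filtering rules would be left in place and never removed, which is worth confirming. networkUpdate() starts and ends outside the hunk.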