commit: 27a2f5aa3b111e62f52fcd3f66f763293f24871b Author: Mike Frysinger <vapier <AT> gentoo <DOT> org> AuthorDate: Fri Aug 14 09:12:11 2015 +0000 Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org> CommitDate: Fri Aug 14 09:28:26 2015 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=27a2f5aa
net-firewall/iptables: init: use -w when running iptables #501710
Newer iptables versions have an internal lock to keep multiple instances from trampling on each other, but you have to use the -w flag. Normally this doesn't come up, but when you run iptables & ip6tables in parallel, things can get a bit racy wrt state (even though they're updating diff sets of chains).
net-firewall/iptables/files/iptables.init | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/net-firewall/iptables/files/iptables.init b/net-firewall/iptables/files/iptables.init
index 440e840..f396ea2 100755
--- a/net-firewall/iptables/files/iptables.init
+++ b/net-firewall/iptables/files/iptables.init
@@ -35,7 +35,7 @@ set_table_policy() {
 esac
 local chain
 for chain in ${chains} ; do
- ${iptables_bin} -t ${table} -P ${chain} ${policy}
+ ${iptables_bin} -w -t ${table} -P ${chain} ${policy}
 done
 }
@@ -73,8 +73,8 @@ stop() {
 for a in $(cat ${iptables_proc}) ; do
 set_table_policy $a ACCEPT
- ${iptables_bin} -F -t $a
- ${iptables_bin} -X -t $a
+ ${iptables_bin} -w -F -t $a
+ ${iptables_bin} -w -X -t $a
 done
 eend $?
 }
@@ -85,8 +85,8 @@ reload() {
 ebegin "Flushing firewall"
 local a
 for a in $(cat ${iptables_proc}) ; do
- ${iptables_bin} -F -t $a
- ${iptables_bin} -X -t $a
+ ${iptables_bin} -w -F -t $a
+ ${iptables_bin} -w -X -t $a
 done
 eend $?
@@ -121,8 +121,8 @@ panic() {
 local a
 ebegin "Dropping all packets"
 for a in $(cat ${iptables_proc}) ; do
- ${iptables_bin} -F -t $a
- ${iptables_bin} -X -t $a
+ ${iptables_bin} -w -F -t $a
+ ${iptables_bin} -w -X -t $a
 set_table_policy $a DROP
 done
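Review bot: The `-w` added to the `-P` call here, and to the `-F`/`-X` calls in the stop(), reload() and panic() hunks, is passed unconditionally, yet `--wait` is only understood by iptables releases that carry the xtables lock (1.4.20 and later, as far as I recall), so on an older binary every one of these calls would now abort with an unknown-option error instead of applying the policy or flush; unless the ebuild already requires a new enough version, the flag should be probed once, e.g. `local wait_opt=""; ${iptables_bin} -w -L -n >/dev/null 2>&1 && wait_opt="-w"`, and the calls use `${wait_opt}`. Because each loop is followed by a single `eend $?`, such a failure on any table but the last would also go unreported. A bare `-w` additionally blocks for as long as another instance holds the lock, so a stuck holder now hangs `stop`/`panic` rather than failing fast; I believe newer releases accept `-w <seconds>`, which would bound that wait where available. set_table_policy() starts before this hunk.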
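Review bot: In the panic() hunk the flush (`-w -F`) and chain deletion (`-w -X`) still run before `set_table_policy $a DROP`, so between the flush and the policy change each table sits with an empty ruleset under whatever policy it had before, and with `-w` that window can now last as long as another iptables instance holds the lock. If panic is meant to be fail-closed, moving `set_table_policy $a DROP` above the two flush lines — the mirror of stop(), which sets ACCEPT before flushing — keeps a table from ever being both empty and open. panic() continues past the end of the hunk.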