From: "Mike Frysinger" <vapier@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: net-firewall/iptables/files/
Date: Fri, 14 Aug 2015 09:28:34 +0000 (UTC)
Message-ID: <1439544506.27a2f5aa3b111e62f52fcd3f66f763293f24871b.vapier@gentoo>
commit: 27a2f5aa3b111e62f52fcd3f66f763293f24871b
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 14 09:12:11 2015 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Fri Aug 14 09:28:26 2015 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=27a2f5aa
net-firewall/iptables: init: use -w when running iptables #501710
Newer iptables versions have an internal lock to keep multiple instances
from trampling on each other, but you have to use the -w flag. Normally
this doesn't come up, but when you run iptables & ip6tables in parallel,
things can get a bit racy wrt state (even though they're updating diff
sets of chains).
net-firewall/iptables/files/iptables.init | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/net-firewall/iptables/files/iptables.init b/net-firewall/iptables/files/iptables.init
index 440e840..f396ea2 100755
--- a/net-firewall/iptables/files/iptables.init
+++ b/net-firewall/iptables/files/iptables.init
@@ -35,7 +35,7 @@ set_table_policy() {
esac
local chain
for chain in ${chains} ; do
- ${iptables_bin} -t ${table} -P ${chain} ${policy}
+ ${iptables_bin} -w -t ${table} -P ${chain} ${policy}
done
}
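Review bot: The `-w` added to the `-P` call in set_table_policy() is unconditional, while the commit message says only newer iptables versions have the lock and the flag. If this iptables.init is also installed alongside an iptables version that predates `-w`, every policy change here will fail on an unknown option. Please confirm the oldest version that ships this file, or probe for `-w` support once and pass it only when it is available.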
@@ -73,8 +73,8 @@ stop() {
for a in $(cat ${iptables_proc}) ; do
set_table_policy $a ACCEPT
- ${iptables_bin} -F -t $a
- ${iptables_bin} -X -t $a
+ ${iptables_bin} -w -F -t $a
+ ${iptables_bin} -w -X -t $a
done
eend $?
}
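Review bot: In stop(), `eend $?` after the loop only sees the exit status of the last command of the last iteration, so a failed `-F`, or a failure on any table but the final one, is still reported as success. Since this change is about making these calls reliable, consider accumulating the status inside the loop (for example a local `ret` that is set when any call fails) and passing that to `eend`.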
@@ -85,8 +85,8 @@ reload() {
ebegin "Flushing firewall"
local a
for a in $(cat ${iptables_proc}) ; do
- ${iptables_bin} -F -t $a
- ${iptables_bin} -X -t $a
+ ${iptables_bin} -w -F -t $a
+ ${iptables_bin} -w -X -t $a
done
eend $?
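Review bot: The `-F`/`-X` pair in reload() is the same two lines as in stop() and panic(), and this patch had to add `-w` to each copy by hand. A small helper that flushes and deletes the chains of one table, or a single variable holding the binary plus `-w`, would keep the flag in one place so that any invocation added later picks it up automatically.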
@@ -121,8 +121,8 @@ panic() {
local a
ebegin "Dropping all packets"
for a in $(cat ${iptables_proc}) ; do
- ${iptables_bin} -F -t $a
- ${iptables_bin} -X -t $a
+ ${iptables_bin} -w -F -t $a
+ ${iptables_bin} -w -X -t $a
set_table_policy $a DROP
done
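Review bot: In panic(), the chains are flushed and deleted before `set_table_policy $a DROP` runs, and with `-w` each of those calls can now block on the lock, which lengthens the time a table sits with no rules and its previous policy. Setting the DROP policy first and flushing afterwards would close that window: `set_table_policy $a DROP`, then the `-w -F` and `-w -X` calls.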