Use iptables' ‘-w’ flag

This prevents errors like "Another app is currently holding the xtables lock" if the firewall and NAT services are starting in parallel. (Longer term, we should probably move to a single service for managing the iptables rules.)
2014-04-11 16:29:45 +02:00 · 2014-04-11 16:29:45 +02:00 · 017408e048
commit 017408e048
parent b9281e6a2d
2 changed files with 12 additions and 12 deletions
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@ -32,9 +32,9 @@ let
    ''
      # Helper command to manipulate both the IPv4 and IPv6 tables.
      ip46tables() {
-        iptables "$@"
+        iptables -w "$@"
        ${optionalString config.networking.enableIPv6 ''
-          ip6tables "$@"
+          ip6tables -w "$@"
        ''}
      }
    '';
@ -386,7 +386,7 @@ in

            # Optionally respond to ICMPv4 pings.
            ${optionalString cfg.allowPing ''
-              iptables -A nixos-fw -p icmp --icmp-type echo-request ${optionalString (cfg.pingLimit != null)
+              iptables -w -A nixos-fw -p icmp --icmp-type echo-request ${optionalString (cfg.pingLimit != null)
                "-m limit ${cfg.pingLimit} "
              }-j nixos-fw-accept
            ''}
--- a/nixos/modules/services/networking/nat.nix
+++ b/nixos/modules/services/networking/nat.nix
@ -95,26 +95,26 @@ in

        preStart =
          ''
-            iptables -t nat -F PREROUTING
-            iptables -t nat -F POSTROUTING
-            iptables -t nat -X
+            iptables -w -t nat -F PREROUTING
+            iptables -w -t nat -F POSTROUTING
+            iptables -w -t nat -X

            # We can't match on incoming interface in POSTROUTING, so
            # mark packets coming from the external interfaces.
            ${concatMapStrings (iface: ''
-              iptables -t nat -A PREROUTING \
+              iptables -w -t nat -A PREROUTING \
                -i '${iface}' -j MARK --set-mark 1
            '') cfg.internalInterfaces}

            # NAT the marked packets.
            ${optionalString (cfg.internalInterfaces != []) ''
-              iptables -t nat -A POSTROUTING -m mark --mark 1 \
+              iptables -w -t nat -A POSTROUTING -m mark --mark 1 \
                -o ${cfg.externalInterface} ${dest}
            ''}

            # NAT packets coming from the internal IPs.
            ${concatMapStrings (range: ''
-              iptables -t nat -A POSTROUTING \
+              iptables -w -t nat -A POSTROUTING \
                -s '${range}' -o ${cfg.externalInterface} ${dest}
            '') cfg.internalIPs}

@ -123,9 +123,9 @@ in

        postStop =
          ''
-            iptables -t nat -F PREROUTING
-            iptables -t nat -F POSTROUTING
-            iptables -t nat -X
+            iptables -w -t nat -F PREROUTING
+            iptables -w -t nat -F POSTROUTING
+            iptables -w -t nat -X
          '';
      };
  };