From 67140657362407d7b51d2177449df6ec0e9ab361 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Wed, 28 Feb 2018 08:51:23 +0100
Subject: [PATCH] Add support for --wait options to restore commands
Without this, either one of iptables and ip6tables services is likely to fail at system startup because the other one is holding the xtables lock.
---
 iptables-config | 12 ++++++++++++
 iptables.init | 14 ++++++++++++++
 2 files changed, 26 insertions(+)
diff --git a/iptables-config b/iptables-config
index ec61d23..3d7e176 100644
--- a/iptables-config
+++ b/iptables-config
@@ -45,3 +45,15 @@ IPTABLES_STATUS_LINENUMBERS="yes"
 # Space separated list of sysctl items which are to be reloaded on start.
 # List items will be matched by fgrep.
 #IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
+
+# Set wait option for iptables-restore calls in seconds
+# Default: 600
+# Set to 0 to deactivate the wait.
+#IPTABLES_RESTORE_WAIT=600
+
+# Set wait interval option for iptables-restore calls in microseconds
+# Default: 1000000
+# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a
+# second.
+# Only usable with IPTABLES_RESTORE_WAIT > 0
+#IPTABLES_RESTORE_WAIT_INTERVAL=1000000
diff --git a/iptables.init b/iptables.init
index 542677b..8f74bb3 100755
--- a/iptables.init
+++ b/iptables.init
@@ -55,6 +55,8 @@ IPTABLES_STATUS_NUMERIC="yes"
 IPTABLES_STATUS_VERBOSE="no"
 IPTABLES_STATUS_LINENUMBERS="yes"
 IPTABLES_SYSCTL_LOAD_LIST=""
+IPTABLES_RESTORE_WAIT=600
+IPTABLES_RESTORE_WAIT_INTERVAL=1000000
 # Load firewall configuration.
 [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
@@ -177,6 +179,12 @@ start() {
 OPT=
 [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+ if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
+ OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
+ if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
+ OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
+ fi
+ fi
 $IPTABLES-restore $OPT $IPTABLES_DATA
 if [ $? -eq 0 ]; then
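Review bot: The `# Default: 1000000` line for IPTABLES_RESTORE_WAIT_INTERVAL reads as if one second is the value handed to iptables-restore, but the iptables.init hunk at @@ -177 only appends `--wait-interval` when the value is below 1000000, so the documented default and anything larger mean the option is not passed at all and the tool's own interval presumably applies. That rule belongs in this comment so an administrator who raises the value is not surprised that it has no effect, e.g. `# Values of 1000000 or more are not passed on; iptables-restore then uses its built-in interval.` The cut-off looks like it mirrors an upper bound iptables-restore itself enforces on the option; if so, naming that here would also explain why the knob is capped at a sub-second value.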
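Review bot: The added `if [ $IPTABLES_RESTORE_WAIT -ne 0 ]` and the nested `-lt 1000000` test use the values straight from the sourced iptables-config without quoting or validation, so an administrator who sets `IPTABLES_RESTORE_WAIT=` (empty) or a non-numeric value gets a `[` usage error, the branch is skipped and `--wait` is silently dropped, which brings back the startup lock race this patch is meant to fix. The same six lines are duplicated verbatim in the reload() hunk at @@ -328, so the check belongs in one helper that validates both values, warns on stderr and falls back to the script defaults, called from both start() and reload(); the excerpt below shows such a helper (to sit next to the defaults added at @@ -55) and the one-line call that replaces the added block. The `-lt 1000000` cut-off also deserves a why-comment, since it is not obvious that 1000000 means "leave the tool's default" rather than "pass one second" (as far as I recall iptables-restore rejects intervals of a full second or more, which the guard seems designed around). start()'s body begins and ends outside the hunk.
```shell
# Append iptables-restore's --wait/--wait-interval arguments to OPT.
# IPTABLES_RESTORE_WAIT (seconds) and IPTABLES_RESTORE_WAIT_INTERVAL
# (microseconds) come from iptables-config; an empty or non-numeric value
# would make the "[ -ne 0 ]" test error out and silently drop --wait, so
# warn and fall back to the built-in defaults instead.
add_restore_wait_opts() {
    case "$IPTABLES_RESTORE_WAIT" in
        ''|*[!0-9]*)
            printf '%s: invalid IPTABLES_RESTORE_WAIT "%s", using 600\n' \
                "$0" "$IPTABLES_RESTORE_WAIT" >&2
            IPTABLES_RESTORE_WAIT=600 ;;
    esac
    case "$IPTABLES_RESTORE_WAIT_INTERVAL" in
        ''|*[!0-9]*)
            printf '%s: invalid IPTABLES_RESTORE_WAIT_INTERVAL "%s", using 1000000\n' \
                "$0" "$IPTABLES_RESTORE_WAIT_INTERVAL" >&2
            IPTABLES_RESTORE_WAIT_INTERVAL=1000000 ;;
    esac
    [ "$IPTABLES_RESTORE_WAIT" -ne 0 ] || return 0
    OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
    # Only sub-second intervals are passed on; 1000000 (the documented
    # default) or more means "leave iptables-restore's own interval".
    if [ "$IPTABLES_RESTORE_WAIT_INTERVAL" -lt 1000000 ]; then
        OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
    fi
}

# … unchanged: start() up to the -c handling …
    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
    add_restore_wait_opts
    # … unchanged: $IPTABLES-restore call and status check …
```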
@@ -328,6 +336,12 @@ reload() {
 OPT=
 [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+ if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
+ OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
+ if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
+ OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
+ fi
+ fi
 $IPTABLES-restore $OPT $IPTABLES_DATA
 if [ $? -eq 0 ]; then