diff options
author | Thomas Haller <thaller@redhat.com> | 2023-01-10 19:46:01 +0100 |
---|---|---|
committer | Thomas Haller <thaller@redhat.com> | 2023-01-16 10:22:05 +0100 |
commit | 11d8d18c162ce0c0797e3aa09e6d3b15429e091b (patch) | |
tree | ee13745df1f6a8db221d8561f9b5a3f1f765e848 | |
parent | 53a9ba354f79cf0986ed7e3eedc30b377c50e0a6 (diff) | |
download | NetworkManager-11d8d18c162ce0c0797e3aa09e6d3b15429e091b.tar.gz |
firewall: pass "--wait 2" to iptables to wait for concurrent invocations
iptables takes a file lock at /run/xtables.lock. By default, if
the file is locked, iptables will fail with error. When that happens,
the iptables rules won't be configured, and the shared mode
(for which we use iptables) will not be setup properly.
Instead, pass "--wait 2", to block. Yes, it's ugly that we use
blocking program invocations, but that's how it is. Also, iptables
should be fast to not be a problem in practice.
(cherry picked from commit 84a71771d9761fdcb1dc2a991af71cbc874ea0f6)
-rw-r--r-- | src/core/nm-firewall-utils.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c index 93bf501511..4bcde85fe3 100644 --- a/src/core/nm-firewall-utils.c +++ b/src/core/nm-firewall-utils.c @@ -148,7 +148,7 @@ _share_iptables_call_v(const char *const *argv) } #define _share_iptables_call(...) \ - _share_iptables_call_v(NM_MAKE_STRV("" IPTABLES_PATH "", __VA_ARGS__)) + _share_iptables_call_v(NM_MAKE_STRV("" IPTABLES_PATH "", "--wait", "2", __VA_ARGS__)) static gboolean _share_iptables_chain_op(const char *table, const char *chain, const char *op) |