diff options
| author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2014-04-11 16:29:45 +0200 |
|---|---|---|
| committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2014-04-11 17:16:44 +0200 |
| commit | 017408e048ae2419baf0adba424b51d85b063a30 (patch) | |
| tree | 74cd0619882ac91fb287d5cb3d366ccef2e894d8 /nixos/modules/services/networking/nat.nix | |
| parent | b9281e6a2dd3252052e69e15609b8e871c97c711 (diff) | |
| download | nixpkgs-017408e048ae2419baf0adba424b51d85b063a30.tar nixpkgs-017408e048ae2419baf0adba424b51d85b063a30.tar.gz nixpkgs-017408e048ae2419baf0adba424b51d85b063a30.tar.bz2 nixpkgs-017408e048ae2419baf0adba424b51d85b063a30.tar.lz nixpkgs-017408e048ae2419baf0adba424b51d85b063a30.tar.xz nixpkgs-017408e048ae2419baf0adba424b51d85b063a30.tar.zst nixpkgs-017408e048ae2419baf0adba424b51d85b063a30.zip | |
Use iptables' ‘-w’ flag
This prevents errors like "Another app is currently holding the xtables lock" if the firewall and NAT services are starting in parallel. (Longer term, we should probably move to a single service for managing the iptables rules.)
Diffstat (limited to 'nixos/modules/services/networking/nat.nix')
| -rw-r--r-- | nixos/modules/services/networking/nat.nix | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/nixos/modules/services/networking/nat.nix b/nixos/modules/services/networking/nat.nix index 3d3899a5c41..7f4094de12f 100644 --- a/nixos/modules/services/networking/nat.nix +++ b/nixos/modules/services/networking/nat.nix @@ -95,26 +95,26 @@ in preStart = '' - iptables -t nat -F PREROUTING - iptables -t nat -F POSTROUTING - iptables -t nat -X + iptables -w -t nat -F PREROUTING + iptables -w -t nat -F POSTROUTING + iptables -w -t nat -X # We can't match on incoming interface in POSTROUTING, so # mark packets coming from the external interfaces. ${concatMapStrings (iface: '' - iptables -t nat -A PREROUTING \ + iptables -w -t nat -A PREROUTING \ -i '${iface}' -j MARK --set-mark 1 '') cfg.internalInterfaces} # NAT the marked packets. ${optionalString (cfg.internalInterfaces != []) '' - iptables -t nat -A POSTROUTING -m mark --mark 1 \ + iptables -w -t nat -A POSTROUTING -m mark --mark 1 \ -o ${cfg.externalInterface} ${dest} ''} # NAT packets coming from the internal IPs. ${concatMapStrings (range: '' - iptables -t nat -A POSTROUTING \ + iptables -w -t nat -A POSTROUTING \ -s '${range}' -o ${cfg.externalInterface} ${dest} '') cfg.internalIPs} @@ -123,9 +123,9 @@ in postStop = '' - iptables -t nat -F PREROUTING - iptables -t nat -F POSTROUTING - iptables -t nat -X + iptables -w -t nat -F PREROUTING + iptables -w -t nat -F POSTROUTING + iptables -w -t nat -X ''; }; }; |