author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2014-04-11 16:29:45 +0200 |
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2014-04-11 17:16:44 +0200 |
commit | 017408e048ae2419baf0adba424b51d85b063a30 (patch) | |
tree | 74cd0619882ac91fb287d5cb3d366ccef2e894d8 /nixos/modules/services/networking | |
parent | b9281e6a2dd3252052e69e15609b8e871c97c711 (diff) | |
Use iptables' ‘-w’ flag
This prevents errors like "Another app is currently holding the xtables lock" if the firewall and NAT services are starting in parallel. (Longer term, we should probably move to a single service for managing the iptables rules.)
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r-- | nixos/modules/services/networking/firewall.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/networking/nat.nix | 18 |
2 files changed, 12 insertions, 12 deletions
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 62d92ba50e1..a1ca5dcdcb1 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -32,9 +32,9 @@ let
 ''
 # Helper command to manipulate both the IPv4 and IPv6 tables.
 ip46tables() {
- iptables "$@"
+ iptables -w "$@"
 ${optionalString config.networking.enableIPv6 ''
- ip6tables "$@"
+ ip6tables -w "$@"
 ''}
 }
 '';
@@ -386,7 +386,7 @@ in
 # Optionally respond to ICMPv4 pings.
 ${optionalString cfg.allowPing ''
- iptables -A nixos-fw -p icmp --icmp-type echo-request ${optionalString (cfg.pingLimit != null)
+ iptables -w -A nixos-fw -p icmp --icmp-type echo-request ${optionalString (cfg.pingLimit != null)
 "-m limit ${cfg.pingLimit} "
 }-j nixos-fw-accept
 ''}
diff --git a/nixos/modules/services/networking/nat.nix b/nixos/modules/services/networking/nat.nix
index 3d3899a5c41..7f4094de12f 100644
--- a/nixos/modules/services/networking/nat.nix
+++ b/nixos/modules/services/networking/nat.nix
@@ -95,26 +95,26 @@ in
 preStart =
 ''
- iptables -t nat -F PREROUTING
- iptables -t nat -F POSTROUTING
- iptables -t nat -X
+ iptables -w -t nat -F PREROUTING
+ iptables -w -t nat -F POSTROUTING
+ iptables -w -t nat -X
 # We can't match on incoming interface in POSTROUTING, so
 # mark packets coming from the external interfaces.
 ${concatMapStrings (iface: ''
- iptables -t nat -A PREROUTING \
+ iptables -w -t nat -A PREROUTING \
 -i '${iface}' -j MARK --set-mark 1
 '') cfg.internalInterfaces}
 # NAT the marked packets.
 ${optionalString (cfg.internalInterfaces != []) ''
- iptables -t nat -A POSTROUTING -m mark --mark 1 \
+ iptables -w -t nat -A POSTROUTING -m mark --mark 1 \
 -o ${cfg.externalInterface} ${dest}
 ''}
 # NAT packets coming from the internal IPs.
 ${concatMapStrings (range: ''
- iptables -t nat -A POSTROUTING \
+ iptables -w -t nat -A POSTROUTING \
 -s '${range}' -o ${cfg.externalInterface} ${dest}
 '') cfg.internalIPs}
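Review bot: The bare `-w` added to the ip46tables helper makes iptables wait for the xtables lock with no upper bound, so a stuck holder of the lock now turns the former loud "Another app is currently holding the xtables lock" failure into an indefinite hang of the firewall unit; that trade-off deserves a comment because the helper is used for every rule the module installs. Newer iptables releases accept an optional timeout argument after `-w`, and releases that predate the flag reject it outright, which would make every call through this helper fail, so the shipped iptables version is worth confirming. I would put above the helper: `# -w makes iptables block until the xtables lock is free instead of failing when another invocation (e.g. the NAT service starting in parallel) holds it; note that it waits without a timeout.` The enclosing `let` binding starts before the hunk.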
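Review bot: `iptables -w -t nat -F PREROUTING`, `-F POSTROUTING` and `-X` at the top of preStart flush the whole built-in chains and try to delete every user-defined chain in the nat table, not only the rules this module installs, so nat rules added there by another service or an administrator are wiped whenever the NAT unit (re)starts; `-w` only serializes the calls, it does not narrow their scope. If that is intended it should be stated where it happens, e.g. `# NOTE: flushes the entire nat PREROUTING/POSTROUTING chains and deletes all user chains in the nat table; rules other services added there are lost on (re)start.` Giving the module its own chains, the way firewall.nix confines its rules to nixos-fw, would let it flush only what it owns. The preStart string appears to continue past the end of the hunk.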
@@ -123,9 +123,9 @@ in
 postStop =
 ''
- iptables -t nat -F PREROUTING
- iptables -t nat -F POSTROUTING
- iptables -t nat -X
+ iptables -w -t nat -F PREROUTING
+ iptables -w -t nat -F POSTROUTING
+ iptables -w -t nat -X
 '';
 };
 };
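Review bot: The three flush lines in postStop are now a verbatim copy of the ones at the top of preStart, each carrying its own `-w`, so any later adjustment (a timeout argument for `-w`, or narrowing the flush to module-owned chains) has to be made in two places and can drift. A single `let` binding holding the flush snippet, reused by both preStart and postStop, keeps them in step. The enclosing `let … in` starts before the hunk.
```nix
# in the module's let block:
flushNat = ''
  iptables -w -t nat -F PREROUTING
  iptables -w -t nat -F POSTROUTING
  iptables -w -t nat -X
'';
# … unchanged: remaining bindings, option declarations, preStart body …
postStop = flushNat;
```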