| author | Alex Vakulenko <avakulenko@chromium.org> | 2015-07-14 07:15:17 -0700 |
|---|---|---|
| committer | Gilad Arnold <garnold@google.com> | 2015-08-10 23:11:53 -0700 |
| commit | 398b5cf3626b312ed68d6fffc484daa6c6647415 (patch) | |
| tree | b745dc91bcfb5de9df743847fe874da6a8dbeb2e | |
| parent | fa9de93e3af59fa3f2f4cbba7e583d94542a660f (diff) | |
| download | firewalld-398b5cf3626b312ed68d6fffc484daa6c6647415.tar.gz | |
firewalld: Add -w option to invocation of `iptables` command
When multiple processes use `iptables` to modify the firewall, the
command grabs an exclusive lock for the table being modified. If the
lock cannot be obtained (another instance of iptables is running),
the current instance fails with an error.
By adding -w we make it wait for the other lock to be released before
proceeding.
BUG=brillo:1240
TEST=`FEATURES=test emerge-gizmo firewalld`
test_that -b gizmo <ip> security_Firewall
Change-Id: If147f6869d2df0e8f355323a265718f1cb8d617f
Reviewed-on: https://chromium-review.googlesource.com/285512
Reviewed-by: Vitaly Buka <vitalybuka@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Alex Vakulenko <avakulenko@chromium.org>
Commit-Queue: Alex Vakulenko <avakulenko@chromium.org>
-rw-r--r-- | iptables.cc | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/iptables.cc b/iptables.cc index d0ce87f..2357fcb 100644 --- a/iptables.cc +++ b/iptables.cc @@ -220,6 +220,7 @@ bool IpTables::AddAcceptRule(const std::string& executable_path, } argv.push_back("-j"); argv.push_back("ACCEPT"); + argv.push_back("-w"); // Wait for xtables lock. // Use CAP_NET_ADMIN|CAP_NET_RAW. return ExecvNonRoot(argv, kIpTablesCapMask) == 0; @@ -243,6 +244,7 @@ bool IpTables::DeleteAcceptRule(const std::string& executable_path, } argv.push_back("-j"); argv.push_back("ACCEPT"); + argv.push_back("-w"); // Wait for xtables lock. // Use CAP_NET_ADMIN|CAP_NET_RAW. return ExecvNonRoot(argv, kIpTablesCapMask) == 0; |
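Review bot: in the AddAcceptRule hunk, `argv.push_back("-w")` requests an unbounded wait on the xtables lock, so if another iptables holder stalls, this call blocks indefinitely instead of failing with an error as the commit message describes for the unlocked case; consider a bounded wait (`-w <seconds>`) where the target iptables build accepts a timeout argument, and make sure the resulting failure is still reported to the caller through the existing `ExecvNonRoot(argv, kIpTablesCapMask) == 0` check.

Review bot: the DeleteAcceptRule hunk repeats the exact same two-line tail (`-j ACCEPT` followed by `-w // Wait for xtables lock.`) that the AddAcceptRule hunk adds; building that common argv tail in one shared helper would keep the two paths from drifting the next time a flag such as `-w` needs to be added or changed.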