net-firewall/iptables: init: use -w when running iptables #501710

Newer iptables versions have an internal lock to keep multiple instances
from trampling on each other, but you have to use the -w flag.  Normally
this doesn't come up, but when you run iptables & ip6tables in parallel,
things can get a bit racy wrt state (even though they're updating diff
sets of chains).

diff --git a/net-firewall/iptables/files/iptables.init b/net-firewall/iptables/files/iptables.init
index 440e840c41a8f1f6c61c1e73dbf914371dbc117d..f396ea2ef148bafdb609cc4fe8986e6203d2f747 100755 (executable)
--- a/net-firewall/iptables/files/iptables.init
+++ b/net-firewall/iptables/files/iptables.init
@@ -35,7 +35,7 @@ set_table_policy() {
        esac
        local chain
        for chain in ${chains} ; do
-               ${iptables_bin} -t ${table} -P ${chain} ${policy}
+               ${iptables_bin} -w -t ${table} -P ${chain} ${policy}
        done
 }
 
@@ -73,8 +73,8 @@ stop() {
        for a in $(cat ${iptables_proc}) ; do
                set_table_policy $a ACCEPT
 
-               ${iptables_bin} -F -t $a
-               ${iptables_bin} -X -t $a
+               ${iptables_bin} -w -F -t $a
+               ${iptables_bin} -w -X -t $a
        done
        eend $?
 }
@@ -85,8 +85,8 @@ reload() {
        ebegin "Flushing firewall"
        local a
        for a in $(cat ${iptables_proc}) ; do
-               ${iptables_bin} -F -t $a
-               ${iptables_bin} -X -t $a
+               ${iptables_bin} -w -F -t $a
+               ${iptables_bin} -w -X -t $a
        done
        eend $?
 
@@ -121,8 +121,8 @@ panic() {
        local a
        ebegin "Dropping all packets"
        for a in $(cat ${iptables_proc}) ; do
-               ${iptables_bin} -F -t $a
-               ${iptables_bin} -X -t $a
+               ${iptables_bin} -w -F -t $a
+               ${iptables_bin} -w -X -t $a
 
                set_table_policy $a DROP
        done