From 27a2f5aa3b111e62f52fcd3f66f763293f24871b Mon Sep 17 00:00:00 2001
From: Mike Frysinger
Date: Fri, 14 Aug 2015 05:12:11 -0400
Subject: [PATCH] net-firewall/iptables: init: use -w when running iptables #501710

Newer iptables versions have an internal lock to keep multiple instances from trampling on each other, but you have to use the -w flag. Normally this doesn't come up, but when you run iptables & ip6tables in parallel, things can get a bit racy wrt state (even though they're updating diff sets of chains).
---
 net-firewall/iptables/files/iptables.init | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/net-firewall/iptables/files/iptables.init b/net-firewall/iptables/files/iptables.init
index 440e840c41a8..f396ea2ef148 100755
--- a/net-firewall/iptables/files/iptables.init
+++ b/net-firewall/iptables/files/iptables.init
@@ -35,7 +35,7 @@ set_table_policy() {
 esac
 local chain
 for chain in ${chains} ; do
- ${iptables_bin} -t ${table} -P ${chain} ${policy}
+ ${iptables_bin} -w -t ${table} -P ${chain} ${policy}
 done
 }
@@ -73,8 +73,8 @@ stop() {
 for a in $(cat ${iptables_proc}) ; do
 set_table_policy $a ACCEPT
- ${iptables_bin} -F -t $a
- ${iptables_bin} -X -t $a
+ ${iptables_bin} -w -F -t $a
+ ${iptables_bin} -w -X -t $a
 done
 eend $?
 }
@@ -85,8 +85,8 @@ reload() {
 ebegin "Flushing firewall"
 local a
 for a in $(cat ${iptables_proc}) ; do
- ${iptables_bin} -F -t $a
- ${iptables_bin} -X -t $a
+ ${iptables_bin} -w -F -t $a
+ ${iptables_bin} -w -X -t $a
 done
 eend $?
@@ -121,8 +121,8 @@ panic() {
 local a
 ebegin "Dropping all packets"
 for a in $(cat ${iptables_proc}) ; do
- ${iptables_bin} -F -t $a
- ${iptables_bin} -X -t $a
+ ${iptables_bin} -w -F -t $a
+ ${iptables_bin} -w -X -t $a
 set_table_policy $a DROP
 done
-- 
2.26.2
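Review bot: The bare `-w` added to the `-P` call in set_table_policy waits on the xtables lock with no upper bound, so a wedged lock holder (a stuck iptables-restore, for instance) stalls the whole init script instead of producing an error. iptables releases that accept a seconds argument allow a bounded wait; if the version this ebuild depends on does (not visible here), a single configurable value along the lines of `${iptables_bin} -w ${iptables_lock_wait_time:-10} -t ${table} -P ${chain} ${policy}` keeps stop/restart from hanging forever. On an iptables too old to know `-w` the call fails with an unknown-option error, and since this function never checks the status the policy change is silently skipped, so the dependency floor in the ebuild should be confirmed to cover the flag. set_table_policy's body begins before this hunk.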
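Review bot: `eend $?` after the loop reports only the exit status of the final `${iptables_bin} -w -X -t $a`, so a failed flush or policy reset on an earlier table, or a `-w` lock wait that errors out, is lost and stop reports success while rules may still be loaded. Each command's status should be folded into a local flag that is passed to eend, and set_table_policy's status is currently ignored in the same way. stop() begins before this hunk, so `local a` is not visible here; the `local rc=0` below belongs next to it.

```shell
	local rc=0
	for a in $(cat ${iptables_proc}) ; do
		set_table_policy $a ACCEPT || rc=1
		${iptables_bin} -w -F -t $a || rc=1
		${iptables_bin} -w -X -t $a || rc=1
	done
	eend ${rc}
```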
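Review bot: The same `${iptables_bin} -w` prefix is now repeated in every flush loop (here in reload as well as in stop, panic and set_table_policy), which means any later adjustment to the lock handling, such as adding a timeout, has to be made in four places. A tiny wrapper defined once near `iptables_bin`, `ipt() { ${iptables_bin} -w "$@"; }`, lets these lines read `ipt -F -t $a` and `ipt -X -t $a` and keeps the locking decision in one spot. As in stop, `eend $?` here only reflects the last `-X`, so a failure on an earlier table is not reported. reload() continues past the end of this hunk.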
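Review bot: In panic() the chains are flushed with `-F`/`-X` before `set_table_policy $a DROP` runs, so between the flush and the policy change each table is briefly governed by whatever built-in policy it already had; if that was ACCEPT, all traffic passes for a moment, which is the opposite of what a panic should do. Moving `set_table_policy $a DROP` above the two `${iptables_bin} -w` lines closes that window, since the built-in chain policy does not depend on the rules being flushed. With an unbounded `-w`, a held xtables lock also stalls the panic indefinitely, and a bounded wait is most valuable in exactly this path. panic() continues past the end of this hunk.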