author | Mike Frysinger <vapier@gentoo.org> | 2015-08-14 05:12:11 -0400 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2015-08-14 05:28:26 -0400 |
commit | 27a2f5aa3b111e62f52fcd3f66f763293f24871b (patch) | |
tree | deeb0be7d351e78ab899dcd7bed35213ed23cd10 /net-firewall | |
parent | net-firewall/iptables: add support for USE=pcap #512934 (diff) | |
download | gentoo-27a2f5aa3b111e62f52fcd3f66f763293f24871b.tar.gz gentoo-27a2f5aa3b111e62f52fcd3f66f763293f24871b.tar.bz2 gentoo-27a2f5aa3b111e62f52fcd3f66f763293f24871b.zip |
net-firewall/iptables: init: use -w when running iptables #501710
Newer iptables versions have an internal lock to keep multiple instances
from trampling on each other, but you have to use the -w flag. Normally
this doesn't come up, but when you run iptables & ip6tables in parallel,
things can get a bit racy with respect to state (even though they're updating different
sets of chains).
Diffstat (limited to 'net-firewall')
-rwxr-xr-x | net-firewall/iptables/files/iptables.init | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/net-firewall/iptables/files/iptables.init b/net-firewall/iptables/files/iptables.init
index 440e840c41a8..f396ea2ef148 100755
--- a/net-firewall/iptables/files/iptables.init
+++ b/net-firewall/iptables/files/iptables.init
@@ -35,7 +35,7 @@ set_table_policy() {
 esac
 local chain
 for chain in ${chains} ; do
-${iptables_bin} -t ${table} -P ${chain} ${policy}
+${iptables_bin} -w -t ${table} -P ${chain} ${policy}
 done
 }
@@ -73,8 +73,8 @@ stop() {
 for a in $(cat ${iptables_proc}) ; do
 set_table_policy $a ACCEPT
-${iptables_bin} -F -t $a
-${iptables_bin} -X -t $a
+${iptables_bin} -w -F -t $a
+${iptables_bin} -w -X -t $a
 done
 eend $?
 }
@@ -85,8 +85,8 @@ reload() {
 ebegin "Flushing firewall"
 local a
 for a in $(cat ${iptables_proc}) ; do
-${iptables_bin} -F -t $a
-${iptables_bin} -X -t $a
+${iptables_bin} -w -F -t $a
+${iptables_bin} -w -X -t $a
 done
 eend $?
@@ -121,8 +121,8 @@ panic() {
 local a
 ebegin "Dropping all packets"
 for a in $(cat ${iptables_proc}) ; do
-${iptables_bin} -F -t $a
-${iptables_bin} -X -t $a
+${iptables_bin} -w -F -t $a
+${iptables_bin} -w -X -t $a
 set_table_policy $a DROP
 done
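Review bot: The bare `-w` added to every iptables invocation waits for the xtables lock with no upper bound, so a stuck or long-running lock holder now blocks stop(), reload() and, most importantly, the panic() hunk whose whole purpose is to drop all packets promptly; where the installed iptables accepts a timeout argument, a bounded wait such as `${iptables_bin} -w 5 -F -t $a` lets the failure surface instead of hanging the service. In the stop() and reload() hunks `eend $?` after `done` only reports the status of the last `-X` in the last table, so a lock timeout or an unsupported `-w` on an older iptables in any earlier iteration is silently discarded; tracking a flag across the loop (`ret=0`, `... || ret=1` on each call, `eend ${ret}`) would keep those errors visible. Older iptables releases that do not know `-w` will reject every call after this change, which the ebuild's runtime dependency should reflect if it does not already. set_table_policy(), stop(), reload() and panic() all open outside their hunks.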