commit 18990db7b05a3d81145b41e7cfe64ebbb958aa1a
Author: Thomas Woerner <twoerner@redhat.com>
Date: Thu Apr 27 13:15:36 2017 +0200
firewall.core.ipXtables: Use new wait option for restore commands if available
The iptables restore commands in the next iptables release will support the
wait option. This is very useful and reduces the likelihood of collisions with
iptables commands used by other services or the user.
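diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 2ae0000..9f051d3 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -157,6 +157,7 @@ class ip4tables(object):
 self._command = config.COMMANDS[self.ipv]
 self._restore_command = config.COMMANDS["%s-restore" % self.ipv]
 self.wait_option = self._detect_wait_option()
+ self.restore_wait_option = self._detect_restore_wait_option()
 self.fill_exists()
 
 def fill_exists(self):
@@ -251,6 +252,8 @@ class ip4tables(object):
 log.debug2("%s: %s %s", self.__class__, self._restore_command,
 "%s: %d" % (temp_file.name, stat.st_size))
 args = [ ]
+ if self.restore_wait_option:
+ args.append(self.restore_wait_option)
 if not flush:
 args.append("-n")
 
@@ -320,6 +323,24 @@ class ip4tables(object):
 
 return wait_option
 
+ def _detect_restore_wait_option(self):
+ temp_file = tempFile()
+ temp_file.write("#foo")
+ temp_file.close()
+
+ wait_option = ""
+ ret = runProg(self._restore_command, ["-w"], stdin=temp_file.name) # proposed for iptables-1.6.2
+ if ret[0] == 0:
+ wait_option = "-w" # wait for xtables lock
+ ret = runProg(self._restore_command, ["--wait=2"], stdin=temp_file.name) # since iptables > 1.4.21
+ if ret[0] == 0:
+ wait_option = "--wait=2" # wait max 2 seconds
+ log.debug2("%s: %s will be using %s option.", self.__class__, self._restore_command, wait_option)
+
+ os.unlink(temp_file.name)
+
+ return wait_option
+
 def flush(self, transaction=None):
 tables = self.used_tables()
 for table in tables: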
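Review bot: In `_detect_restore_wait_option` the probe file is removed only by the trailing `os.unlink(temp_file.name)`, so if either `runProg` call raises, the file stays behind in the temp directory; running the probes under `try:` with `finally: os.unlink(temp_file.name)` closes that gap. The probe also reads every non-zero exit as "option unsupported", so a probe that fails for some other reason leaves `restore_wait_option` empty, and the restore call in the second hunk then runs without waiting for the xtables lock, which is the collision this commit is meant to avoid. The page has lost the indentation, so it is unclear whether `log.debug2` runs on that path; if it does not, a line such as `log.debug2("%s: %s does not support a wait option", self.__class__, self._restore_command)` when `wait_option` stays empty would make the fallback visible. The constructor and the restore routine touched by the first two hunks begin outside the lines shown.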