commit 18990db7b05a3d81145b41e7cfe64ebbb958aa1a Author: Thomas Woerner Date: Thu Apr 27 13:15:36 2017 +0200 firewall.core.ipXtables: Use new wait option for restore commands if available The iptables restore commands in the next iptables release will support the wait option. This is very useful and results in less likely collisions with iptables commands used by other services or the user. diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py index 2ae0000..9f051d3 100644 --- a/src/firewall/core/ipXtables.py +++ b/src/firewall/core/ipXtables.py @@ -157,6 +157,7 @@ class ip4tables(object): self._command = config.COMMANDS[self.ipv] self._restore_command = config.COMMANDS["%s-restore" % self.ipv] self.wait_option = self._detect_wait_option() + self.restore_wait_option = self._detect_restore_wait_option() self.fill_exists() def fill_exists(self): @@ -251,6 +252,8 @@ class ip4tables(object): log.debug2("%s: %s %s", self.__class__, self._restore_command, "%s: %d" % (temp_file.name, stat.st_size)) args = [ ] + if self.restore_wait_option: + args.append(self.restore_wait_option) if not flush: args.append("-n") @@ -320,6 +323,24 @@ class ip4tables(object): return wait_option + def _detect_restore_wait_option(self): + temp_file = tempFile() + temp_file.write("#foo") + temp_file.close() + + wait_option = "" + ret = runProg(self._restore_command, ["-w"], stdin=temp_file.name) # proposed for iptables-1.6.2 + if ret[0] == 0: + wait_option = "-w" # wait for xtables lock + ret = runProg(self._restore_command, ["--wait=2"], stdin=temp_file.name) # since iptables > 1.4.21 + if ret[0] == 0: + wait_option = "--wait=2" # wait max 2 seconds + log.debug2("%s: %s will be using %s option.", self.__class__, self._restore_command, wait_option) + + os.unlink(temp_file.name) + + return wait_option + def flush(self, transaction=None): tables = self.used_tables() for table in tables: