From 84a71771d9761fdcb1dc2a991af71cbc874ea0f6 Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Tue, 10 Jan 2023 19:46:01 +0100
Subject: [PATCH] firewall: pass "--wait 2" to iptables to wait for concurrent invocations
iptables takes a file lock at /run/xtables.lock. By default, if the file is locked, iptables will fail with error. When that happens, the iptables rules won't be configured, and the shared mode (for which we use iptables) will not be setup properly. Instead, pass "--wait 2", to block. Yes, it's ugly that we use blocking program invocations, but that's how it is. Also, iptables should be fast to not be a problem in practice.
---
 src/core/nm-firewall-utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c
index 5d6b2decf2..f231583a21 100644
--- a/src/core/nm-firewall-utils.c
+++ b/src/core/nm-firewall-utils.c
@@ -213,7 +213,7 @@ _share_iptables_call_v(const char *const *argv)
 }
 #define _share_iptables_call(...) \
- _share_iptables_call_v(NM_MAKE_STRV("" IPTABLES_PATH "", __VA_ARGS__))
+ _share_iptables_call_v(NM_MAKE_STRV("" IPTABLES_PATH "", "--wait", "2", __VA_ARGS__))
 static gboolean
 _share_iptables_chain_op(const char *table, const char *chain, const char *op)
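Review bot: The `"2"` passed after `"--wait"` in `_share_iptables_call` is an unexplained literal, and once it expires iptables still exits with an error while `/run/xtables.lock` is held, so a shared-mode rule can still be skipped under contention. I would put a comment above the `#define`, such as `/* --wait 2: block up to 2s on /run/xtables.lock; on timeout iptables still fails and the rule is not installed */`, so the trade-off is visible where the argv is built. The body of `_share_iptables_call_v` and its callers are outside this hunk, so it is worth confirming that a non-zero exit is logged or propagated rather than leaving the NAT/filter chains partially configured without notice. It may also be worth checking that every iptables version the project supports accepts a numeric argument to `--wait`, since a build that does not would presumably reject the extra `"2"` on every call.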