From 13c078ddbd627fd230f09633068ab5f713b08153 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Wed, 1 Jul 2015 01:25:00 +0200
Subject: [PATCH] network: guard iptables call with manual lock
Apparently even iptables-restore does not handle concurrent firewall updates. This is especially a problem in case of HVM, which have two network interfaces (one through stubom and the other direct) added at the same time.
---
 network/vif-route-qubes | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/network/vif-route-qubes b/network/vif-route-qubes
index 8d3251a..b7dbb21 100755
--- a/network/vif-route-qubes
+++ b/network/vif-route-qubes
@@ -24,6 +24,7 @@ dir=$(dirname "$0")
 . "$dir/vif-common.sh"
 #main_ip=$(dom0_ip)
+lockfile=/var/run/xen-hotplug/vif-lock
 case "$command" in
 online)
@@ -54,7 +55,7 @@ if [ "${ip}" ] ; then
 ${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric
 done
 echo -e "*raw\n$iptables_cmd -i ${vif} ! -s ${ip} -j DROP\nCOMMIT" | \
- ${cmdprefix} iptables-restore --noflush
+ ${cmdprefix} flock $lockfile iptables-restore --noflush
 back_ip=`qubesdb-read /qubes-netvm-gateway`
 ${cmdprefix} ip addr ${ipcmd} ${back_ip}/32 dev ${vif}
 fi
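Review bot: The exit status of the guarded command in the second hunk (`${cmdprefix} flock $lockfile iptables-restore --noflush`) is still unchecked, so if flock cannot open `$lockfile` (flock creates the file but not its directory, and nothing in the hunks creates `/var/run/xen-hotplug`) or the restore itself fails, the `*raw` DROP rule that ties `${vif}` to `${ip}` is silently skipped while the script continues to add the route and the backend address. Consider making that fatal, e.g. `${cmdprefix} flock "$lockfile" iptables-restore --noflush || exit 1` (or the error helper vif-common.sh provides, if it has one), and quoting `"$lockfile"` while at it. Plain flock blocks without limit, so a bounded wait such as `flock -w 30 "$lockfile" …` would keep a stuck lock holder from hanging the hotplug script indefinitely. Note that the lock only serializes this script's own iptables-restore invocations; any other writer of the firewall stays unsynchronized, which is presumably accepted here. The enclosing `if [ "${ip}" ]` block and the `online)` case arm begin outside both hunks.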