Qubes/core-agent-linux
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

network: guard iptables call with manual lock

Browse Source 
Apparently even iptables-restore does not handle concurrent firewall
updates. This is especially a problem in case of HVM, which have two
network interfaces (one through stubom and the other direct) added at
the same time.
This commit is contained in:
Marek Marczykowski-Górecki 2015-07-01 01:25:00 +02:00
parent 2bfc6edddc
commit 13c078ddbd
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
network/vif-route-qubes
View File

@ -24,6 +24,7 @@ dir=$(dirname "$0")
. "$dir/vif-common.sh" . "$dir/vif-common.sh"
#main_ip=$(dom0_ip) #main_ip=$(dom0_ip)
lockfile=/var/run/xen-hotplug/vif-lock
case "$command" in case "$command" in
online) online)
@ -54,7 +55,7 @@ if [ "${ip}" ] ; then
${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric ${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric
done done
echo -e "*raw\n$iptables_cmd -i ${vif} ! -s ${ip} -j DROP\nCOMMIT" | \ echo -e "*raw\n$iptables_cmd -i ${vif} ! -s ${ip} -j DROP\nCOMMIT" | \
${cmdprefix} iptables-restore --noflush ${cmdprefix} flock $lockfile iptables-restore --noflush
back_ip=`qubesdb-read /qubes-netvm-gateway` back_ip=`qubesdb-read /qubes-netvm-gateway`
${cmdprefix} ip addr ${ipcmd} ${back_ip}/32 dev ${vif} ${cmdprefix} ip addr ${ipcmd} ${back_ip}/32 dev ${vif}
fi fi