network: guard iptables call with manual lock
Apparently even iptables-restore does not handle concurrent firewall updates. This is especially a problem for HVMs, which have two network interfaces (one through the stubdom and the other direct) added at the same time.
parent
2bfc6edddc
commit
13c078ddbd
@ -24,6 +24,7 @@ dir=$(dirname "$0")
|
||||
. "$dir/vif-common.sh"
|
||||
|
||||
#main_ip=$(dom0_ip)
|
||||
lockfile=/var/run/xen-hotplug/vif-lock
|
||||
|
||||
case "$command" in
|
||||
online)
|
||||
@ -54,7 +55,7 @@ if [ "${ip}" ] ; then
|
||||
${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric
|
||||
done
|
||||
echo -e "*raw\n$iptables_cmd -i ${vif} ! -s ${ip} -j DROP\nCOMMIT" | \
|
||||
${cmdprefix} iptables-restore --noflush
|
||||
${cmdprefix} flock $lockfile iptables-restore --noflush
|
||||
back_ip=`qubesdb-read /qubes-netvm-gateway`
|
||||
${cmdprefix} ip addr ${ipcmd} ${back_ip}/32 dev ${vif}
|
||||
fi
|
||||
|
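Review bot: The source-address DROP rule in the second hunk can still be skipped silently. If `flock` cannot open `$lockfile` (for example because `/var/run/xen-hotplug` does not exist yet), `iptables-restore` never runs, and nothing visible in the hunk checks the pipeline's status before the script goes on to configure `back_ip`. Consider failing the hotplug when the rule was not loaded, and quote the path: `${cmdprefix} flock "$lockfile" iptables-restore --noflush || exit 1` (or the script's own error helper, if `vif-common.sh` provides one; none is visible here). The lock is advisory, so it only serialises instances of this script; any other component that writes iptables rules would have to take the same lock for the guard to hold. The enclosing `if [ "${ip}" ]` block starts outside the hunk.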