From mboxrd@z Thu Jan  1 00:00:00 1970
Return-path: <ptxdist-bounces@pengutronix.de>
Received: from ginster.hi.pengutronix.de
 ([2001:67c:670:100:2e4d:54ff:fe67:bfa5] helo=ginster)
 by metis.ext.pengutronix.de with esmtps
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
 (envelope-from <jbe@pengutronix.de>) id 1iuE4e-0006Ba-C0
 for ptxdist@pengutronix.de; Wed, 22 Jan 2020 12:21:28 +0100
Received: from jbe by ginster with local (Exim 4.92)
 (envelope-from <jbe@pengutronix.de>) id 1iuE4e-0000jL-48
 for ptxdist@pengutronix.de; Wed, 22 Jan 2020 12:21:28 +0100
From: Juergen Borleis <jbe@pengutronix.de>
Date: Wed, 22 Jan 2020 12:21:28 +0100
Message-Id: <20200122112128.2765-1-jbe@pengutronix.de>
MIME-Version: 1.0
Subject: [ptxdist] [PATCH] iptables: serialize startup service units
List-Id: PTXdist Development Mailing List <ptxdist.pengutronix.de>
List-Unsubscribe: <http://metis.pengutronix.de/cgi-bin/mailman/options/ptxdist>, 
 <mailto:ptxdist-request@pengutronix.de?subject=unsubscribe>
List-Archive: <http://metis.pengutronix.de/cgi-bin/mailman/private/ptxdist/>
List-Post: <mailto:ptxdist@pengutronix.de>
List-Help: <mailto:ptxdist-request@pengutronix.de?subject=help>
List-Subscribe: <http://metis.pengutronix.de/cgi-bin/mailman/listinfo/ptxdist>, 
 <mailto:ptxdist-request@pengutronix.de?subject=subscribe>
Reply-To: ptxdist@pengutronix.de
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ptxdist-bounces@pengutronix.de
Sender: "ptxdist" <ptxdist-bounces@pengutronix.de>
To: ptxdist@pengutronix.de

Since iptables-1.8.x the tool complains at run-time if a second instance
holds the shared lock:

   Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

If IPv4 and IPv6 is enabled, this concurrent situation can happen and at
the end one of both setups isn't done (first instance wins).

By serializing both service units this concurrent situation cannot occur
and both setups are done as expected.

Signed-off-by: Juergen Borleis <jbe@pengutronix.de>
---
 projectroot/usr/lib/systemd/system/ip6tables.service | 2 ++
 projectroot/usr/lib/systemd/system/iptables.service  | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/projectroot/usr/lib/systemd/system/ip6tables.service b/projectroot/usr/lib/systemd/system/ip6tables.service
index e842cc197..7cf9ab88b 100644
--- a/projectroot/usr/lib/systemd/system/ip6tables.service
+++ b/projectroot/usr/lib/systemd/system/ip6tables.service
@@ -3,6 +3,8 @@ Description=Packet Filtering Framework
 DefaultDependencies=no
 After=systemd-sysctl.service
 Before=sysinit.target
+# ensure, we are running after IPv4
+After=iptables.service
 ConditionFileNotEmpty=/etc/iptables/rules.v6
 [Service]
 Type=oneshot
diff --git a/projectroot/usr/lib/systemd/system/iptables.service b/projectroot/usr/lib/systemd/system/iptables.service
index fa4a8b367..29999628e 100644
--- a/projectroot/usr/lib/systemd/system/iptables.service
+++ b/projectroot/usr/lib/systemd/system/iptables.service
@@ -3,6 +3,8 @@ Description=Packet Filtering Framework
 DefaultDependencies=no
 After=systemd-sysctl.service
 Before=sysinit.target
+# ensure, we are running before IPv6
+Before=ip6tables.service
 ConditionFileNotEmpty=/etc/iptables/rules.v4
 [Service]
 Type=oneshot
-- 
2.20.1


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de